California Invasion of Privacy Act (CIPA): Compliance Guide

Osman Husain 3/31/26 10:46 PM
What is CIPA compliance?

The California Invasion of Privacy Act (CIPA), not to be confused with the Children's Internet Protection Act, is a 1967 California wiretapping statute that now applies to website tracking technologies. Under CIPA, websites must obtain prior, explicit consent before any third-party tool captures or transmits user data. Violations carry statutory damages of $5,000 per incident with no proof of harm required. CIPA compliance means ensuring that tracking scripts, pixels, and session replay tools do not fire until a user actively consents.

Since 2022, plaintiff law firms have filed an estimated 50,000 to 100,000 claims under CIPA, and possibly more, targeting routine marketing tools that most businesses install without a second thought. The $5,000 statutory penalty per violation, available without any proof of actual harm, makes CIPA one of the most powerful privacy statutes in the United States. California Senate Bill 690, which would have created a safe harbour for websites, stalled in 2025 and will not take effect before 2027 at the earliest. No statutory protection currently exists.

This guide explains what CIPA is, which sections apply to websites, which technologies create legal exposure, how CIPA differs from the CCPA, and the practical steps you can take today to reduce your risk.

 

What is the California Invasion of Privacy Act?

CIPA was enacted in 1967 to protect California residents from telephone wiretapping and electronic eavesdropping. For most of its history, the law governed phone call recording; it is the statute that requires businesses to announce "this call may be recorded for quality assurance purposes."

Its application to websites is more recent, stemming from a series of court rulings beginning around 2020 that extended CIPA's language to digital communications.

The legal theory behind modern CIPA website claims is straightforward. When a user types a search query, enters information into a form, or interacts with a live chat widget, they are engaged in "communication." If a third-party tool captures or transmits that interaction in real time before the user has given explicit consent, plaintiff firms argue it constitutes illegal interception under a wiretapping statute.

The theory has had mixed results in court, but it has survived dismissal in enough cases to sustain a very large volume of demand letters and lawsuits.

Critically, CIPA is not limited to California-based companies. It applies to any website that California residents can visit, which is effectively every website on the internet.

 

CIPA at a glance

Enacted: 1967
Statutory damages: $5,000 per violation, no proof of harm required
Who can file: any California resident (private right of action; no regulator required)
Who is covered: any website accessible to California residents
Key sections: Section 631 (wiretapping), Section 632 (confidential communications), Sections 638.50-638.51 (pen registers)
Consent standard: prior, explicit consent; retroactive consent does not qualify
Legislative safe harbour: none (SB 690 stalled in 2025)

 

Key CIPA sections that apply to websites

 

Section 631: the wiretapping provision

California Penal Code Section 631 is the most frequently cited provision in website tracking litigation. It prohibits willfully intercepting or reading the contents of any electronic communication without the consent of all parties. The clause most relevant to website operators is the one covering anyone who aids or abets a third-party interceptor. Courts have generally held that a website cannot eavesdrop on its own communications, since it is a party to the exchange. The viable theory is that the website aids and abets a third-party vendor that itself intercepts the communication.

The 2022 Ninth Circuit ruling in Javier v. Assurance IQ was the inflection point. The court held that Section 631 applies to internet communications and that consent under CIPA must be prior; a user agreeing to a privacy policy after their data has already been captured does not constitute valid consent. That ruling opened the door to the wave of pixel and session replay lawsuits that followed.

 

Section 632: confidential communications

Section 632 prohibits recording a "confidential communication" without the consent of all parties. For websites, this provision applies most directly to live chat tools and customer support widgets. Courts have generally dismissed Section 632 claims where the chat tool operates entirely on behalf of the website operator. Claims have proceeded where the vendor retains independent rights to the conversation data, including for model training, audience building, or advertising. Reviewing your chat vendor's data processing terms is a practical step in assessing exposure here.

 

Sections 638.50 and 638.51: pen register provisions

The pen register provisions, added to CIPA in 2015, prohibit installing or using a device that records routing or signalling information from electronic communications without a court order or consent. Plaintiffs have argued that tracking pixels and web beacons are "pen registers" because they record device identifiers and browsing paths. Courts have increasingly dismissed these claims: two California courts in 2024 and 2025 ruled that IP addresses alone are not "outgoing communications" and that CIPA's pen register provisions do not extend to internet communications as currently written. Pen register claims remain in play, but their legal footing is weaker than Section 631 claims.

 

Why websites are being sued under CIPA, and what courts have decided

The CIPA litigation surge can be traced back to one ruling. In Javier v. Assurance IQ, the Ninth Circuit found that CIPA's Section 631 applies to internet communications and requires prior consent, not retroactive consent. That decision altered the landscape radically as it made CIPA claims legally viable, with plaintiff firms quickly recognizing the opportunity. As the American Bar Association has documented, the ruling significantly expanded the statute's reach into digital tracking cases.

However, defendants have had some respite from a recent development that narrows exposure. In Torres v. Prudential Financial, a federal court granted summary judgment for the defendants, ruling that session replay software does not violate Section 631 because the captured data only becomes readable after it has been stored and reassembled, not while it is in transit.

CIPA's wiretapping provision requires interception during transmission. If the data only becomes readable after transmission, the legal theory fails. This ruling provides a meaningful defence for businesses whose analytics tools route data through the business's own servers rather than sending it directly to third-party endpoints in real time.

The Torres ruling does not end CIPA litigation. It narrows one specific theory. Tools that capture search queries, form inputs, or chat messages synchronously, transmitting that content to a third-party server as the user types, remain more exposed than tools that process data post-transmission.

The economic dynamics reinforce the litigation pressure. Plaintiff firms set settlement demands calibrated to be cheaper than litigation. Settling with one firm does not prevent subsequent demand letters from other firms. The best risk reduction strategy, at any stage, is a technical implementation that does not give plaintiffs a viable claim in the first place.


 

Website technologies that create CIPA exposure

These are the tool categories most commonly cited in CIPA demand letters and lawsuits.

Session replay and heatmap tools: Hotjar, FullStory, Microsoft Clarity, LogRocket. These tools record user keystrokes, mouse movements, and clicks. If they transmit search queries or form field content to a third-party server in real time as the user types, they create the strongest CIPA exposure. Tools that process data only after transmission are better positioned following Torres, but the risk has not disappeared.

Live chat and support widgets: Intercom, Drift, HubSpot Chat, Zendesk. Chat software that initializes before the user has consented is a frequent target of Section 631 and Section 632 claims. The key question is whether the chat vendor has independent data rights to the conversation content. Where the vendor retains conversation data for its own purposes, the third-party interception argument has more legal traction.

Advertising pixels: Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, Snap Pixel. These are explicitly named in a significant share of CIPA filings. Meta Pixel fires on page load by default and transmits full page URLs, referrer data, and user actions to Meta's servers immediately. If it fires before a user has consented, every transmission is a potential violation. For a detailed breakdown of Meta Pixel lawsuits, see our full coverage of that litigation wave.

Analytics tags configured for ads or audience building: Google's Consent Mode documentation explains how consent state affects tag behaviour, but Consent Mode alone does not stop all third-party scripts from loading. In its advanced implementation, Google tags still load and send cookieless pings when consent is denied, and Consent Mode does nothing for non-Google scripts. Google Analytics (GA4) and Google Ads conversion tracking can create exposure when tags fire before consent is established.

Call tracking, form enrichment, and A/B testing scripts: Dynamic phone number scripts, autofill enrichment tools, and testing platforms often load early, sometimes before the consent banner renders, and transmit interaction data to external vendors.

 

CIPA vs. CCPA: what is the difference?

Being compliant with the California Consumer Privacy Act (CCPA) does not mean you are compliant with CIPA. They address overlapping but distinct legal concerns, and many businesses that are fully CCPA-compliant still face CIPA exposure.

Focus
  CIPA: real-time interception of communications without consent
  CCPA/CPRA: transparency and consumer control over data sale and sharing

Consent standard
  CIPA: prior, explicit opt-in before tracking begins
  CCPA/CPRA: opt-out for most tracking (opt-in for sensitive data and minors)

Private right of action
  CIPA: yes, any California resident can file directly
  CCPA/CPRA: limited to data breaches, not general tracking violations

Regulatory enforcement
  CIPA: no (the private plaintiff bar enforces)
  CCPA/CPRA: yes, enforced by the California Privacy Protection Agency

Damages
  CIPA: $5,000 per violation, no proof of harm required
  CCPA/CPRA: $100 to $750 per consumer per incident for data breaches

Cookie banner
  CIPA: implied; consent must be obtained before any interception
  CCPA/CPRA: requires an opt-out mechanism ("Do Not Sell or Share" link)

 

The practical gap: a CCPA-compliant website often uses opt-out consent, meaning tracking begins by default and users can turn it off. Under CIPA, that model is the problem. If a pixel fires before a user has actively consented and it transmits data to a third party in real time, CCPA compliance provides no shield.

 

CIPA compliance checklist for websites

The following steps address the core technical gaps that plaintiff firms identify when scanning websites for demand letter targets.

1. Run your consent platform in opt-in mode for California visitors.

All non-essential tracking scripts must be blocked by default until a user actively accepts. Opt-out mode, where tracking fires on page load and users can decline later, does not satisfy CIPA's prior consent requirement. Geofencing to California is a practical starting point for companies that cannot immediately roll out opt-in consent globally.

2. Ensure consent initialises before your tag manager loads marketing tags.

The most common technical failure is a consent banner that appears compliant but loads too slowly, allowing pixels to fire before the user has seen or interacted with it. Your consent management platform tag should fire on Consent Initialization in Google Tag Manager, not on Page View. For a step-by-step guide, see our CIPA enforcement and defense guide.

3. Remove hard-coded pixels from your site header.

A pixel embedded directly in your site's HTML or theme loads before any GTM rules apply. Consent gating in GTM cannot block it. Audit your site header, theme files, WordPress plugins, and Shopify apps for any tracking code that loads outside your tag manager.

4. Align your privacy policy with your actual tech stack.

Privacy policy language that does not name specific tracking vendors, or that describes narrower data practices than what actually runs on your site, undermines the consent defence: a user cannot have consented to a disclosure that was never made. Audit your tag manager, then update your privacy policy to list every third-party tool and what it does.

5. Review your chat vendor contracts.

For each live chat tool and session replay product, check whether the vendor has independent rights to use the data it collects from your users. Where the vendor has those rights, the third-party interception theory has more legal support. Where possible, contract so that each tool operates as your agent with no independent data processing rights, and keep the data processing terms on file as documentation.

6. Build and retain a consent log.

Consent logs document when each user granted or denied consent, with timestamps. These records are the primary evidence in a CIPA defence, demonstrating that your site honoured consent choices before any tracking began. Enzuzo logs every consent event automatically and retains records for up to seven years.

7. Test with a fresh incognito session.

Google Tag Manager's Preview Mode is a supported tool for verifying your consent implementation. Open your website in an incognito window, open your browser's network inspector, and watch what fires before you interact with the consent banner. Any request to a third-party host that appears before you click "Accept" is a potential CIPA violation. Repeat the check after clicking "Reject", and again on a second page load, to confirm that a denial is honoured and that nothing fires from cached state.
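The checklist above turns on two mechanisms: tags must be held back until an explicit grant, with every choice logged against a timestamp (steps 1, 2 and 6), and the network activity before consent must be audited for third-party hosts (step 7). The following JavaScript is an added illustration of both, not Enzuzo's code or any consent platform's API. It assumes the site is served from www.example.com, and the request list and timestamps are constructed sample data standing in for an export from the browser's network panel.

```javascript
// Added example: an opt-in consent gate plus a pre-consent request audit.
// Not vendor code. Host names and timestamps below are illustrative assumptions.

// Hosts the site itself serves from (assumption: the site is www.example.com).
const FIRST_PARTY_HOSTS = new Set(["www.example.com", "example.com"]);

// Build a consent gate. Default state is "not consented" for every category:
// nothing registered under a category runs until update() grants it.
function createConsentGate(now = () => new Date().toISOString()) {
  const state = { analytics: false, marketing: false };
  const pending = { analytics: [], marketing: [] };
  const log = []; // one entry per consent event, with timestamp (checklist step 6)

  // Register a loader (e.g. the function that injects a pixel's <script>) under
  // a category. It runs immediately only if that category is already granted.
  function register(category, loader) {
    if (!(category in state)) throw new Error(`unknown category: ${category}`);
    if (state[category]) loader();
    else pending[category].push(loader);
  }

  // Record the visitor's choice and release queued loaders for granted
  // categories. A denial is logged too, and its loaders stay queued (never run)
  // so a later grant from the preference centre can release them.
  function update(choices, source) {
    const entry = { ts: now(), source, choices: { ...choices } };
    log.push(entry);
    for (const [category, granted] of Object.entries(choices)) {
      if (!(category in state)) continue;
      state[category] = Boolean(granted);
      if (granted) pending[category].splice(0).forEach((loader) => loader());
    }
    return entry;
  }

  return { register, update, log, state };
}

// Audit helper for checklist step 7. `requests` is a list of {ts, url} captured
// from the network panel; `consentTs` is when "Accept" was clicked, or null if
// the visitor never accepted. Returns the third-party requests that fired
// before consent, i.e. the ones a demand letter would cite.
function preConsentThirdPartyRequests(requests, consentTs, firstParty = FIRST_PARTY_HOSTS) {
  const cutoff = consentTs === null ? Infinity : Date.parse(consentTs);
  return requests.filter((r) => {
    const host = new URL(r.url).hostname;
    return !firstParty.has(host) && Date.parse(r.ts) < cutoff;
  });
}

// Constructed sample: a page where Meta Pixel fired on load, before consent,
// and GA4 fired only after the visitor accepted analytics.
const SAMPLE_REQUESTS = [
  { ts: "2026-03-31T22:40:00.100Z", url: "https://www.example.com/" },
  { ts: "2026-03-31T22:40:00.350Z", url: "https://connect.facebook.net/en_US/fbevents.js" },
  { ts: "2026-03-31T22:40:00.400Z", url: "https://www.facebook.com/tr?id=PIXELID&ev=PageView" },
  { ts: "2026-03-31T22:40:09.000Z", url: "https://www.google-analytics.com/g/collect?v=2" },
];
const SAMPLE_CONSENT_TS = "2026-03-31T22:40:05.000Z";

// Runs the gate against the sample: marketing is denied, analytics granted.
function demo() {
  const fired = [];
  const gate = createConsentGate(() => SAMPLE_CONSENT_TS);
  gate.register("marketing", () => fired.push("meta-pixel"));
  gate.register("analytics", () => fired.push("ga4"));
  const beforeAccept = fired.length; // nothing has run yet
  gate.update({ analytics: true, marketing: false }, "banner");
  const leaks = preConsentThirdPartyRequests(SAMPLE_REQUESTS, SAMPLE_CONSENT_TS);
  return {
    beforeAccept,
    fired,
    logEntries: gate.log.length,
    leakedHosts: leaks.map((r) => new URL(r.url).hostname),
  };
}
```

Run `demo()` and the audit reports the two Meta hosts that fired before the 22:40:05 grant, while the GA4 request at 22:40:09 passes because it followed an explicit analytics grant. The gate never runs the Meta loader because marketing was denied; a hard-coded pixel in the page header (step 3) would bypass this gate entirely, which is exactly what the network audit is there to catch.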

 

What to do if you receive a CIPA demand letter

Demand letters from plaintiff firms are not the same as a lawsuit, but they cannot be ignored. Non-response typically results in an actual filing. In Enzuzo's review of letters shared by customers, settlement demands have ranged from $10,000 to $200,000 per letter, depending on the number of non-compliant tools, the volume of California traffic, and how the defendant responds.

Immediate steps: preserve your current site configuration before making any changes, document the state of your tag manager and pixel setup, pull any existing consent logs, and engage legal counsel with privacy litigation experience before responding. Technical remediation, specifically fixing the underlying consent timing issue, is the most important long-term step, since settling one claim without changing the implementation leaves you exposed to the next letter.


 

 

Frequently asked questions about CIPA

What does CIPA stand for?

California Invasion of Privacy Act (CIPA) is a 1967 state wiretapping statute applied by courts to digital tracking technologies. It is separate from the Children's Internet Protection Act, a federal law governing internet filtering in schools and libraries.

What is CIPA compliance for a website?

CIPA compliance means no third-party tracking tool, including pixels, session replay software, or live chat widgets, captures or transmits user data before the user has explicitly consented. Your consent banner must run in opt-in mode for California visitors, your tag manager must block all marketing scripts until consent is granted, and your privacy policy must accurately name every tool in use.

Does CIPA apply to companies outside California?

Yes. CIPA applies to any website that California residents can visit, regardless of where the website operator is located. Non-US companies operating websites accessible to California residents have received CIPA demand letters. If your site has any California traffic, you have potential CIPA exposure.

What is the penalty for a CIPA violation?

CIPA provides for statutory damages of $5,000 per violation, with no requirement to prove actual harm. In class action contexts, where each user session may count as a separate violation, damages can escalate quickly. Most cases settle before trial, with demand letters typically calibrated to be cheaper to resolve than to litigate.

Is CIPA the same as CCPA?

No. CCPA is a data privacy law focused on transparency and consumer rights around data sale and sharing, enforced by the California Privacy Protection Agency using an opt-out model. CIPA is a wiretapping statute enforced by private plaintiffs, requires prior opt-in consent before tracking begins, and carries $5,000 per-violation damages without proof of harm. A CCPA-compliant site can still violate CIPA.

Does a cookie banner protect me from CIPA?

Only if it works correctly. A banner that displays a preference interface while tracking scripts fire before the user interacts with it does not establish prior consent. The banner must technically gate all non-essential scripts, not just show a consent dialog, before any tracking data is transmitted.

What is a CIPA demand letter?

A CIPA demand letter is a formal notice from a plaintiff law firm asserting that your website violated CIPA by running tracking tools without prior user consent. Based on Enzuzo's review of customer-shared letters, settlements have ranged from $10,000 to $200,000 depending on the number of violations and California traffic volume.

Which websites are most targeted under CIPA?

Any consumer-facing website with California traffic that runs Meta Pixel, TikTok Pixel, session replay tools, or live chat widgets without a technically enforced consent mechanism. Media and news sites, ecommerce brands, healthcare and wellness platforms, and SaaS companies with marketing-heavy tech stacks have been the most common targets.

 

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.