Businesses nationwide are facing a sharp increase in claims under the California Invasion of Privacy Act (CIPA), a 1967 statute originally designed to address wiretapping and eavesdropping.
Today, plaintiffs’ attorneys are using CIPA to challenge common website technologies, including cookies, analytics tools, session replay software, and chat features. Many companies are caught off guard when they receive a demand letter alleging unlawful website tracking, followed by the threat of litigation.
Thousands of CIPA website tracking claims have been asserted, and filings continue to rise.
What Is the California Invasion of Privacy Act?
CIPA was enacted to protect individuals from the unlawful interception or recording of private communications. While the law originally focused on telephone wiretapping, plaintiffs and some courts now interpret it to apply to digital communications and online activity.
Under these theories, certain website tracking tools may be characterized as unlawfully “intercepting” or “recording” user communications without adequate consent.
CIPA allows private lawsuits and provides for statutory damages of up to $5,000 per violation, even without proof of actual harm.
Why Are CIPA Website Tracking Lawsuits Increasing?
CIPA claims have surged as a relatively small group of plaintiffs’ firms and serial litigants target routine website practices that were not contemplated when the law was enacted.
These cases are appealing to the plaintiff because of:
- Statutory damages of up to $5,000 per violation
- The potential of class action certification
- Inconsistent court rulings on how CIPA applies to online tracking
In 2025, California lawmakers considered Senate Bill 690 (SB 690), which would have limited CIPA’s application to certain common business uses of website technologies, but the bill ultimately did not pass. While similar legislation may be introduced in the future, any change may not take effect immediately or apply retroactively.
The absence of a statutory safe harbor continues to create uncertainty for businesses and may incentivize additional filings.
What Website Technologies Trigger CIPA Claims?
Recent CIPA website tracking lawsuits have targeted widely used tools, including:
- Website cookies and tracking pixels
- Analytics and marketing tools
- Session replay or keystroke monitoring software
- Chat widgets and contact forms
In many cases, the challenged tools are standard third-party services used for marketing, customer support, and website optimization.
How Do CIPA Claims Typically Begin?
Most CIPA disputes begin with a demand letter alleging unlawful interception of website communications. Some matters resolve before a lawsuit is filed; others proceed to formal litigation.
Business Risks and Compliance Considerations
Even defensible CIPA claims can be costly. Potential exposures include:
- Statutory damages
- Attorneys’ fees
- Class action defense costs
- Reputational risks
Because CIPA provides statutory damages without requiring proof of actual harm, businesses often must evaluate risk early and make strategic decisions under significant legal and financial uncertainty.
Businesses Facing CIPA Claims
Varnum regularly advises businesses responding to CIPA demand letters and defending website privacy litigation at both the pre-suit and litigation stages.
If your organization has received a CIPA demand letter or lawsuit, or has questions about website privacy litigation trends, contact your Varnum attorney or a member of Varnum’s Data Privacy or Litigation Practice teams.
