ConsentPixel – Privacy · Verified

Active litigation — 1,641 lawsuits filed since June 2022

Your website might be wiretapping your visitors.

The California Invasion of Privacy Act (CIPA) carries $5,000 in statutory damages per violation — with no proof of harm required. Plaintiff law firms are systematically scanning websites for session replay tools firing before consent.

If you run Hotjar, FullStory, Microsoft Clarity, or Meta Pixel — and you serve California visitors — you may be in their index right now.

Free scan · no account · results in 10 seconds

CIPA Litigation — Live Status
1,641 lawsuits filed since June 2022
83% filed in California alone
$5K statutory damages per violation
28 states with active filings
Plaintiff firms actively scanning websites:
Kind Law (Los Angeles): Hotjar · Clarity · Meta Pixel
Swigart Law Group: $10K–$200K+ settlements
Pacific Trial Attorneys: FedEx demand letters
✓ No statutory safe harbour exists as of May 2026 — SB 690 stalled in 2025
What is CIPA?

A 1967 wiretapping law being applied to modern website analytics tools.

The California Invasion of Privacy Act (CIPA) was enacted in 1967 to protect Californians from wiretapping and eavesdropping on phone calls. It prohibits intercepting or recording communications without the consent of all parties. The statute was never intended to regulate websites — but courts have applied it to modern digital tracking tools, making it one of the most active sources of privacy litigation in the United States.

The key provision is CIPA Section 631, which creates civil liability for anyone who "reads, or attempts to read, or to learn the contents" of a communication without consent. Plaintiffs' firms have argued — with significant success — that session replay tools like Hotjar and FullStory intercept visitors' keystrokes, mouse movements, and form inputs in real time, effectively "wiretapping" their communication with your website.

CIPA § 631 (Wiretapping): Prohibits intentionally reading or attempting to read the contents of a communication without consent. Applied to session replay tools that capture keystrokes and form inputs in real time. $5,000 per violation.
CIPA § 638.51 (Pen Register): Prohibits installing a device that records the source or destination of communications. Courts have applied this to tracking pixels that record IP addresses and browsing paths. Case law is more favourable to defendants here. $5,000 per violation.
CIPA § 632 (Confidential Communications): Covers recording of confidential conversations. Relevant where chat tools or AI chatbots intercept visitor communications and share them with third-party vendors without consent. $5,000 per violation.
⚠ The crucial detail most people miss

CIPA applies based on the location of the visitor, not the location of your business. If a California resident visits your website — wherever your business is based — and your tracking tools fire without their consent, CIPA may apply. With 40 million Californians, almost every consumer-facing website in the US is potentially in scope.

Which tools create exposure

If any of these are on your site
and you serve California visitors — you're exposed.

These are the exact tools plaintiff firms scan for. Not generic "analytics" — specific named products.

Critical — Section 631 (session replay)
Hotjar: heatmaps · session recording · keystroke capture
FullStory: session replay · form field recording · page events
Microsoft Clarity: session recording · click maps · mouse tracking
Lucky Orange: live chat + session replay combined
Inspectlet: session recording · keystroke logging
LogRocket: session replay · console logging · network monitoring
Mouseflow: session recording · heatmaps · form analytics
Smartlook: session replay · event tracking
SessionCam: session recording · heatmaps
Crazy Egg: session recording · A/B testing
High — Section 638.51 (pen register theory)
Meta Pixel: tracks page views, form inputs, conversions; sends them to Meta
Google Analytics 4: user behaviour tracking, session data, demographics
TikTok Pixel: conversion tracking, audience matching
LinkedIn Insight: B2B visitor tracking, retargeting
Intercom / Drift (chat): chat tools that share conversations with third-party servers
Safe — when consent-gated before firing
Any tool that fires after consent, including all tools above: consent-gating eliminates the exposure.
✅ Every tool above is safe when consent-gated

The legal risk is not the tool — it's the timing. Hotjar firing before consent = CIPA exposure. Hotjar firing after the visitor clicks Accept = no exposure. ConsentPixel blocks all these scripts until consent is given, at the browser level.

Fix it in 10 minutes →
How plaintiff firms operate

Industrial-scale scanning. Not targeted complaints.

This is not a situation where a wronged individual sues a company. Kind Law, Swigart Law Group, and Pacific Trial Attorneys operate automated scanners that crawl thousands of consumer-facing websites daily — logging every session replay script that fires before a consent event.

They source sites from BuiltWith (which tracks which sites use Hotjar, FullStory, and Clarity), Wappalyzer, and general web crawls. E-commerce sites, subscription services, healthcare portals, and SaaS platforms are primary targets because of their high session volumes and reliance on behavioural analytics.

Demand letter via FedEx — not a court summons
The first contact is typically a demand letter offering to settle for $10,000–$50,000 before litigation. Many businesses pay rather than fight, which funds the next batch of scanning.
Class action with multiplied damages
If they file, they file as a class action on behalf of all California visitors. Tractor Supply Co. settled for $1.35M in Sept 2025. Sutter Health settled for $21.5M in April 2026. Inova Health for $3.1M in April 2026.
They re-scan after you fix it
If you receive a demand letter and rush to disable Hotjar but don't implement proper consent management, their next scan will still find other tools firing. The fix needs to be architectural.
Simulated demand letter · Received via FedEx · Swigart Law Group · Action required

Dear [Business Owner],

Our firm represents a class of California residents who visited yourwebsite.com between January 2024 and present. During this period, your website deployed Hotjar session replay software which intercepted visitors' keystrokes, mouse movements, and communications without consent, in violation of California Penal Code § 631 (CIPA).

Each session constitutes a separate violation carrying statutory damages of $5,000. Based on your website's estimated California traffic, potential exposure is estimated at $2,400,000 in aggregate statutory damages.

We are prepared to resolve this matter for $45,000 within 30 days of this letter. Failure to respond will result in the filing of a class action complaint in...

⚠ This is a simulation illustrating a real pattern. Demand letters of this type are being sent to thousands of websites. ConsentPixel prevents the underlying violation before it can be documented.
Real case law — what courts have decided

The law is genuinely unsettled. That uncertainty is itself a risk.

Courts have ruled in both directions. The split means there is no safe assumption — and no guarantee you would win even with a strong defence. The cheapest defence is prevention.

Plaintiff-friendly rulings
Mikulsky v. Bloomingdale's — FullStory
Ninth Circuit · June 20, 2025
Reversed dismissal. Court found plaintiffs adequately alleged that FullStory intercepted "contents" of communications (names, addresses, credit card information) during the session, not just metadata. Case survives to proceed to discovery.
Plaintiff wins — case proceeds
Saleh v. Nike — FullStory
C.D. California · 2024
Court found plaintiff adequately pleaded that FullStory was a third-party eavesdropper, not merely a tool of Nike. Focus was on FullStory's real-time behaviour during the communication, not post-transmission storage. Case survived dismissal.
Plaintiff wins — case proceeds
Camplisson v. Adidas — FullStory pixel
California Federal Court · November 2025
Survived pleading stage under the §638.51 pen register theory. Court found that tracking pixels which collect IP addresses and browsing paths may constitute pen register devices under CIPA. Significant precedent for retail e-commerce sites.
Plaintiff wins — case proceeds
Heerde v. Learfield Communications
C.D. California · 2024
Court found CIPA viable where search terms were transmitted in real time to third parties. The "real-time" interception of content (the search query) distinguished this from mere passive data collection. Survived on the aiding-and-abetting theory.
Mixed — CIPA theory survives
Defendant-friendly rulings
Torres v. Prudential Financial
N.D. California · April 17, 2025
Summary judgment for defendant. Court held CIPA § 631 requires evidence that the party "read or attempted to read" content in transit. Session replay software that processes data only after transmission does not satisfy the real-time interception element. Significant narrowing of § 631 liability.
Defendant wins — case dismissed
Thomas v. Papa John's — FullStory
Ninth Circuit · June 18, 2025
Affirmed dismissal. Papa John's was a party to its own visitors' communications — under California law a party cannot eavesdrop on its own conversation. Direct liability failed. Court noted plaintiff did not allege aiding-and-abetting theory, leaving that question open.
Defendant wins — case dismissed
Khamooshi v. Politico LLC
N.D. California · October 2, 2025
CIPA § 638.51 pen register claim dismissed for lack of Article III standing. Collection of generic device and browser metadata did not constitute the kind of embarrassing, invasive, or otherwise private information necessary to establish concrete injury.
Defendant wins — dismissed
Graham v. Noom — FullStory
N.D. California
Court found FullStory was a direct party to the communication when it recorded user sessions, not a third-party interceptor. As a service provider integrated into Noom's infrastructure, the "party exception" applied — no unauthorized third-party interception occurred.
Defendant wins
What this split means for your business
You might win
If the session replay tool only processes data post-transmission, or if the vendor is deemed a direct party rather than a third-party interceptor — Torres and Graham show viable defences exist.
You might lose
If the tool captures keystrokes in real time (Hotjar's recording of typing), or if the vendor is configured as a true third-party — Mikulsky and Saleh show significant liability exists for exactly this fact pattern.
Either way you pay to find out
Defending a CIPA class action costs $200,000–$500,000 in legal fees before reaching summary judgment. Most businesses settle. Consent-gating the script before it fires eliminates the dispute entirely.
Am I at risk?

Answer these four questions honestly.

1. Do you have California visitors?
With 40 million residents, almost every US consumer-facing website does. B2C e-commerce, SaaS, healthcare, legal, real estate, finance — all high-risk if serving California traffic.
→ If yes: CIPA scope confirmed
2. Do you run any session replay tool?
Hotjar, FullStory, Clarity, Lucky Orange, Inspectlet, LogRocket, Mouseflow, Smartlook, SessionCam, Crazy Egg. Check your Google Tag Manager container — these are often installed and forgotten.
→ If yes: §631 exposure present
3. Do those tools fire before consent?
Most default installations fire immediately on page load — before any banner is shown. Even if you have a consent banner, it means nothing if the scripts fire before the visitor has a chance to respond.
→ If yes: active violation occurring now
4. Are you in Kind Law's index?
Kind Law scans sites sourced from BuiltWith. If your site is listed as using Hotjar or FullStory on BuiltWith, you are very likely already in their scanning rotation. Demand letters are typically sent within 30–90 days of detection.
→ Check BuiltWith for your domain
Find out in 10 seconds

Free CIPA Risk Scan

We visit your site as a fresh visitor with zero cookies — exactly how Kind Law's scanner works — and tell you what's firing before consent.

No account required · No email needed · Results in 10 seconds

How to fix it

The fix is architectural. Not just a cookie banner.

A consent banner that shows after your tracking scripts have already fired is not a legal defence. The fix requires that tracking scripts be physically blocked from executing until after the visitor has actively consented. Not deferred — blocked.

CIPA compliance checklist
Block all non-essential scripts until consent is given
Session replay, analytics, marketing pixels — all must be physically blocked (not just deferred) until the visitor actively consents. MutationObserver intercept is the correct technical approach.
Show a consent banner before any tracking fires
The banner must be visible and presented before the visitor can interact with the page in a way that would be recorded. A banner that appears after Hotjar has fired is no defence.
Never use dark patterns in consent UI
CCPA 2026 regulations (effective Jan 1, 2026) explicitly prohibit asymmetric consent UI. Accept and Reject buttons must be of equal prominence. Closing the popup without clicking does not count as consent.
Honour Global Privacy Control (GPC) signals
California visitors with GPC enabled in their browser must automatically receive opt-out treatment — no banner required. CCPA 2026 compliance requires this. Your CMP must read navigator.globalPrivacyControl.
Log every consent decision with timestamp
If you receive a demand letter, your legal defence is the consent log showing that visitor X did (or did not) consent before the tool fired. Without logs, you have no defence. Logs must be immutable.
Disclose all tracking vendors in your privacy policy
CCPA 2026 requires your privacy policy to list every third-party vendor you share data with. An auto-generated policy from your actual scan results is far more defensible than a generic template.
Scan your site regularly for new trackers
A developer installs a new analytics tool next month and doesn't think to add it to the consent banner. Your weekly scanner catches it before Kind Law does. Alert-based monitoring is essential.
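The three technical items on this checklist (blocking gated scripts with a MutationObserver, treating navigator.globalPrivacyControl as an opt-out, and keeping an append-only consent log) in one minimal browser script, added here as an illustration; it is not ConsentPixel's code. The vendor hostname patterns, the banner version and region fields, and the page origin used for URL resolution are assumptions for the example.

```javascript
// Added example (not ConsentPixel's code): consent gate of the kind the checklist
// describes. Vendor hostname patterns are ASSUMED for illustration; check them
// against the script URLs actually present in your tag manager.
const GATED_HOSTS = [
  /(^|\.)hotjar\.com$/i,     // Hotjar session recording
  /(^|\.)fullstory\.com$/i,  // FullStory session replay
  /(^|\.)clarity\.ms$/i,     // Microsoft Clarity
];

// True when a script URL points at a vendor that must wait for consent.
// Relative or unparsable URLs resolve against the page origin and are not gated.
function isGatedScript(src, pageOrigin = 'https://example.com/') {
  let host;
  try { host = new URL(src, pageOrigin).hostname; } catch { return false; }
  return GATED_HOSTS.some((re) => re.test(host));
}

// Effective consent state. A Global Privacy Control signal is an opt-out with
// no banner interaction required; otherwise only an explicit "accept" lets
// gated scripts run. Dismissing or ignoring the banner is not consent.
function effectiveConsent({ gpc = false, decision = null }) {
  if (gpc === true) return 'opt-out';
  return decision === 'accept' ? 'accept' : 'not-consented';
}

// Append-only consent log: returns a new frozen array and never mutates the
// old one, so page code cannot rewrite earlier entries. Ship entries to a
// server-side store that is itself append-only if the log is to serve as evidence.
function appendConsentLog(log, { decision, bannerVersion, region, at = new Date() }) {
  const entry = Object.freeze({ decision, bannerVersion, region, at: at.toISOString() });
  return Object.freeze([...log, entry]);
}

// Neutralise gated <script> tags as soon as they enter the DOM, before the
// external file has finished downloading. Only external scripts are caught
// this way; inline tags must ship with a non-executable type and be re-enabled
// after consent, and removing tags server-side remains the safest primary control.
function installGate(doc, state, onBlocked = () => {}) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1 || node.tagName !== 'SCRIPT') continue;
        if (effectiveConsent(state) === 'accept' || !isGatedScript(node.src)) continue;
        node.type = 'text/plain'; // no longer treated as executable JavaScript
        node.remove();            // and gone before the download completes
        onBlocked(node.src);      // record what was held back for re-enabling later
      }
    }
  });
  observer.observe(doc.documentElement, { childList: true, subtree: true });
  return observer;
}

// Browser wiring; skipped outside a DOM so the helpers above stay unit-testable.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const state = { gpc: navigator.globalPrivacyControl === true, decision: null };
  let log = appendConsentLog([], {
    decision: state.gpc ? 'gpc-opt-out' : 'banner-shown', bannerVersion: 'v1', region: 'unknown',
  });
  installGate(document, state, (src) => console.log('held back until consent:', src));
  // On an explicit Accept click: state.decision = 'accept'; log = appendConsentLog(log, {...});
}
```

Re-enabling after consent means re-inserting each held-back src as a fresh script element once `state.decision` is 'accept'; the observer then lets it through.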
Why ConsentPixel

The only CMP built specifically for CIPA protection.

Generic cookie banners — Cookiebot, CookieYes — were built for GDPR. CIPA requires a different technical approach: true script blocking at the browser level, named blocklists for the specific tools plaintiff firms scan for, and active scanning to catch new risks before they're exploited.

Named CIPA blocklist — Hotjar, FullStory, Clarity and 7 more session replay tools explicitly named and blocked. The exact tools Kind Law scans for.
Browser-level blocking — MutationObserver intercept + fetch monkey-patch. Scripts cannot execute; they are not merely deferred. The technical standard courts expect.
Active scanner — weekly (Starter) or daily (Growth+) Playwright crawl of your site, fresh visitor, no cookies. We find what Kind Law finds before they do.
Immutable consent logs — every decision stored with timestamp, banner version, and geography. Your legal defence if a demand letter arrives.
GPC signal support — automatically opts out California visitors who have GPC enabled. CCPA 2026 compliant from day one.
Start free trial — 14 days, no card →
⚠ Important: This is not legal advice

ConsentPixel provides compliance infrastructure, not legal counsel. The case law summaries on this page are for informational purposes. Every business's situation is different. If you have received a demand letter or are concerned about your specific CIPA exposure, consult a qualified California privacy attorney.

CIPA FAQ

Questions business owners ask after reading about CIPA

Does CIPA apply if my business isn't in California?
Yes. CIPA's scope is determined by the location of the visitor, not the operator. If a California resident visits your website — whether your business is in Texas, Florida, the UK, or anywhere else — and their communications are intercepted without consent, CIPA applies. California's 40 million residents mean virtually every consumer-facing US website is potentially within scope.
We already have a cookie banner. Are we protected?
Only if your tracking scripts are physically blocked from executing until after the visitor has consented through that banner. Most cookie banners are cosmetic — they display while scripts run in the background. A 2024 California court dismissed a CIPA claim specifically because the plaintiff had consented via a cookie banner before tracking began. The banner works as a defence only when it actually gates the scripts. If Hotjar fires while your banner is displayed but before anyone clicks Accept, the banner provides no protection.
Microsoft Clarity is free and from Microsoft — surely it's fine?
No. Microsoft Clarity records mouse movements, clicks, and keystroke data. The fact that it's free, from a large company, or widely used is irrelevant to CIPA analysis. The legal question is whether the tool intercepts communications without consent — Clarity does exactly that when configured in its default state. Kind Law has been documented scanning specifically for Clarity installations. Being free and popular makes it more common, which means it's in more plaintiff firm scan indexes.
Can I just remove Hotjar to be safe?
Removing Hotjar eliminates one specific CIPA exposure, but it doesn't mean you're compliant. Your site likely still has Google Analytics, Meta Pixel, or other tracking tools that create separate exposure under other CIPA provisions and under CCPA. The correct approach is a comprehensive consent management solution that blocks all non-essential tracking until consent is given — not removing individual tools one by one as demand letters arrive. Removing Hotjar then getting a demand letter for Meta Pixel next month is an expensive way to learn this.
We received a demand letter. What should we do?
Engage a qualified California privacy attorney immediately. Do not ignore the letter, and do not respond directly without legal advice. At the same time, implement proper consent management immediately — demand letters typically document a past violation, but ongoing violations after you've been put on notice strengthen the plaintiff's case significantly. Installing ConsentPixel stops any ongoing violation from accumulating, which is relevant to any settlement negotiation. We can provide consent logs showing when compliant consent management went live on your site.
Is the legal landscape improving for businesses?
Somewhat, but not reliably. The Torres and Thomas rulings in 2025 were significant wins for defendants, narrowing the real-time interception requirement. However, Mikulsky and Camplisson show plaintiffs are finding viable theories. SB 690, which would have created a commercial business purpose safe harbour, failed to pass in 2025 and is not expected before 2027 at the earliest. The practical risk remains real — and defending even a winnable case costs $200,000–$500,000 before summary judgment. Prevention is dramatically cheaper than litigation.
How much does a CIPA demand letter typically ask for?
Demand letters typically ask for between $10,000 and $75,000 for pre-litigation settlement. If the case is filed, settlements range from $10,000 to over $200,000 depending on California traffic volume and violation count. Class actions against larger companies have settled in the millions: Tractor Supply Co. settled for $1.35M in September 2025 (CCPA, not CIPA), Sutter Health for $21.5M in April 2026 (tracking pixels on healthcare portal), and Inova Health for $3.1M in April 2026. ConsentPixel costs from $8.99/domain/month.
Don't wait for the FedEx letter

Find out if Kind Law has your site in their index. Free. Right now.

Scan your site the same way plaintiff firms do. Zero cookies. Fresh session. Real results. 10 seconds.

$8.99/domain/month · Works on WordPress, Shopify, Webflow, any HTML

Legal disclaimer: This page is for informational purposes only and does not constitute legal advice. CIPA case law is actively evolving. If you have received a demand letter or have specific concerns about your compliance posture, consult a qualified California privacy attorney.
