What Is a CIPA Claim?
A CIPA claim alleges that your website's trackers "wiretapped" a visitor without consent. Here's exactly what a plaintiff has to prove, what one is worth, how the claim moves through court — and the one change that makes your site un-claimable.
On this page
What a CIPA claim is
A CIPA claim is a lawsuit — or, far more often, the pre-lawsuit demand letter that precedes one — alleging that a website violated the California Invasion of Privacy Act by letting third-party tracking technology intercept a visitor's communications without their consent. In plain terms: a plaintiff argues that the pixels, session-replay scripts, chat widgets, or analytics tags running on your site "wiretapped" them, and that under a 1967 anti-wiretapping statute, they're owed statutory damages for it.
That framing sounds strange until you see the mechanics. CIPA was written for telephone taps and hidden tape recorders, but its broad language has let plaintiffs' attorneys argue it applies to the ordinary tracking stack on almost every modern website. The result is one of the most active bodies of privacy litigation in the United States, and the reason "CIPA claims" have become a line item that website operators now have to think about.
Why CIPA claims exploded against websites
Three things turned a dormant telephone statute into a website-litigation engine.
The private right of action. Unlike most privacy laws — which are enforced by a regulator — CIPA lets any individual sue, and win statutory damages, without proving they lost a single dollar. That combination (private plaintiffs + fixed damages + no proof-of-harm requirement) is what makes CIPA an attractive vehicle for high-volume litigation.
The Javier consent-timing rule. In Javier v. Assurance IQ (9th Cir. 2022), the court signaled that consent under § 631 must be obtained before tracking begins. A visitor agreeing to a privacy policy after data was already captured doesn't count. Practically every modern CIPA demand letter now leans on Javier, because it means any site that fires trackers on page load — before a consent gate — has a weak defense.
The volume playbook. A small number of plaintiff firms — names like Swigart Law Group, Tauler Smith, Pacific Trial Attorneys, and Bursor & Fisher — run templated complaints calibrated to settle for less than it would cost to defend. It's an assembly line: scan a site's technical fingerprint, generate a near-identical letter, send it, repeat.
What a plaintiff must prove in a CIPA claim
Most website CIPA claims are brought under Section 631(a). To make out that claim, a plaintiff generally has to establish a handful of elements. This is the anatomy the entire dispute turns on — and where a well-configured site breaks the claim.
| Element | What it means in a website case |
|---|---|
| Interception in transit | A communication was intercepted or read while "in transit" — e.g. a chat message or form entry captured in real time as it moved between the visitor and the site. |
| By a third party | Because a website can't wiretap its own conversation, the plaintiff must show a third-party vendor did the intercepting — and that the site "aided, agreed with, employed, or conspired with" it. |
| Contents, not just record | The intercepted data must be the contents of a communication (what was said/typed), not merely "record" information like an IP address or timestamp. This distinction decides many cases. |
| Without consent | No valid, all-party consent was obtained — and under Javier, consent generally has to come before the interception, not after. |
| Confidential / expectation of privacy | For some theories, that the communication was confidential or that the visitor had a reasonable expectation of privacy in it. |
The "party exception" — the defendant's best friend
Courts have repeatedly held that a website is a party to its own communications, so it can't be liable for "eavesdropping" on itself. The plaintiff's workaround is the aiding-and-abetting theory above. But there's a catch that cuts against plaintiffs: if the third-party vendor is acting purely as a tool for the website — collecting data only on the site's behalf, contractually barred from using it for its own purposes — several courts have found no third-party interception at all (the reasoning in Graham v. Noom). Where the vendor can use or monetize the data for itself (the concern in Javier), the claim is far more likely to survive.
Is your site giving a plaintiff the elements they need?
A CIPA claim needs trackers firing before consent. Our free scanner shows you exactly which pixels, replay scripts, and chat tools load on your site before a visitor opts in — the same view a plaintiff firm's scan produces. About 10 seconds, no account.
Scan your site free →The CIPA sections behind most claims
CIPA isn't a single rule — it's a cluster of prohibitions in California Penal Code §§ 630–638. Three provisions do almost all the work in website claims:
- § 631 — Wiretapping. The heavyweight. Bars intercepting or reading the contents of a communication in transit without all-party consent, and reaches anyone who aids or conspires with the interceptor. This is the provision cited in the large majority of website CIPA claims. For a full breakdown, see our CIPA Section 631 explainer.
- § 632 — Confidential communications. Prohibits recording or eavesdropping on a confidential communication without every party's consent. Used alongside § 631 in some complaints.
- § 638.51 — Pen register / trap-and-trace. A newer theory arguing that tracking pixels act like a "pen register" by capturing device and routing information. It powered a wave of filings after Greenley v. Kochava, but its footing is weaker — multiple California courts in 2024–2026 dismissed pen-register claims, holding that IP addresses alone aren't "outgoing communications."
What is a CIPA claim worth?
This is the number that drives the whole ecosystem. CIPA provides statutory damages of $5,000 per violation, or three times actual damages — whichever is greater — and crucially, a plaintiff doesn't have to prove they suffered any concrete financial loss to seek it.
But the "$5,000 per violation" headline needs three caveats that plaintiff-side marketing tends to skip:
- It's a court-awarded maximum, not a guarantee. These are amounts a court may award if a violation is proven. They are not money that exists simply because a demand letter was sent.
- "Per violation" is contested. Whether that means per visit, per interception, or something else is itself disputed and can dramatically change the math — especially in a class action, where the aggregate can look enormous even when each individual claim is modest.
- Demand letters are priced to settle, not to litigate. In practice, most demands land in the tens of thousands — deliberately set below the cost of mounting a defense, so recipients pay to make the matter disappear.
How a CIPA claim proceeds
Most website operators meet CIPA not as a filed lawsuit but as a letter. Here's the typical arc:
- Automated scan. A plaintiff firm (or a serial plaintiff) crawls sites with a fresh, zero-cookie session and records which trackers fire before consent.
- Demand letter. A templated letter arrives — often styled to look like a complaint — alleging a § 631 violation and naming a settlement figure. Our CIPA demand-letter response guide walks through what to do if you receive one.
- Settlement or filing. Many recipients settle. If they don't, a complaint may be filed — increasingly as a class action, which multiplies the stakes.
- Motion to dismiss. Defendants typically challenge the claim early — on the party exception, the record-vs-contents distinction, standing, or personal jurisdiction. This is where a lot of CIPA cases live or die.
One procedural detail worth knowing: CIPA carries a one-year statute of limitations, generally running from when the plaintiff knew (or reasonably should have known) about the alleged interception.
Where the courts are in 2026
The case law is genuinely unsettled, and both sides have wins. On the plaintiff-friendly side, the Ninth Circuit in Mikulsky v. Bloomingdale's (June 2025) let a § 631 claim proceed, finding the plaintiff adequately alleged the site conspired with its session-replay vendor to intercept communication contents. On the defense-friendly side, the same court in Thomas v. Papa John's affirmed dismissal, reinforcing the party exception, and a February 2026 ruling in Maghoney v. Dotdash Meredith dismissed a session-replay claim for lack of standing. Large settlements also keep landing — healthcare and pixel-tracking cases have produced multi-million-dollar resolutions in 2026. The throughline: outcomes hinge on specific facts, and the safest posture is not to generate the facts in the first place. We track new rulings in our CIPA lawsuit tracker.
Common defenses to a CIPA claim
If you're on the receiving end (with counsel — see the disclaimer), the recurring defenses are:
- Consent. The visitor agreed to the tracking — strongest when consent was captured before tracking fired, and documented.
- Party exception. The vendor was a mere tool acting only on the site's behalf, not an independent eavesdropper.
- Record, not contents. What was captured was addressing/record data (like an IP), not the contents of a communication.
- No standing / no injury. The plaintiff can't show a concrete injury sufficient to sue.
- Personal jurisdiction. Contested for out-of-state defendants — though the Ninth Circuit's Briskin v. Shopify reasoning has made this harder to win for interactive commercial sites.
Notice that the strongest, cleanest defense is documented pre-consent — and that's a technical posture you control in advance, not a legal argument you improvise after a letter arrives.
How to make your site "un-claimable"
The uncomfortable truth of CIPA litigation is that the volume model depends on sites failing the first automated scan. Close that gap and you drop off the target list. Concretely:
- Block third-party trackers until consent. This is the core fix. If no non-essential pixel, replay script, or chat SDK fires before opt-in, there's no pre-consent interception to allege. This is the "without consent" element — removed.
- Get consent before tracking, per Javier. A banner that appears while trackers are already running is exactly the failure these claims target. The gate has to actually gate.
- Make declining as easy as accepting. No dark patterns; a real choice is what stands up.
- Keep a consent record. A timestamped, tamper-evident log of who consented to what and when is the documentation that supports the consent defense if a claim ever comes.
- Watch for drift. A new marketing tag added months later can silently reopen exposure. Ongoing scanning matters.
ConsentPixel — Privacy · Verified is built around exactly this prevention-first posture: one pixel that blocks non-essential trackers until consent, captures an immutable consent log, and keeps scanning for drift. It's a CIPA-first consent platform rather than a generic cookie banner — because in this litigation, when a tracker fires is the whole ballgame.
⚡ Key takeaways
- A CIPA claim alleges your site's third-party trackers intercepted a visitor's communication without consent, under California's anti-wiretapping law (§ 631).
- The load-bearing elements are third-party interception of contents, in transit, without prior consent — and consent is the one you control.
- Damages are $5,000 per violation or 3× actual, with no proof of harm required — but "per violation" is contested and demand figures are priced to settle.
- The Javier rule (consent before tracking) is why sites that fire pixels on page load are exposed.
- The cleanest defense is documented pre-consent — a technical posture you set up in advance, not an argument you make after a letter.
- Blocking trackers until consent removes the "without consent" element and drops you off the automated-scan target list.
Frequently asked questions
What is a CIPA claim in simple terms?
How much is a CIPA claim worth?
Can I get a CIPA claim if my business isn't in California?
What must a plaintiff prove in a CIPA claim?
What's the best way to avoid CIPA claims?
Is a CIPA demand letter the same as a lawsuit?
The bottom line
A CIPA claim is, at its core, an argument about timing and consent: did a third-party tracker capture a visitor's communication before that visitor agreed to it? Everything else — the sections, the damages math, the case law — hangs off that question.
That's also why CIPA is one of the rare legal risks you can largely engineer away. You can't control which firm sends letters or how a court rules on the party exception. You can control whether your trackers fire before consent. Close that gap, keep the record, and the elements a plaintiff needs simply aren't there.
See what fires before consent on your site
Run the same scan a plaintiff firm would — in about 10 seconds. See every tracker loading before opt-in, then close the gap with one pixel.
Free scan · no account · 14-day trial, no credit card · from $8.99/mo
This article is for general educational purposes only and is not legal advice. CIPA litigation is unsettled and fact-specific; nothing here creates an attorney–client relationship. If you have received a CIPA demand letter or lawsuit, consult a qualified attorney about your specific situation.