ConsentPixel – Privacy · Verified

⚖️ CIPA & Legal Risk

What Is a CIPA Claim?

A CIPA claim alleges that your website's trackers "wiretapped" a visitor without consent. Here's exactly what a plaintiff has to prove, what one is worth, how the claim moves through court — and the one change that makes your site un-claimable.

CP ConsentPixel Editorial Updated July 2026 13 min read
$5,000
Statutory damages a plaintiff can seek per violation — or 3× actual damages, whichever is greater
1 year
Statute of limitations — the window a plaintiff has to file a CIPA claim
Any site
CIPA reaches any website a California resident can visit — not just California businesses

What a CIPA claim is

A CIPA claim is a lawsuit — or, far more often, the pre-lawsuit demand letter that precedes one — alleging that a website violated the California Invasion of Privacy Act by letting third-party tracking technology intercept a visitor's communications without their consent. In plain terms: a plaintiff argues that the pixels, session-replay scripts, chat widgets, or analytics tags running on your site "wiretapped" them, and that under a 1967 anti-wiretapping statute, they're owed statutory damages for it.

That framing sounds strange until you see the mechanics. CIPA was written for telephone taps and hidden tape recorders, but its broad language has let plaintiffs' attorneys argue it applies to the ordinary tracking stack on almost every modern website. The result is one of the most active bodies of privacy litigation in the United States, and the reason "CIPA claims" have become a line item that website operators now have to think about.

The one-sentence version: a CIPA claim says a tracker on your site captured a visitor's interaction — a keystroke, a chat message, an identifier — before they consented, and that this counts as an illegal interception under California Penal Code § 631.

Why CIPA claims exploded against websites

Three things turned a dormant telephone statute into a website-litigation engine.

The private right of action. Unlike most privacy laws — which are enforced by a regulator — CIPA lets any individual sue, and win statutory damages, without proving they lost a single dollar. That combination (private plaintiffs + fixed damages + no proof-of-harm requirement) is what makes CIPA an attractive vehicle for high-volume litigation.

The Javier consent-timing rule. In Javier v. Assurance IQ (9th Cir. 2022), the court signaled that consent under § 631 must be obtained before tracking begins. A visitor agreeing to a privacy policy after data was already captured doesn't count. Practically every modern CIPA demand letter now leans on Javier, because it means any site that fires trackers on page load — before a consent gate — has a weak defense.

The volume playbook. A small number of plaintiff firms — names like Swigart Law Group, Tauler Smith, Pacific Trial Attorneys, and Bursor & Fisher — run templated complaints calibrated to settle for less than it would cost to defend. It's an assembly line: scan a site's technical fingerprint, generate a near-identical letter, send it, repeat.

Visitor types in chat / form Your website a party to the chat 3rd-party tracker pixel · replay · chat SDK intercepts before consent The § 631 theory: the website "aids" a third party that intercepts the visitor's communication in transit
How the claim is built. The site is a party to the conversation, so it can't "eavesdrop" on itself. The viable theory is that it aided and abetted a third-party vendor that did the intercepting.

What a plaintiff must prove in a CIPA claim

Most website CIPA claims are brought under Section 631(a). To make out that claim, a plaintiff generally has to establish a handful of elements. This is the anatomy the entire dispute turns on — and where a well-configured site breaks the claim.

ElementWhat it means in a website case
Interception in transitA communication was intercepted or read while "in transit" — e.g. a chat message or form entry captured in real time as it moved between the visitor and the site.
By a third partyBecause a website can't wiretap its own conversation, the plaintiff must show a third-party vendor did the intercepting — and that the site "aided, agreed with, employed, or conspired with" it.
Contents, not just recordThe intercepted data must be the contents of a communication (what was said/typed), not merely "record" information like an IP address or timestamp. This distinction decides many cases.
Without consentNo valid, all-party consent was obtained — and under Javier, consent generally has to come before the interception, not after.
Confidential / expectation of privacyFor some theories, that the communication was confidential or that the visitor had a reasonable expectation of privacy in it.
Why this matters for you: notice that consent is one of the load-bearing elements. A site that provably blocks third-party trackers until a visitor opts in removes the "without consent" element the whole claim depends on — which is the prevention-first logic ConsentPixel is built around.

The "party exception" — the defendant's best friend

Courts have repeatedly held that a website is a party to its own communications, so it can't be liable for "eavesdropping" on itself. The plaintiff's workaround is the aiding-and-abetting theory above. But there's a catch that cuts against plaintiffs: if the third-party vendor is acting purely as a tool for the website — collecting data only on the site's behalf, contractually barred from using it for its own purposes — several courts have found no third-party interception at all (the reasoning in Graham v. Noom). Where the vendor can use or monetize the data for itself (the concern in Javier), the claim is far more likely to survive.

Is your site giving a plaintiff the elements they need?

A CIPA claim needs trackers firing before consent. Our free scanner shows you exactly which pixels, replay scripts, and chat tools load on your site before a visitor opts in — the same view a plaintiff firm's scan produces. About 10 seconds, no account.

Scan your site free →

The CIPA sections behind most claims

CIPA isn't a single rule — it's a cluster of prohibitions in California Penal Code §§ 630–638. Three provisions do almost all the work in website claims:

  • § 631 — Wiretapping. The heavyweight. Bars intercepting or reading the contents of a communication in transit without all-party consent, and reaches anyone who aids or conspires with the interceptor. This is the provision cited in the large majority of website CIPA claims. For a full breakdown, see our CIPA Section 631 explainer.
  • § 632 — Confidential communications. Prohibits recording or eavesdropping on a confidential communication without every party's consent. Used alongside § 631 in some complaints.
  • § 638.51 — Pen register / trap-and-trace. A newer theory arguing that tracking pixels act like a "pen register" by capturing device and routing information. It powered a wave of filings after Greenley v. Kochava, but its footing is weaker — multiple California courts in 2024–2026 dismissed pen-register claims, holding that IP addresses alone aren't "outgoing communications."

What is a CIPA claim worth?

This is the number that drives the whole ecosystem. CIPA provides statutory damages of $5,000 per violation, or three times actual damages — whichever is greater — and crucially, a plaintiff doesn't have to prove they suffered any concrete financial loss to seek it.

But the "$5,000 per violation" headline needs three caveats that plaintiff-side marketing tends to skip:

  • It's a court-awarded maximum, not a guarantee. These are amounts a court may award if a violation is proven. They are not money that exists simply because a demand letter was sent.
  • "Per violation" is contested. Whether that means per visit, per interception, or something else is itself disputed and can dramatically change the math — especially in a class action, where the aggregate can look enormous even when each individual claim is modest.
  • Demand letters are priced to settle, not to litigate. In practice, most demands land in the tens of thousands — deliberately set below the cost of mounting a defense, so recipients pay to make the matter disappear.
Important: we deliberately don't put a "your exposure = $X" figure in front of you. The real number in any matter depends on facts, class size, and unsettled legal questions a court hasn't resolved. Anyone quoting you a precise exposure from a demand letter alone is selling fear. This article is educational, not legal advice.

How a CIPA claim proceeds

Most website operators meet CIPA not as a filed lawsuit but as a letter. Here's the typical arc:

  1. Automated scan. A plaintiff firm (or a serial plaintiff) crawls sites with a fresh, zero-cookie session and records which trackers fire before consent.
  2. Demand letter. A templated letter arrives — often styled to look like a complaint — alleging a § 631 violation and naming a settlement figure. Our CIPA demand-letter response guide walks through what to do if you receive one.
  3. Settlement or filing. Many recipients settle. If they don't, a complaint may be filed — increasingly as a class action, which multiplies the stakes.
  4. Motion to dismiss. Defendants typically challenge the claim early — on the party exception, the record-vs-contents distinction, standing, or personal jurisdiction. This is where a lot of CIPA cases live or die.

One procedural detail worth knowing: CIPA carries a one-year statute of limitations, generally running from when the plaintiff knew (or reasonably should have known) about the alleged interception.

Where the courts are in 2026

The case law is genuinely unsettled, and both sides have wins. On the plaintiff-friendly side, the Ninth Circuit in Mikulsky v. Bloomingdale's (June 2025) let a § 631 claim proceed, finding the plaintiff adequately alleged the site conspired with its session-replay vendor to intercept communication contents. On the defense-friendly side, the same court in Thomas v. Papa John's affirmed dismissal, reinforcing the party exception, and a February 2026 ruling in Maghoney v. Dotdash Meredith dismissed a session-replay claim for lack of standing. Large settlements also keep landing — healthcare and pixel-tracking cases have produced multi-million-dollar resolutions in 2026. The throughline: outcomes hinge on specific facts, and the safest posture is not to generate the facts in the first place. We track new rulings in our CIPA lawsuit tracker.

Common defenses to a CIPA claim

If you're on the receiving end (with counsel — see the disclaimer), the recurring defenses are:

  • Consent. The visitor agreed to the tracking — strongest when consent was captured before tracking fired, and documented.
  • Party exception. The vendor was a mere tool acting only on the site's behalf, not an independent eavesdropper.
  • Record, not contents. What was captured was addressing/record data (like an IP), not the contents of a communication.
  • No standing / no injury. The plaintiff can't show a concrete injury sufficient to sue.
  • Personal jurisdiction. Contested for out-of-state defendants — though the Ninth Circuit's Briskin v. Shopify reasoning has made this harder to win for interactive commercial sites.

Notice that the strongest, cleanest defense is documented pre-consent — and that's a technical posture you control in advance, not a legal argument you improvise after a letter arrives.

How to make your site "un-claimable"

The uncomfortable truth of CIPA litigation is that the volume model depends on sites failing the first automated scan. Close that gap and you drop off the target list. Concretely:

  • Block third-party trackers until consent. This is the core fix. If no non-essential pixel, replay script, or chat SDK fires before opt-in, there's no pre-consent interception to allege. This is the "without consent" element — removed.
  • Get consent before tracking, per Javier. A banner that appears while trackers are already running is exactly the failure these claims target. The gate has to actually gate.
  • Make declining as easy as accepting. No dark patterns; a real choice is what stands up.
  • Keep a consent record. A timestamped, tamper-evident log of who consented to what and when is the documentation that supports the consent defense if a claim ever comes.
  • Watch for drift. A new marketing tag added months later can silently reopen exposure. Ongoing scanning matters.

ConsentPixel — Privacy · Verified is built around exactly this prevention-first posture: one pixel that blocks non-essential trackers until consent, captures an immutable consent log, and keeps scanning for drift. It's a CIPA-first consent platform rather than a generic cookie banner — because in this litigation, when a tracker fires is the whole ballgame.

⚡ Key takeaways

  • A CIPA claim alleges your site's third-party trackers intercepted a visitor's communication without consent, under California's anti-wiretapping law (§ 631).
  • The load-bearing elements are third-party interception of contents, in transit, without prior consent — and consent is the one you control.
  • Damages are $5,000 per violation or 3× actual, with no proof of harm required — but "per violation" is contested and demand figures are priced to settle.
  • The Javier rule (consent before tracking) is why sites that fire pixels on page load are exposed.
  • The cleanest defense is documented pre-consent — a technical posture you set up in advance, not an argument you make after a letter.
  • Blocking trackers until consent removes the "without consent" element and drops you off the automated-scan target list.

Frequently asked questions

What is a CIPA claim in simple terms?
It's a legal claim that your website's tracking technology — pixels, session-replay scripts, chat widgets — intercepted a visitor's communication without their consent, in violation of the California Invasion of Privacy Act. Most CIPA claims arrive first as a demand letter rather than a filed lawsuit, and they rely on a 1967 anti-wiretapping statute being applied to modern web tracking.
How much is a CIPA claim worth?
CIPA allows statutory damages of $5,000 per violation, or three times actual damages, whichever is greater — and a plaintiff doesn't have to prove financial loss. But that's a potential court-awarded amount, not a guaranteed payout, and how "per violation" is counted is legally contested. In practice, demand letters usually name figures in the tens of thousands, deliberately set below the cost of defending, to encourage a quick settlement.
Can I get a CIPA claim if my business isn't in California?
Yes. CIPA can apply to any website a California resident can visit, regardless of where the business is located. Businesses across the US — and even outside it — have received CIPA demand letters. Recent Ninth Circuit reasoning (including Briskin v. Shopify) has made it harder for out-of-state, interactive commercial sites to defeat these claims on personal-jurisdiction grounds.
What must a plaintiff prove in a CIPA claim?
Under Section 631, generally: that a communication was intercepted in transit; that a third party (not just the website itself) did the intercepting, with the site aiding or conspiring; that the intercepted data was the contents of a communication rather than mere record information like an IP address; and that this happened without valid, all-party consent — which, under Javier, usually needs to be obtained before tracking begins.
What's the best way to avoid CIPA claims?
Block non-essential third-party trackers until a visitor consents, obtain that consent before any tracking fires, make declining as easy as accepting, and keep a timestamped consent log. This removes the "without consent" element the claim depends on and takes your site off the automated-scan target list. A CIPA-first consent platform like ConsentPixel is designed to do exactly this from a single pixel.
Is a CIPA demand letter the same as a lawsuit?
No. A demand letter is a pre-litigation document alleging a CIPA violation and proposing a settlement; a lawsuit is a complaint filed in court. Most website operators encounter CIPA at the demand-letter stage. Ignoring a letter can lead to a filed suit, so the common guidance is to consult a qualified attorney about the letter while separately fixing the underlying technical issue on your site.

The bottom line

A CIPA claim is, at its core, an argument about timing and consent: did a third-party tracker capture a visitor's communication before that visitor agreed to it? Everything else — the sections, the damages math, the case law — hangs off that question.

That's also why CIPA is one of the rare legal risks you can largely engineer away. You can't control which firm sends letters or how a court rules on the party exception. You can control whether your trackers fire before consent. Close that gap, keep the record, and the elements a plaintiff needs simply aren't there.

See what fires before consent on your site

Run the same scan a plaintiff firm would — in about 10 seconds. See every tracker loading before opt-in, then close the gap with one pixel.

Free scan · no account · 14-day trial, no credit card · from $8.99/mo

CP

ConsentPixel Editorial

CIPA & website-privacy research

ConsentPixel — Privacy · Verified is a CIPA-first consent platform that blocks third-party trackers until visitors consent. Our editorial team tracks CIPA litigation so website owners can understand the risk in plain language — and prevent it. We practice what we sell: this site runs privacy-first analytics, not Google Analytics.

This article is for general educational purposes only and is not legal advice. CIPA litigation is unsettled and fact-specific; nothing here creates an attorney–client relationship. If you have received a CIPA demand letter or lawsuit, consult a qualified attorney about your specific situation.

Scroll to Top