If your website runs a Meta Pixel, Google Analytics, a chat widget, or a session replay tool — and most do — and those tools fire before a visitor agrees to them, your business has measurable legal exposure under the California Invasion of Privacy Act. This is not a hypothetical. Plaintiff law firms are scanning sites at industrial scale and sending settlement demands daily.
The good news: CIPA compliance for websites is genuinely achievable, and the core fix is straightforward once you understand what the law actually requires. This guide explains CIPA in plain English, shows why ordinary marketing tools have become a liability, and walks through the concrete steps that move your site from exposed to protected.
Key takeaways
- CIPA is a California wiretapping statute now applied to website trackers; it requires consent before any third-party tool collects or transmits a visitor's data.
- Damages are $5,000 per violation with no proof of harm needed, and exposure multiplies across sessions and third parties.
- Being CCPA compliant does not make you CIPA compliant — they are different laws.
- The fix is a consent mechanism that blocks trackers until opt-in and logs every consent decision with a timestamp.
What is CIPA, and why does it apply to websites?
The California Invasion of Privacy Act (CIPA) was passed in 1967 as an anti-wiretapping law. Its original purpose was to stop people from secretly recording or eavesdropping on telephone calls without the consent of everyone involved. For decades it had nothing to do with the internet.
That changed when plaintiff attorneys began arguing that modern website tracking works like wiretapping. The theory goes like this: when a visitor interacts with your site, that interaction is a "communication." If a third-party tool — say, the Meta Pixel — captures that interaction and transmits it to an outside company in real time, before the visitor has agreed to it, then a third party has intercepted a communication in transit. Under CIPA, that interception without consent is the violation.
Two sections of the statute do most of the work in these cases. Section 631 is the core wiretapping provision covering the unauthorised interception of electronic communications. Section 638.51 covers "pen registers" — processes that record routing and addressing information such as IP addresses and device identifiers. Both were written for telephones, and courts have increasingly extended them to pixels, cookies, session replay tools, and even search-bar functions.
Crucially, CIPA is not limited to California-based businesses. It protects communications involving people in California, which means a website anywhere can be exposed if California residents visit it and tracking fires without consent. For practical purposes, that is nearly every commercial website in the United States.
Why CIPA lawsuits are exploding now
Three forces have combined to turn a dormant law into the most active area of website litigation.
First, the legal threshold questions are largely settled. The earlier wave of cases argued over whether a pixel could even "intercept" a communication or whether a cookie could be a pen register. By 2026, the docket increasingly assumes the answer is yes and has moved on to operational questions: did tracking begin before consent was available, and did the site's actual behaviour match what its banner told users? That shift makes cases easier to bring.
Second, enforcement is automated. Plaintiff firms use scanning tools to crawl thousands of sites, detect trackers firing before consent, and generate demand letters at scale. A handful of firms and individual litigants drive a large share of the volume, and reports describe a dozen or more demand letters going out per day.
Third, the maths favours the plaintiff. At $5,000 per violation with no need to prove any actual harm, and with each session or each third-party recipient arguable as a separate violation, the potential exposure on a moderately trafficked site climbs into serious numbers very quickly. That makes settlement the path of least resistance for many businesses — which in turn funds the next round of letters.
It helps to be realistic about who is actually sending these letters. A relatively small number of plaintiff firms and individual litigants generate a disproportionate share of the volume, using automated tooling to identify targets and standardised letters to pursue them. Some operate as serial filers, sending demands across hundreds of businesses in parallel. The takeaway is not that the practice is unusual but that it is systematic and repeatable — which is precisely why an ordinary small business with no California address and no obvious "data problem" can still receive a letter. You do not have to be doing anything out of the ordinary to be targeted; you only have to be running common marketing tools the way almost everyone runs them.
There is a reputational dimension too. Beyond the settlement cost itself, a publicised privacy claim can erode the trust of customers who increasingly care about how their data is handled. For a brand whose value rests on credibility — a healthcare provider, a financial service, a professional firm — that secondary cost can outweigh the direct legal one.
What actually triggers a CIPA claim
Almost every CIPA website case comes down to one fact pattern: a tracking technology sent user data to a third party before the visitor consented. The specific tools named most often include:
- Advertising pixels — the Meta (Facebook) Pixel is the most-cited example, followed by the TikTok Pixel, LinkedIn Insight Tag, and Microsoft/Bing trackers.
- Analytics scripts — Google Analytics and similar tools that load and begin collecting on page load.
- Session replay tools — Hotjar, FullStory, Microsoft Clarity, Lucky Orange, and Inspectlet, which record user behaviour in detail.
- Chat widgets and search bars — features that transmit what a user types to a third-party service.
The unifying issue is firing order. A tool that fires the instant the page loads, before any consent choice exists, is the textbook trigger. A tool that is properly held back until the visitor opts in is not.
You can see this for yourself in about a minute. Open your site in a private/incognito window, open your browser's network inspector, and watch which third-party requests fire before you click anything on a consent banner. Every third-party request that appears before consent is a potential CIPA exposure point.
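The manual check above scales poorly once a site has dozens of tags, so here is the same check as an offline audit. This is an added example, not code from the article or from ConsentPixel: it takes a list of captured requests (assumed to come from a HAR export of the network inspector, with the consent-click time noted) and reports every third-party host that fired before consent. The first-party hosts and the tracker hostnames are assumed values for illustration.

```javascript
// Added example, not code from the article or from ConsentPixel: an offline
// audit of a captured request list that reports third-party requests which
// fired before the consent click. Input is assumed to come from the browser's
// network inspector (e.g. a HAR export) with the consent-click time noted.

// Hosts that belong to the site itself (assumed); everything else is third-party.
const FIRST_PARTY_HOSTS = ['www.example-shop.test', 'cdn.example-shop.test'];

// Tracker hostnames for the tool families the article names (assumed list,
// not exhaustive; extend it for your own stack).
const KNOWN_TRACKERS = {
  'connect.facebook.net': 'Meta Pixel',
  'www.facebook.com': 'Meta Pixel',
  'www.google-analytics.com': 'Google Analytics',
  'analytics.tiktok.com': 'TikTok Pixel',
  'snap.licdn.com': 'LinkedIn Insight Tag',
  'bat.bing.com': 'Microsoft/Bing',
  'static.hotjar.com': 'Hotjar',
  'www.clarity.ms': 'Microsoft Clarity',
};

function classifyHost(host) {
  if (FIRST_PARTY_HOSTS.includes(host)) return 'first-party';
  return KNOWN_TRACKERS[host] || 'unknown third-party';
}

// entries: [{ url, startedAt }] with startedAt in ms (HAR startedDateTime run
// through Date.parse). consentAt: ms of the consent click, or null if the
// visitor never consented. Returns pre-consent third-party hosts, earliest first.
function findPreConsentRequests(entries, consentAt) {
  const hits = new Map();
  for (const e of entries) {
    const host = new URL(e.url).hostname;
    const tool = classifyHost(host);
    if (tool === 'first-party') continue;
    if (consentAt !== null && e.startedAt >= consentAt) continue; // after opt-in: fine
    const h = hits.get(host) || { tool, count: 0, first: e.startedAt };
    h.count += 1;
    h.first = Math.min(h.first, e.startedAt);
    hits.set(host, h);
  }
  return [...hits].map(([host, h]) => ({ host, ...h })).sort((a, b) => a.first - b.first);
}

// Constructed sample: page load at t=0 ms, consent clicked at t=4000 ms.
const SAMPLE = [
  { url: 'https://www.example-shop.test/', startedAt: 0 },
  { url: 'https://cdn.example-shop.test/app.js', startedAt: 60 },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', startedAt: 120 },
  { url: 'https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView', startedAt: 310 },
  { url: 'https://www.google-analytics.com/g/collect?v=2', startedAt: 450 },
  { url: 'https://static.hotjar.com/c/hotjar-0.js', startedAt: 900 },
  { url: 'https://bat.bing.com/bat.js', startedAt: 5200 }, // loaded only after consent
];

const REPORT = findPreConsentRequests(SAMPLE, 4000);
for (const r of REPORT) {
  console.log(`${r.host.padEnd(26)} ${r.tool.padEnd(20)} ${r.count} request(s), first at ${r.first} ms`);
}
```

Passing `null` as the consent time models a visitor who never clicked, which is the state a scanner sees when it crawls your site.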
Which industries are most exposed
While any site with California traffic can be targeted, some sectors draw more attention because their data is more sensitive or their traffic is higher. E-commerce stores are frequent targets because they run the heaviest advertising-pixel stacks. Healthcare, legal, and financial services attract scrutiny because the data flowing through their forms and chat tools is more sensitive, which makes the alleged interception look more serious. Media and publishing sites are exposed simply through volume — large traffic means a large number of potential per-session violations. If your business sits in any of these categories, treat CIPA compliance as a priority rather than a someday task.
Why "but everyone uses these tools" is not a defence
The most common reaction to learning about CIPA is disbelief: surely a tool installed on millions of websites cannot be illegal? But ubiquity is not consent. The Meta Pixel appears on a large share of the most-visited sites on the internet, and that is exactly why it features in so many claims. The law does not ask whether a practice is common; it asks whether a third party intercepted a communication before the user agreed. Widespread use makes you part of a large pool of targets, not a protected one.
CIPA vs CCPA: why compliance with one is not the other
This is the single most common and most dangerous misconception. Many businesses believe that because they added a CCPA notice or a "Do Not Sell My Personal Information" link, they are covered. They are not — at least not for CIPA.
| | CIPA | CCPA / CPRA |
|---|---|---|
| What it is | A wiretapping statute | A consumer-data-rights law |
| Core requirement | Consent before interception/tracking | Rights to know, delete, and opt out of sale |
| Consent model | Prior opt-in for tracking | Primarily opt-out for sale/sharing |
| Who can sue | Private individuals (per-violation damages) | Largely regulator-enforced; limited private right |
| Damages | $5,000 per violation, no harm needed | Civil penalties; narrower private statutory damages |
The practical consequence: a site can be fully CCPA compliant and still violate CIPA, because CCPA generally allows tracking to happen with an opt-out, while CIPA demands consent first. If your trackers fire before opt-in, a CCPA banner does not save you.
What CIPA compliance actually requires
Stripped to its essentials, a CIPA-compliant website does four things. These also happen to mirror what regulators expect under broader privacy frameworks, so getting them right pays off well beyond CIPA.
1. Block tracking until consent
No non-essential third-party tool — pixel, analytics, replay, or chat — should fire until the visitor has actively consented. This is the heart of compliance and the one thing that resolves the core issue in nearly every demand letter.
2. Offer a real, balanced choice
The consent interface must present "accept" and "decline" options of roughly equal prominence, give enough information for an informed choice, and let users withdraw consent later. A banner that only offers "Accept" — or buries the decline option — is itself a risk, and increasingly a target.
3. Control firing order at the technical layer
Having a consent platform is no longer the end of the analysis. What matters now is whether your setup genuinely controls when tags fire, so that nothing runs before a choice is recorded, and whether the actual tracking behaviour matches what your banner claims. A banner that says trackers are blocked while tags quietly fire underneath is worse than no banner at all.
4. Log every consent decision
Each acceptance or rejection should be recorded with a timestamp and retained. These logs are your primary evidence that consent was obtained before tracking began. Without them, you cannot demonstrate to a court or a plaintiff firm that your implementation was compliant at the time of the alleged violation.
How to make your website CIPA compliant: step by step
Here is the practical sequence, in the order we recommend tackling it.
- Inventory your trackers. List every third-party script on your site — pixels, analytics, replay tools, chat, embeds. The incognito + network-inspector method above is a fast way to find what fires before consent.
- Remove what you do not need. Every unused chat widget, abandoned analytics tag, or legacy pixel is pure risk with no benefit. Delete them.
- Install a consent mechanism that blocks by default. Deploy a consent management solution that holds all non-essential tags until opt-in, rather than one that merely displays a banner while tags fire underneath.
- Wire it into your tag manager. If you use Google Tag Manager, gate tags behind consent state so firing order is enforced, not assumed. Enable Google Consent Mode v2 where relevant.
- Make your banner balanced and honest. Equal-prominence accept/decline, clear information, easy withdrawal, and behaviour that matches the promise.
- Align your policies. Your privacy policy and cookie policy should name your tracking tools and describe what they collect. Make your practices match your policies.
- Turn on consent logging. Ensure every decision is timestamped and stored so you can prove compliance later.
- Honour GPC and re-test. Confirm opt-out signals are respected and re-run the incognito test to verify nothing fires before consent.
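The steps above (block by default, gate in the tag layer with Consent Mode v2, log every decision, honour GPC) come together in one small gate. This is an added example, not ConsentPixel's product code or Google's library: the gate holds each tracker's script loader until an explicit opt-in, which also addresses the common mistake of blocking only cookies while the script still loads. The `gtag` function, clock, GPC flag and log sink are injected so the logic runs outside a browser; the consent-record shape and policy-version label are assumptions.

```javascript
// Added example, not ConsentPixel's or Google's code: a consent gate that holds
// tracker loaders until an explicit opt-in, sends Google Consent Mode v2
// "denied" defaults before any tag runs, honours a Global Privacy Control
// signal as a decline, and writes a timestamped record for every decision.
// Browser dependencies (clock, gtag, GPC flag, log sink) are injected.
const CONSENT_MODE_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function createConsentGate({ now, gtag, gpcSignal, policyVersion, logSink }) {
  const pending = [];   // tracker loaders waiting for opt-in
  const log = [];       // consent records; persist these to your own backend
  let state = 'undecided';
  // Consent Mode v2 defaults must reach gtag before any Google tag fires.
  const denied = Object.fromEntries(CONSENT_MODE_KEYS.map(k => [k, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });

  function record(decision, source) {
    const entry = { decision, source, policyVersion, timestamp: new Date(now()).toISOString() };
    log.push(entry);
    if (logSink) logSink(entry);
    return entry;
  }
  // A loader injects the tracker's <script>. The script load itself is gated,
  // not merely the cookie it would set, so no data leaves before a decision.
  function register(name, loader) {
    if (state === 'accepted') { loader(); return 'loaded'; }
    pending.push({ name, loader });
    return 'held';
  }
  // decide() is called from the banner buttons and from the withdrawal control.
  function decide(decision, source = 'banner') {
    if (decision !== 'accept' && decision !== 'decline') throw new Error('bad decision');
    state = decision === 'accept' ? 'accepted' : 'declined';
    const entry = record(decision, source);
    if (decision === 'accept') {
      gtag('consent', 'update', Object.fromEntries(CONSENT_MODE_KEYS.map(k => [k, 'granted'])));
      while (pending.length) pending.shift().loader();   // release held trackers in order
    } else {
      gtag('consent', 'update', denied);
      pending.length = 0;   // declined loaders are dropped, never fired
    }
    return entry;
  }
  if (gpcSignal) decide('decline', 'gpc');   // opt-out signal honoured up front
  return { register, decide, getState: () => state, getLog: () => log.slice(), pendingCount: () => pending.length };
}

// Constructed demo: fake gtag that records calls, fixed clock, no GPC signal.
const gtagCalls = [];
const gate = createConsentGate({ now: () => Date.UTC(2026, 0, 15, 12, 0, 0), gtag: (...a) => gtagCalls.push(a), gpcSignal: false, policyVersion: 'cookie-policy-2026-01' });
let pixelLoaded = false;
gate.register('meta-pixel', () => { pixelLoaded = true; });   // held: pixelLoaded stays false
gate.decide('accept');                                        // logged, gtag updated, pixel loads
console.log(gate.getLog(), 'pixelLoaded =', pixelLoaded);
```

In a real page `gpcSignal` would be `navigator.globalPrivacyControl === true` and `logSink` would post the record to your own endpoint, since a log that lives only in the visitor's browser proves nothing later.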
Common mistakes that leave sites exposed
Even well-intentioned businesses trip over the same recurring errors. Watch for these:
- A "cookie banner" that does not block anything. Many banners simply display a notice while tags fire underneath regardless of what the user clicks. This is the single most common false sense of security — and from a CIPA standpoint, it offers little protection because tracking still happens before consent.
- Consent that is only enforced for cookies, not for scripts. Blocking cookies while the underlying pixel script still loads and transmits data misses the point. The interception is the script sending data, not just the cookie being set.
- No consent logs. A site may genuinely be configured correctly, but without timestamped records it cannot prove that to a court months later. Configuration without evidence is a weak position.
- Policy-practice mismatch. A privacy policy that describes one set of tools while the site runs another undermines a consent defence and can look like misrepresentation.
- Set and forget. Tag managers accumulate new tools over time as marketing teams add pixels. A site that was compliant six months ago can drift out of compliance the moment a new tag is added without gating. Compliance is a state to maintain, not a box to tick once.
Skip the manual work
ConsentPixel is a single JavaScript pixel built CIPA-first: it blocks trackers until consent, controls firing order, and logs every decision automatically.
What CIPA compliance costs — and what non-compliance costs
One reason businesses delay is a vague sense that "doing privacy properly" will be expensive and disruptive. In practice the economics run strongly the other way. A consent solution that blocks trackers until opt-in and logs decisions is a modest recurring cost — for most small businesses, comparable to a single inexpensive software subscription. The technical lift is small: a properly built consent pixel installs in minutes, not weeks.
Now set that against the other side of the ledger. A single CIPA demand letter commonly seeks a settlement in the tens of thousands of dollars, and contested matters carry legal fees on top. The statutory-damages structure — $5,000 per violation, multiplied across sessions — means a busy site's theoretical exposure can reach well beyond any settlement figure. Even the most conservative comparison puts the cost of compliance at a tiny fraction of the cost of a single letter. This is the rare risk where the protective measure is cheap, fast, and clearly worth it.
What to do if you receive a CIPA demand letter
A demand letter is not the same as a lawsuit — it is an invitation to settle before litigation. But it cannot be ignored; non-response commonly leads to an actual filing. If one arrives, take these immediate steps before changing anything:
- Preserve your current configuration. Document the present state of your tag manager and pixel setup, and pull any existing consent logs, before you alter the site. This evidence matters.
- Do not silently "fix and forget". Changing your site without preserving the prior state can complicate your defence.
- Engage counsel with privacy-litigation experience. The statute's language is notoriously contested, and early-dismissal outcomes are inconsistent, so specialist advice is worthwhile.
- Then remediate properly using the steps above, so you are not exposed to the next letter.
For a deeper walkthrough, see our dedicated guide on responding to a CIPA demand letter, which breaks the process down section by section.
Will the law change? SB 690 and the 2026 outlook
There is reform on the table. SB 690 is a proposed bill aimed at curbing CIPA suits against ordinary website owners. It is worth watching — but it is not a reason to wait.
As of 2026, SB 690 has not become effective law, and analysts expect that even if it passes, relief would likely be prospective only and would not arrive before 2027 at the earliest. In the meantime, CIPA suits over pixels, analytics, chat widgets, and replay tools continue, with the same $5,000-per-violation exposure and the same inconsistent early-dismissal outcomes. The sensible posture is to assume the current legal environment persists and to get compliant now.
Frequently asked questions
Does CIPA apply to my website if my business is not in California?
Yes. CIPA can apply to any website that California residents can visit, regardless of where your business is located. The statute protects communications involving people in California, so a business anywhere in the world can face exposure if it receives California traffic and runs tracking technologies without prior consent.
Am I CIPA compliant if I am already CCPA compliant?
No. CCPA and CIPA are different laws with different requirements. CCPA focuses on giving California residents rights over their data, including the right to opt out of sale. CIPA is a wiretapping statute that requires prior consent before tracking technologies intercept a communication. A site can satisfy CCPA and still violate CIPA if trackers fire before the visitor consents.
How much can a CIPA claim cost?
CIPA provides statutory damages of $5,000 per violation with no proof of harm required. Because each affected session or each third-party recipient can be argued as a separate violation, exposure scales quickly. Demand-letter settlement requests commonly range from roughly $10,000 to $200,000 or more depending on traffic volume, the number of non-compliant tools, and how the business responds.
Which tools trigger CIPA claims?
The most frequently cited tools are third-party advertising and analytics pixels such as the Meta (Facebook) Pixel, Google Analytics, the TikTok Pixel, and Microsoft/Bing trackers, along with session replay tools, chat widgets, and search-bar functions that transmit user input to a third party. The common thread is a tool that sends user data to an outside party before the visitor has consented.
Is a privacy policy enough on its own?
A privacy policy helps but is not sufficient on its own. A policy that specifically names your tracking tools and explains what they collect strengthens a consent defence, but CIPA centres on whether tracking fired before the user consented. Without a consent mechanism that blocks trackers until opt-in and logs that decision, a privacy policy alone leaves you exposed.
Will SB 690 make this problem go away?
Not in the near term. SB 690 is a proposed reform aimed at curbing CIPA suits against website owners, but as of 2026 it has not become effective law, and analysts expect any relief would be prospective and would not arrive before 2027 at the earliest. Until then, CIPA suits over pixels, analytics, chat widgets, and replay tools continue, so near-term compliance remains essential.
The bottom line
CIPA turned a 1967 wiretapping law into 2026's most active website-litigation risk, and the trigger is almost always the same: a tracker that fired before the visitor agreed to it. The exposure is real — $5,000 per violation, multiplied across sessions — but the remedy is well-defined. Block non-essential trackers until consent, control firing order at the technical layer, present an honest and balanced choice, honour opt-out signals, and log every decision.
Do those things and you move from being a scanner's easy target to a site that can demonstrate compliance. The cost of getting this right is a tiny fraction of a single demand letter — which is exactly why there is no good reason to leave it for later.
See your CIPA exposure in 10 seconds
ConsentPixel scans your site, shows which trackers fire before consent, and fixes the problem with a single pixel — CIPA-first, not just another cookie banner.