What is CIPA?

The California Invasion of Privacy Act (CIPA) is a California state law that prohibits the unauthorised interception, recording, or wiretapping of private communications. Originally enacted in 1967 — before the internet existed — CIPA was designed to protect phone conversations from illegal surveillance. Its core provisions are codified under California Penal Code Sections 630–638.

For decades, CIPA sat quietly in the background, primarily used in criminal wiretapping cases. Then something changed. As websites began deploying increasingly sophisticated tracking technologies — session-replay tools, chat widgets, pixel-level analytics — privacy attorneys noticed an uncomfortable truth: these tools were doing, in digital form, exactly what the old wiretapping statute prohibited.

Courts agreed. Starting in 2020 and accelerating dramatically through 2024 and 2025, plaintiffs' law firms began filing hundreds of CIPA lawsuits against website operators across every industry. The argument is straightforward: if your website records what a visitor types, where their mouse moves, or what they click — without telling them first — you may be wiretapping them under California law.

⚖️ The Law
CIPA's Section 631 prohibits any person from "wiretapping, reading, or attempting to read or learn the contents or meaning of any message, report, or communication" while it is "in transit." Courts have held that data sent from a user's browser to a third-party tracking server while the user is on your website qualifies as a communication "in transit."

The key provision: Section 631

While CIPA has multiple sections, the one most relevant to website owners is Section 631, which targets the interception of communications. This is distinct from simply collecting data after it lands on your servers — Section 631 applies the moment the data leaves the visitor's browser.

This is why session-replay tools are particularly exposed. When a visitor loads your website and Hotjar or FullStory fires, that script immediately starts transmitting mouse movements, keystrokes, and page interactions to a third-party server — not yours. That transmission, without the visitor's prior consent, is what plaintiffs argue constitutes illegal interception.

CIPA also contains a critically important feature that distinguishes it from most other privacy laws: it allows private individuals to sue. You don't need a government regulator to investigate and bring a case. Any California resident who visited your website while these tools were running can potentially file a lawsuit — and attorneys have been doing exactly that at scale.

How CIPA Applies to Modern Websites

The extension of CIPA to websites isn't a legal grey area anymore — it's been tested, argued, and repeatedly upheld in California courts. Understanding why it applies requires understanding three things: who counts as a "party" to the communication, what "interception" means digitally, and crucially, who CIPA protects.

The third-party wiretap theory

Traditionally, if two parties consent to a recording, wiretapping laws don't apply. California is a two-party consent state, meaning both the sender and receiver of a communication must consent to recording. Website operators have sometimes argued they consented to the recording by deploying the tool — making it a one-party affair.

Courts have largely rejected this argument under what's called the "third-party wiretap" theory. Here's the logic: when Hotjar (for example) collects data from your visitor's browser, the data goes to Hotjar's servers — a third party that is neither the visitor nor the website owner. That third-party interception is what triggers liability under Section 631, regardless of whether the website owner consented to the tool's deployment.

⚠️ Important
The third-party wiretap theory means that having a privacy policy that mentions the tool is not enough. Courts have held that buried disclosures in a privacy policy do not constitute the "prior consent" CIPA requires. The visitor must actively, knowingly consent before the tool fires.

Territorial reach: you don't have to be a California company

This is the part that surprises most website owners. CIPA applies based on where your visitors are located, not where your business is. If someone in California visits your website — even once — and your tracking tools collect their data without consent, you potentially have CIPA exposure. A business in New York, Texas, or London is just as exposed as one in San Francisco.

Because approximately 39 million people live in California — roughly 12% of the U.S. population — almost every website with meaningful U.S. traffic has California visitors. CIPA is, in practical terms, a national compliance requirement disguised as a state law.

Which Tools Trigger CIPA Liability

Not every analytics tool creates equal CIPA risk. The key factor is whether the tool intercepts communications in real time and transmits them to a third party. Here's a breakdown of the categories courts have focused on:

  • Hotjar: High risk · Session replay
  • FullStory: High risk · Session replay
  • Microsoft Clarity: High risk · Session replay
  • LogRocket: High risk · Session replay
  • LiveChat: High risk · Chat interception
  • Intercom: High risk · Chat interception
  • Drift: High risk · Chat interception
  • Meta Pixel: Medium risk · Behavioural data
  • Google Analytics: Medium risk · Configured carefully
  • Zendesk Chat: High risk · Chat interception

Session-replay tools: the highest-risk category

Session-replay software captures a near-complete recording of everything a visitor does on your website: every mouse movement, scroll, click, keystroke (including in form fields), and page transition. This is enormously valuable for UX research — and enormously risky under CIPA.

The lawsuits against Sephora, Zillow, and hundreds of other companies have specifically targeted these tools. The argument is simple and courts have found it compelling: you are allowing a third party to watch, in real time, what your visitors are doing — including what they type into forms — without their knowledge or consent.

Live chat widgets: the overlooked risk

Live chat tools are uniquely exposed under CIPA because they literally intercept typed messages. A visitor opens your chat widget and starts typing — that text is being transmitted to the chat provider's servers in real time, before the visitor even hits send. Under the language of Section 631, this is a textbook interception of a communication "in transit."

A 2023 California appellate decision, Javier v. Assurance IQ, directly addressed chat-tool interception and allowed the CIPA claim to proceed, creating a clear precedent that many subsequent lawsuits have relied upon.


The CIPA Lawsuit Wave: Real Cases, Real Numbers

The scale of CIPA litigation isn't theoretical. It's a documented, accelerating trend that has reshaped how businesses need to think about their analytics stack.

1,641+ CIPA wiretapping lawsuits filed against website operators as of early 2026. The majority target companies using session-replay software, live chat tools, and behavioural analytics — often deployed by marketing teams without legal review.

Several high-profile cases illustrate the pattern:

  • Sephora (2022): One of the earliest major defendants, Sephora faced CIPA claims alongside CCPA enforcement, forcing a public settlement and significant operational changes to its analytics stack.
  • Javier v. Assurance IQ (9th Cir. 2022): The Ninth Circuit allowed CIPA claims related to chat tool interception to proceed, rejecting the argument that terms of service constituted valid prior consent.
  • Yoon v. Lululemon (C.D. Cal. 2023): Court addressed the third-party wiretap theory in the context of session-replay tools. The case became a template for subsequent plaintiff filings.
  • Multiple Shopify retailers (2024–2025): A wave of demand letters and lawsuits targeted e-commerce operators using Hotjar and Microsoft Clarity, many resulting in five-figure settlements to avoid litigation costs.

🚨 Financial Exposure
CIPA provides statutory damages of $5,000 per violation or three times actual damages — whichever is greater. In class action lawsuits where thousands of California visitors are affected, aggregate exposure can reach into the millions. For a website with 10,000 California monthly visitors, potential statutory exposure is $50 million. Even if courts moderate actual awards, settlement demands routinely reach $25,000–$500,000.

Why are plaintiff attorneys filing these cases?

The economics are straightforward. CIPA's statutory damages provision means attorneys don't need to prove actual harm — just that the interception occurred. The technical evidence is easy to gather (a quick audit of the website's JavaScript loads is often sufficient). And demand letters, sent to companies using detectable tools like Hotjar or Clarity, often result in rapid settlements — making the lawsuit factory model highly profitable.

Plaintiff law firms including Clarkson Law Firm and others have industrialised this process, filing dozens of similar suits simultaneously. If your website runs one of the high-risk tools listed above and you haven't implemented a compliant consent mechanism, you may already be on a targeting list.

CIPA vs. CCPA vs. GDPR: What's the Difference?

Many website owners conflate CIPA with other privacy laws, particularly CCPA. They are fundamentally different statutes, and compliance with one does not guarantee compliance with the other.

| Feature | CIPA | CCPA/CPRA | GDPR |
|---|---|---|---|
| What it governs | Interception of communications | Collection & sale of personal data | Processing of personal data |
| Consent required | Prior consent always | Opt-out for most processing | Opt-in (in most cases) |
| Who can sue | Any individual visitor | AG enforcement + limited private right | Supervisory authority + individuals |
| Damages | $5,000/violation or 3× actual | $100–$750/consumer per incident | Up to 4% global annual turnover |
| Business size threshold | None — applies to all | Revenue or data volume thresholds | None for established operations |
| Geographic scope | California visitors | California consumers | EU residents worldwide |

The critical practical difference: CCPA allows opt-out for most data processing, meaning you can use tracking tools by default and provide a "Do Not Sell or Share My Personal Information" link. CIPA, by contrast, requires affirmative prior consent before interception occurs. This means your consent banner needs to block tools like Hotjar and FullStory until the visitor actively clicks "Accept" — it cannot load them by default.

It's entirely possible — and frustratingly common — for a website to be CCPA-compliant (with a properly configured opt-out mechanism) while simultaneously violating CIPA (because the session-replay tools load before any consent is obtained).

How to Make Your Website CIPA Compliant

Achieving CIPA compliance is more technically demanding than standard CCPA compliance, but it's entirely achievable. Here's what a compliant implementation requires:

Step 1: Audit which tools you're running

Before you can fix anything, you need a complete picture of every third-party script loading on your website. This includes tools added by your marketing team, embedded via tag managers, or loaded through plugins — many website owners are surprised to find tools they didn't intentionally install. A free scanner can detect all third-party JavaScript loads and flag those with known CIPA exposure.

Step 2: Implement a consent management platform with script blocking

A standard cookie banner that simply displays a notice is insufficient for CIPA compliance. What's required is a consent management platform (CMP) that technically blocks high-risk scripts from firing until consent is obtained. This means:

  • Session-replay tools (Hotjar, FullStory, Clarity) must not load on page load
  • Live chat scripts must not initialise until consent is given
  • The consent must be specific — the visitor must understand what they're consenting to
  • Consent records must be logged and timestamped with an audit trail

✅ Compliant vs Non-Compliant
Non-compliant: Hotjar loads on every page. Banner appears. Visitor can opt out. Recording of pre-consent visits continues.

Compliant: Page loads. Banner fires. Hotjar script is blocked. Visitor clicks "Accept." Hotjar loads and begins recording. Consent timestamp is logged.

Step 3: Disclose which tools are in use

Your Privacy Policy should explicitly name each session-replay and chat tool you use, explain what data it collects, and identify the third-party vendor. Vague references to "analytics tools" or "third-party services" are insufficient — courts have looked unfavourably on disclosures that don't give visitors a realistic understanding of what's happening.

Step 4: Maintain consent logs

If you ever face a CIPA claim, your primary defence will be evidence that the plaintiff gave prior consent before interception occurred. This requires a consent log: a timestamped, visitor-linked record showing when each user consented, what they consented to, and what version of your consent disclosure they saw at the time. Without this log, you have no evidential basis to assert the consent defence.

Step 5: Implement for all relevant jurisdictions simultaneously

While CIPA is California-specific, other states (and the EU) have similar requirements. Building a compliant consent infrastructure for CIPA typically also satisfies GDPR's opt-in requirements for EU visitors and positions you well for emerging state laws in Virginia, Colorado, Texas, and others. Think of CIPA compliance as the floor, not the ceiling.
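The "block until opt-in" mechanism from Step 2 and the consent log from Step 4, as an added example that is not ConsentPixel's code or any vendor's CMP. It assumes each high-risk script is placed in the HTML as an inert `type="text/plain"` placeholder carrying `data-consent` and `data-src` attributes; the category names, visitor id and disclosure version are placeholders.

```javascript
// Added example (not ConsentPixel's code): a minimal "block until opt-in" gate.
// Assumption: every high-risk vendor script is written into the HTML as an inert
// placeholder, e.g.
//   <script type="text/plain" data-consent="session-replay"
//           data-src="https://example.invalid/replay.js"></script>
// A non-JavaScript MIME type means the browser never executes it on page load,
// which is the "Hotjar script is blocked" state. Category names, the visitor id
// and the disclosure version are placeholders chosen for this example.

const DISCLOSURE_VERSION = "privacy-notice-v3"; // placeholder: bump when the notice text changes

// Audit-trail entry: who consented, when, to which categories, under which notice.
// Anything not explicitly true is stored as false, so a missing key never reads as consent.
function buildConsentRecord(visitorId, choices, now = new Date()) {
  const normalised = {};
  for (const [category, value] of Object.entries(choices)) {
    normalised[category] = value === true;
  }
  return {
    visitorId,
    timestamp: now.toISOString(),
    disclosureVersion: DISCLOSURE_VERSION,
    choices: normalised,
  };
}

// A category may fire only if an explicit opt-in exists in the record.
// No record (banner not yet answered, or dismissed) means "blocked".
function isPermitted(category, record) {
  return Boolean(record && record.choices && record.choices[category] === true);
}

// Pure decision step: given the gated scripts found in the page, return those
// that may now be released. Each entry mirrors the data-* attributes above.
function selectScriptsToActivate(gatedScripts, record) {
  return gatedScripts.filter((script) => isPermitted(script.category, record));
}

// Browser glue: replace each permitted placeholder with a real <script>, which is
// the first moment the vendor code runs. Returns the released URLs. Under Node
// there is no document, so it releases nothing.
function activateInBrowser(record) {
  if (typeof document === "undefined") return [];
  const placeholders = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  );
  const gated = placeholders.map((el) => ({ category: el.dataset.consent, src: el.dataset.src, el }));
  const released = [];
  for (const { src, el } of selectScriptsToActivate(gated, record)) {
    const live = document.createElement("script");
    live.src = src;
    el.replaceWith(live);
    released.push(src);
  }
  return released;
}
```

Wire `activateInBrowser(buildConsentRecord(...))` to the banner's "Accept" handler and persist the returned record server-side; a tag manager that injects the same vendors unconditionally bypasses this gate, so the audit in Step 1 must cover it too.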

Frequently Asked Questions About CIPA

What is CIPA?

CIPA stands for the California Invasion of Privacy Act, codified under California Penal Code Sections 630–638. Originally passed in 1967 as a wiretapping statute, it has been extended by courts to cover digital interception of communications on websites — particularly by session-replay tools, chat widgets, and behavioural analytics software that transmit visitor data to third-party servers without prior consent. Violations carry statutory damages of $5,000 per violation.

Does CIPA apply if my business is not in California?

Yes. CIPA's jurisdiction is based on the location of the visitor, not the location of the business. If any of your website visitors are in California — and for any website with meaningful U.S. traffic, they almost certainly are — you have potential CIPA exposure. Businesses based in New York, Texas, the UK, and elsewhere have all faced CIPA lawsuits. California has approximately 39 million residents, representing about 12% of the U.S. population.

Is a privacy policy enough to satisfy CIPA?

No. Courts have consistently held that a privacy policy — even one that mentions session-replay tools — does not constitute prior consent under CIPA. CIPA requires affirmative, knowing consent before any interception occurs. This means your tracking tools must be technically blocked until the visitor actively consents via a proper consent mechanism. Passive disclosure in a privacy policy buried in your website footer does not satisfy this requirement.

How is CIPA different from CCPA?

CCPA (California Consumer Privacy Act) governs the collection, use, and sale of personal information and uses an opt-out model for most processing. CIPA is a wiretapping statute that prohibits interception of communications without prior consent — it requires opt-in before tools fire, not opt-out after they've already loaded. A website can be fully CCPA-compliant (with a proper "Do Not Sell" link) while simultaneously violating CIPA if session-replay tools load before any consent is obtained. The two laws address different risks and require different technical implementations.

Can I still use session-replay tools such as Hotjar and FullStory?

Yes — but only with a compliant consent implementation. Both tools can be used legally if your consent management platform blocks them from loading until the visitor provides prior consent. This requires technical script-blocking (not just a notice), proper disclosure naming the specific tool, and a logged record of each consent event. Simply having a cookie banner that allows opt-out is insufficient — the tools must not fire until opt-in consent is received.

What should I do if I receive a CIPA demand letter?

Do not ignore it. CIPA demand letters typically assert $5,000 per affected visitor and offer settlement amounts ranging from $5,000 to $500,000+ depending on your traffic volume. Your first step should be to consult a qualified California privacy attorney immediately. Simultaneously: document your website's technical setup at the time in question, gather any consent records you have, and assess what tools were running and when. How quickly and comprehensively you can demonstrate a prior consent mechanism will significantly affect your negotiating position.

The Bottom Line

CIPA started as a telephone wiretapping law six decades ago. In 2026, it is one of the most actively litigated privacy statutes in the United States — and the majority of its targets are ordinary businesses that simply installed a popular analytics tool without understanding the legal implications.

The good news: CIPA compliance is technically achievable. It requires the right consent infrastructure — one that blocks high-risk tools until the visitor actively consents — plus proper disclosure and consent logging. It doesn't require you to give up session-replay or live chat tools entirely.

The critical first step is knowing exactly which tools are running on your website right now. Many businesses are surprised by what they find.

ConsentPixel — Privacy · Verified

Protect your website from CIPA liability today

Scan your site in seconds to detect every tool creating CIPA exposure. Then deploy our compliant consent banner in one line of code — with automatic script blocking, proper disclosure, and timestamped consent logs built in.
