close
close
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Data Privacy

CIPA’s Second Life: Website Wiretapping Litigation Comes of Age—And For Your Company

Michael Simon - July 6, 2026

This post was guest written by Michael Simon (Attorney/Owner, Law+Data, LLC and Chief Strategy Officer, Bells Up AI, LLC), a member of the DataGrail Contributor program.


The California Invasion of Privacy Act, Cal. Penal Code §§ 630-638.55 (enacted by Stats. 1967, ch. 1509, § 1) (“CIPA”), was written in 1967 to protect telephone calls against wiretapping. Nearly sixty years later, CIPA has become the most litigated privacy statute against ordinary websites in the country, not because California updated it for the internet, but because plaintiffs’ firms discovered that it could be stretched to cover modern-day website cookies, pixels, chat widgets, and session replay tools. 

Courts are now doing the stretching, case by case, and the results are so inconsistent that no business with a California-facing websitein other words, every business with a websitecan treat CIPA compliance as a simple box to check.

This article surveys where CIPA litigation stands as of mid-2026, to the extent that there are any coherent trends.  It then turns to the harder question: what a privacy or compliance team can actually do about it, given a legal landscape that has so far refused to come into focus.

How CIPA Ended Up Regulating Cookies

CIPA section 631 prohibits intentionally intercepting or eavesdropping on communications without consent and authorizes statutory damages of the greater of $5,000 per violation or three times actual damageswithout any requirement that the plaintiff prove actual harm. The main theory that plaintiffs advance is that a tracking pixel, analytics cookie, session-replay tool, or embedded chat widget functions as an undisclosed third-party listener, the equivalent of a wiretap “intercepting” the user’s communications with the website. 

A newer, more aggressive theory, built on the 2015 amendments adding sections 638.50–638.53, argues that the same tools are unlawful “pen registers” or “trap and trace devices,” surveillance equipment that historically required a court order to install on a phone line. 

No matter what technicality the claims are based upon, the lack of a damages requirement, a strict per-violation statutory penalty, and a private right of action have combined to make CIPA an especially attractive claim creator for plaintiffs’ class-action firms. CIPA wiretapping decisions in the Northern District of California doubled from December 2025 to January 2026: a pace that shows no sign of slowing.

The Courts Are Genuinely Split on Some of the Most Basic CIPA Issues

What makes CIPA difficult to advise on is the lack of a consistent answer to even some of the most basic questions across courts reading the same statute. 

On the pen-register theory, a Southern District of California court allowed a claim against Kochava to proceed on the theory that “fingerprinting” software amounted to a pen register, while a Los Angeles Superior Court judge reached the opposite conclusion on similar facts involving an IP address, citing public policy concerns about disrupting internet commerce broadly. 

Most recently, a different Los Angeles Superior Court judge dismissed pen-register claims against NetScout with prejudice, holding that sections 638.50–638.53 apply only to telephone communications and not to website software at all, reasoning that if the legislature had meant to cover commercial websites when it added those provisions in 2015, it would have said so. 

The interception/eavesdropping theory under section 631 has fared somewhat better for plaintiffs, particularly where chat functions or session-replay tools are alleged to capture health or financial information, but even there, the results turn on pleading specificity rather than the underlying legal theory. Courts have most recently dismissed complaints that recite only the categories of data a tool is capable of collecting, while complaints that specifically allege what was actually collected have tended to survive. 

Standing is its own battleground. The Ninth Circuit’s 2025 decision in Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025), affirmed dismissal of a website-tracking claim for lack of Article III standing, holding that the plaintiff failed to show “any kind of harm remotely similar to the highly offensive interferences or disclosures that were actionable at common law.” In one month alone, six lower courts considered standing challenges raised on the strength of Popa; five were denied, with courts distinguishing Popa on the ground that cross-site tracking, deceptive opt-out representations, or the sale of identified user profiles to advertisers were materially more invasive than the single-site browsing tracking at issue there.

Even procedural defenses cut in unpredictable directions. A cookie banner that discloses tracking can establish the consent needed to defeat a claim, or it can supply the very representation a plaintiff needs once that disclosure fails to match actual site behavior. One recent decision held that a banner’s own terms-of-service incorporation pulled a class action into arbitration; another held that tracking which began before the user ever reached the banner created a viable claim regardless of what the banner promised.

The Strategic Question: Settle or Fight?

Every demand letter forces the same decision: pay it and move on, or push back. 

Settling a single claim for a few thousand dollars looks cheap in isolation, and for a first-time demand, it often is the right call. The problem is that plaintiffs’ firms keep records, and they talk amongst themselves too. A business that settles quickly and quietly every time quickly becomes loudly known among the firms filing these claims as an easy target. 

Fighting costs more up front, but it tests whether your disclosures and consent flow can actually withstand legal scrutiny, which a quiet settlement never reveals one way or the other. But, to be clear, fighting and then losing is by far the best way to put the target on your back all by yourself, so if you do decide to push back, do the hard work first of making sure you are standing on solid operational practices with documentary proof thereof.

There is no single right answer for every business, and the choice should track the underlying problem, not the size of the demand. A business with a genuinely strong consent posture, accurate disclosures, and a clean technical audit trail is in a good position to fight, because the facts are on its sideand, importantly, provable. More importantly, a business that has done all of that operational work upfront is far less likely to be sued in the first place.

So what can privacy counsel do now to keep the wolves at bay?

The Operational Realities: What This Means for a Compliance Program

Nothing about CIPA resolves into a clean rule a company can implement once and forget. The practical work splits into two questions: how far can you realistically push to eliminate tracking, and if you can’t eliminate it, what can a banner actually accomplish?

Eliminating tracking is rarely the real answer, and proposing it usually fails anyway. 

Analytics, conversion tracking, and chat-based customer support are required features for most organizations, as your marketing, product, and customer service teams depend on them. The business case for keeping analytics is generally stronger than the litigation case for dropping them, given that even compliant disclosure regimes still get sued. There are many hills to die upon in privacy. This is not one of them.

The more useful framing for getting buy-in from a business team is to target tools that don’t earn their keep, rather than attacking tracking as a whole. Start with an audit that asks each tool to justify its presence: what business purpose does this serve, who owns it, would anyone notice if it were gone. This routinely turns up abandoned pixels, legacy SDKs, and duplicate analytics tags that nobody is actually using. Cutting those is an easy sell because it reduces not just your litigation attack-vector surface area but also your marketing team’s vendor spend at the same time. It’s a rare win-win from Legal! 

Cutting the tools the marketing team is actually still using is a much harder conversation. Trying to win it on privacy counsel authority very rarely works. As Teresa Troester-Faulk’s must-read book on operationalizing privacy, “So You Got the Privacy Officer Title. Now What?” makes clear, privacy counsel very rarely has that kind of authority anyway. Besides, even if you had the power to be “The Department of ‘No’,” you don’t want to be; as  Troester-Faulk also argues, the privacy function works best as a team player, building consensus and support throughout the organization, not a lone-wolf crusade.

Try framing the issue as a risk calculation that the business owns, with counsel supplying the exposure data and the business making the call. Timing helps too, because a website update or a new analytics vendor can create opportunities to push for a compliance refresh at the same time that these events generate a whole new set of legacy liabilities. 

Your realistic goal is alignment, not invulnerability. 

No banner configuration can prevent a company from being sued; in fact, many of the firms filing these claims do not appear to be reading banners closely before sending a demand letter. What a banner can do is improve the defense once a claim arrives, and the throughline across this year’s rulings is that courts are reading banners closely to check whether your disclosure’s promises match what your site actually does. That gives your banner program three achievable real-world targets:

First, the banner’s text and the engineering team’s actual configuration need to match, and they need to match continuously, not just at launch. The single most common fact pattern losing cases in 2026 is the gap between the “you can opt out” statement and tracking that continues anyway, whether because of a misconfigured tag manager or because some trackers fire before the banner even loads. This requires a recurring technical audit, not a one-time legal sign-off; privacy counsel cannot certify a banner’s accuracy without periodically checking it against the live site. Most companies do not have a process for that. If yours is one of those, remember the old Zen saying, “The best time to plant a tree is 20 years ago. The second best time is today.”

Second, when terms of service, arbitration clauses, or choice-of-law provisions ride along inside or near the cookie banner, treat that placement as a deliberate legal decision, not an incidental one. Courts have enforced arbitration on the theory that a user who read and accepted the cookie disclosure cannot credibly claim to have missed terms presented in the identical font and placement. That only works, however, if the disclosures are genuinely aligned in prominence, and it invites scrutiny of whether the arbitration terms were buried by design. The oft-derided term “Clickwrap” can actually be your friend here. Disclosures buried in secondary agreements or click-throughs are far less likely to persuade the courts than those that are clear, immediate, and unavoidable. 

All of this means that if, as privacy counsel, your typical delivery mode is “declare it and forget it” by firing off emails, Slack posts, or Word docs to the website team and assuming that they’ll get those disclaimers done the way you would want them to, it’s time to actually go check your website. Once again, do this today. Like using sunscreen or flossing, your future self will thank you.

Third, write your disclosures for a person, not a regulator or a plaintiffs’ lawyer. Skip the AdTech terms to the extent possible; nobody outside a marketing classroom or a courtroom knows what a “pixel” or a “trap and trace device” is. Using jargon doesn’t protect you, it just confuses the one person you actually need to inform, the website visitor. Say plainly what you collect, who you share it with, and why. 

Your banner should tell your website users:

  • What information your company collects
  • Whether you share it with third parties and 
  • For what purposes

Clarity is not a tradeoff to manage here. It is the safest path available.

Where This Leaves Counsel

The honest advice is that CIPA risk can get managed down to a tolerable, defensible baseline through ongoing work, not eliminated through better drafting. That means periodic technical audits paired with legal review (not just legal review alone), a defensible record of what each tracking tool does and why the business keeps it, and disclosures calibrated against the specific theories most likely to be asserted against your industry. Health and financial data draw the most aggressive plaintiffs’ attention and the most scrutiny from the courts, and so disclosures in those sectors warrant the most careful auditing and drafting. 

Expect this area to keep moving: the split among California courts on the pen-register theory remains unresolved, and the tension between CIPA’s vagueness and the CCPA’s demand for specific disclosure has no clean answer yet either. Today’s defensible baseline will not be next year’s, or maybe even next month’s. 

CIPA is not a problem you solve once. Treat it instead as a standing item on your compliance calendar, reviewed as often as the website itself changes, and your company will be in a far better position than the one hoping a single banner update closes the file for good.


Find Michael on Privacy Roundtable, our online community of 2,100+ privacy professionals around the world.

Contact Us image

Let’s get started

Ready to level up your privacy program?

We're here to help.