The CIPA Playbook: Consent, Tracking, and What to Do If You Get a Demand Letter
California’s 1967 Invasion of Privacy Act (CIPA) wasn’t designed for the internet. But over the past three years, courts have extended this wiretapping law to include session replay tools, chat widgets, tracking pixels, and fingerprinting scripts, and plaintiffs’ firms have filed thousands of claims as a result.
While outcomes vary, enough cases have made CIPA claims a lucrative pursuit for plaintiffs, and defending against a CIPA claim is expensive regardless of merit. If your website collects behavioral data from California visitors, CIPA is relevant to you.
This guide covers what the law requires, how litigation has evolved, and what privacy and legal teams are doing to reduce their exposure.
What is CIPA?
CIPA was originally designed to protect the privacy of “confidential communications,” defined as any communication where at least one person expects the conversation to be confined to the parties involved.
Today, CIPA governs a wide range of communication types to ensure they are protected from unauthorized monitoring and surveillance. This includes:
- Any private or confidential communications
- Electronic communications
- Telephone communications
- Digital communications
- Online interactions
- Chat messages
CIPA requires consent from all parties involved before monitoring, recording, or intercepting any form of substantive communication, and violation of the Act is punishable by private right of action for the greater of $5,000 for each illegally recorded communication or three times the actual damages.
Why does CIPA matter now?
Although CIPA was designed in 1967 to prevent traditional wiretapping, California and federal courts have since extended it to govern modern website communication, addressing modern data collection techniques such as online tracking tools, session replay tools, analytics tools, and chatbots.
In practice, this makes CIPA one of the most active sources of privacy litigation in the country. Most U.S. internet privacy laws are enforced primarily by a government agency rather than individuals. CIPA’s private right of action means any individual can sue directly in civil court without waiting for regulatory action. As a result, plaintiffs’ firms have found CIPA claims a reliable vehicle for recovering statutory damages from organizations using standard web tracking technology.
How is CIPA enforced?
CIPA provides a private right of action, meaning individuals can sue directly in civil court rather than waiting for a centralized agency to investigate or act.
Typically, a plaintiff law firm will issue the defendant a demand letter on behalf of a client. If a resolution or settlement is not possible at this stage, the claim will go to civil court. At court, the plaintiff will present technical evidence alleging that tracking or analytics software intercepted communications on the website and that this was not adequately communicated to or consented from the user browsing the website.
If a CIPA claim is successful, the defendant may be required to pay the plaintiff $5,000 per violation or three times the actual damages, whichever is greater. Plaintiffs frequently pair CIPA claims with ECPA claims in the same complaint. A successful ECPA claim adds statutory damages of $100 per day of violation or $10,000, whichever is greater. The exact value in either case is up to judicial discretion, and the defendant may also be ordered to remove the offending technology or improve its consent process.
How is CIPA enforcement changing?
Troutman Pepper & Locke reports that CIPA and related litigation has increased by over 6,000% in the last ten years. This figure only factors in CIPA claims that make it to court and claims that settle after a demand letter. Considering that the majority of CIPA claims are likely settled out of court, the true volume of claims is likely far higher.
The surge began in 2022 after a federal court ruling in Javier v. Assurance IQ held that session replay technology can be considered an interception under CIPA.
Additionally, plaintiffs increasingly cite multiple wiretapping laws to support their claims, not just CIPA. Other laws plaintiffs use alongside CIPA in third party tracking and session replay claims include:
- The Electronic Communications Privacy Act (ECPA) (1986), a federal law designed to protect electronic communications in transit. Plaintiffs can file ECPA lawsuits in any state.
- The Video Privacy Protection Act (VPPA) (1988), originally designed to protect video rental viewing history
- All-party and two-party consent laws, including the Pennsylvania Wiretap Act (1978), Massachusetts Wiretap Act (1968), and the Florida Security of Communications Act (FSCA) (1969), which require all parties to consent before a communication can be recorded or intercepted.
More recently, courts in the Northern District of California have also permitted CCPA claims to proceed based on third-party tracker use. The CCPA is typically enforced by the state attorney general and the California Privacy Protection Agency, but allows for a private right of action in cases of a data breach.
In these rulings, courts found that the private right of action does not require a traditional third-party hack, allowing claims based on tracker disclosures to survive early dismissal. It remains to be seen whether the courts will rule that the data trackers process qualifies as personal information. The outcome of this decision could set precedent for potential future claims.
Common plaintiff arguments in CIPA claims
Since the Javier v. Assurance IQ ruling, plaintiff firms have used variations on the following arguments to argue that use of tracking and analytics technology without explicit opt-in consent qualifies as a basis for a CIPA claim:
| Argument | Summary | Notable cases |
|---|---|---|
| Session replay and analytics theory | Tools like Hotjar and FullStory that record mouse movements, keystrokes, scrolls, and page views are the digital equivalent of wiring a line and recording a conversation, especially when a third-party vendor has access to that data. | Javier v. Assurance IQ (dismissed due to statute of limitations); Popa v. Microsoft Corporation (dismissed due to lack of harm) |
| Pen registers | Modern digital tracking technologies like the Meta or TikTok pixel that capture IP addresses and record when a user visits or leaves a website qualify as illegal pen registers under CIPA. These tools capture dialing, routing, addressing, or signaling information transmitted from a device without capturing the content of the communication itself. | Greenley v. Kochava (ruled in favor of plaintiff); Moody v. C2 Educational Systems (ruled in favor of plaintiff) |
| Chat box theory | Third-party chat software behind website virtual assistants acts as a separate, non-consenting eavesdropper if it records conversations and passes the data to external servers. | Martin v. Sephora USA (dismissed due to definition of third-party) |
Not all of these approaches are equally successful, and not all of the cited examples successfully won in court.
What types of claims are more likely to succeed in court?
Historically, CIPA claims have been likely to succeed when at least one of the following criteria is met:
- A third-party vendor receives and independently uses user data
- A tracking tool captures routing or signaling information, such as IP addresses, device fingerprints, or URL parameters before a user has an opportunity to consent
- The website’s privacy policy is proven inaccurate
- The data transferred or shared includes sensitive health, financial, or behavioral information tied to identifiable profiles
CIPA claims are less likely to succeed when:
- Chatbot and session replay vendors act as a party to the session rather than an independent eavesdropper
- The data processed by the third party is routine, or in other words, there was no real harm or damages to collect upon
- The website deployed a consent banner that provided a clear and accurate depiction of tracking behaviors and offered an opt-out
- The banner included a link to the website’s Terms of Service, which may also include an arbitration clause
- The offending incident occurred past the statute of limitations
As more cases are successfully dismissed using these arguments, plaintiffs must now show the data collected was sensitive, linked to a personal profile, or shared across websites in a way that goes beyond what any one company could observe on its own.
How to prevent CIPA claims
The most conservative approach to reducing CIPA exposure is to simply not implement the technologies these claims target. The practical challenge is that many of these technologies have become default web operations. Marketing and product teams rely on these tools to improve the product, target spending effectively, and report accurately. A strict approach could limit a business’ ability to compete against others in its market. These tools are also plentiful and relatively lightweight to implement, which means privacy teams must maintain constant vigilance against potential surprises.
Where it’s not possible to avoid tracking scripts and session replay software altogether, privacy teams instead implement a combination of the following strategies depending on their overall exposure and tolerance level:
1. Update your consent opt-in or opt-out model
Start with the basics. CIPA claims argue that an unknown party was privy to private communications. A good defense ensures auditable documentation that any trackers firing were known to the plaintiff before they fired. How do you inform visitors of your trackers and get their consent?
Explicit opt-in consent
This approach treats California visitors the way most companies already treat visitors under GDPR, blocking all non-essential tracking until the visitor gives explicit consent. No analytics, pixels, or session replay fires until the user clicks accept on a cookie banner that discloses all active trackers. The banner can also provide a link to read more about listed trackers elsewhere, but no tracking can begin until explicit consent is provided. If the user ignores or dismisses the banner and continues to browse, this is treated as an opt-out.
While one of the most conservative options available, this approach still isn’t flawless. For instance, as reported earlier, claims can still be filed under regulations beyond California (e.g. ECPA).
Opt-out consent banners
This approach mirrors the opt-in model above, except tracking defaults “on” unless a user exercises a right to disable it. If the user dismisses the banner (for example, clicking the X to close a banner or ignoring the banner while continuing to visit other pages), trackers can start to fire. In some cases, the banner may simply act as an acknowledgment that tracking will begin if the user continues to browse, with no explicit choice available in the banner itself. In others, a choice is presented, but the default option is to accept all tracking.
The approach carries more risk. CIPA claims have been both won and lost where organizations used this method. Even an opt-out banner meeting CCPA compliance standards can face difficulty in court under CIPA in certain conditions. You can make your opt-out banner more defensible by:
- Ensuring the banner is prominently displayed immediately on page load
- Including very clear details on the banner disclosing the tracking that will occur and under what conditions
- Preventing trackers from firing until some form of interaction with the banner, whether that is making a consent choice or dismissing the banner
- Providing an explicit consent choice on the banner to improve auditability that the user definitively saw the disclosures
- Including a link to your terms of service somewhere on the banner
- Maintaining compliance with browser opt-out signals by honoring an opt-out, displaying confirmation of the opt-out as encouraged by recent CCPA amendments, and ensuring that the banner cannot in any way confuse a user into accepting tracking unintentionally after using an opt-out signal.
Forced choice banners
Lastly, you could abandon a default opt-in or opt-out model altogether. In this approach, the banner is so clear and conspicuous that the user cannot browse the website or dismiss it until they’ve made a choice to opt into or out of tracking. No default selection is provided. The forced choice makes proving consent simple.
In some cases, organizations have also used a variation on this approach to only permit users to browse if they accept tracking. While the U.S. lacks clear precedent on this, the model has come under deep scrutiny under GDPR, so proceed with caution.
Consent models that won’t work
Whichever consent model you decide is best for your organization, make sure you at least run some form of banner or pop-up disclosing the use of trackers or providing detail on where browsers can read more about them.
While disclosing this information in a centralized privacy policy or triggering the banner only when a user opens it from a link in the footer have been sufficient approaches for many privacy laws, these tactics have not proven successful against CIPA claims. If you use the technology CIPA claims target, visitors must be informed and given the opportunity to consent before tracking begins.
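The consent gate the three models above describe, as an added example that is not DataGrail’s or any consent management platform’s code: non-essential trackers stay blocked until an explicit choice, dismissing the banner and a Global Privacy Control (GPC) signal both resolve to opt-out, and every decision produces the timestamped record of what fired under which consent state that the documentation section later recommends. The tracker inventory, vendor URLs and banner version id are constructed for illustration.

```javascript
// Constructed sample tracker inventory (hypothetical vendors and URLs).
const TRACKERS = [
  { name: "analytics-vendor", category: "analytics", src: "https://analytics.example/tag.js" },
  { name: "session-replay", category: "replay", src: "https://replay.example/record.js" },
  { name: "ad-pixel", category: "advertising", src: "https://pixel.example/p.js" },
];
const BANNER_VERSION = "2024-03-banner-v3"; // assumed release id, matched to a stored screenshot

// Resolve the consent state from the banner action and the browser's opt-out signal.
// action: "accept" | "reject" | "dismiss" | null (no interaction yet)
function resolveConsent({ action, gpc }) {
  if (gpc) return { state: "opt-out", reason: "gpc-signal" }; // honor GPC before anything loads
  if (action === "accept") return { state: "opt-in", reason: "banner-accept" };
  if (action === "reject") return { state: "opt-out", reason: "banner-reject" };
  if (action === "dismiss") return { state: "opt-out", reason: "banner-dismiss" };
  return { state: "pending", reason: "no-interaction" }; // still blocked, not yet an opt-out
}

// Only an explicit opt-in unlocks non-essential trackers; pending and opt-out load nothing.
function allowedTrackers(consent, trackers = TRACKERS) {
  return consent.state === "opt-in" ? trackers.map(t => t.name) : [];
}

// Timestamped record of what fired under which consent state.
function auditRecord(consent, trackers = TRACKERS, now = new Date()) {
  const allowed = new Set(allowedTrackers(consent, trackers));
  return {
    timestamp: now.toISOString(),
    bannerVersion: BANNER_VERSION,
    consentState: consent.state,
    reason: consent.reason,
    fired: trackers.filter(t => allowed.has(t.name)).map(t => t.name),
    blocked: trackers.filter(t => !allowed.has(t.name)).map(t => t.name),
  };
}

// Browser entry point: inject only the scripts the record says fired. The DOM
// and navigator accesses are guarded so the logic above also runs in Node.
function applyConsent(action) {
  const gpc = typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
  const consent = resolveConsent({ action, gpc });
  const record = auditRecord(consent);
  if (typeof document !== "undefined") {
    for (const t of TRACKERS) {
      if (!record.fired.includes(t.name)) continue;
      const s = document.createElement("script");
      s.src = t.src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  return record; // persist this server-side or in the CMP log for auditability
}
```

Wire `applyConsent` to the banner buttons and its close control, and call it with `null` on page load so the record shows trackers were blocked before any interaction.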
2. Limit trackers’ access to data
Courts still disagree on many points when litigating CIPA claims. In cases where the data the third party accessed was extremely trivial, especially with no truly identifying information, the claim is more likely to be dismissed. While specific definitions vary, routine browsing behavior is often treated as too trivial for a claim, while browsing data related to any sensitive data categories is examined with more scrutiny.
Similarly, some CIPA claims are dismissed when the third party tracker was only functioning as part of the website’s basic services and the third party gained no independent use of user data.
Evaluate vendors carefully and take means to limit their access to visitor data, especially any sensitive data. If your website hosts pages that could imply information about a user’s health, financial, or other sensitive status, consider removing trackers entirely from those pages.
When implementing third-party tools, identify the minimum amount of data the vendor needs to operate effectively, and implement limitations to the vendor’s access beyond that minimum. Many tracking tools can be configured to exclude certain pages, anonymize user identifiers, or restrict data sharing to only what is needed. Courts have repeatedly dismissed cases where the third party had no independent use of the data collected, so building that same limitation into your vendor relationships is one of the most direct ways to reduce exposure.
3. Self-audit consent
Your banner experience doesn’t matter if the choices users make on the banner don’t actually impact tracking. Regularly review your website to confirm that trackers don’t fire after an opt-out. Audit your full list of tracking tools before making any changes to your consent setup, since some trackers are installed directly on a website outside of a consent management platform and will run regardless of what a user chooses on the banner.
Some teams focus their audits on the areas most likely to show up in a lawsuit. Search bars, contact and lead forms, and session replay tools are the most common targets. A practical way to check your exposure is to run through your website as three different users (one who ignores the banner, one who rejects, and one who accepts). Note which trackers run in each scenario and where that data goes. If a tracker fires after a user rejects, that is exactly what a plaintiff attorney looks for.
For DataGrail Consent customers, DataGrail’s AI agent Vera automatically detects new trackers and recommends categories for managing them. This is the core technical control for ensuring non-essential trackers do not run before a visitor has consented.
To review your website’s opt-out compliance, try our complimentary consent checker, install our free browser extension, or build your own audit with Claude.
4. Improve your documentation
Being able to produce a timestamped record of what fired, under which consent state, on a specific date is a significant advantage when responding to a demand letter. Prevent letters from turning into claims by selecting a consent management platform designed for auditability. Maintain network logs, configuration exports, and consent banner screenshots organized by release date.
Another important avenue of documentation to consider is your risk assessment strategy. If a claim argues that a specific vendor gained independent use of your visitors’ browser data, showing the court that you thoroughly reviewed the vendor and already addressed and/or mitigated any third-party use is a strong defense. Risk assessments are especially important if your browsing data might be considered in any way sensitive, as the CCPA’s recent amendments now legally require proactive assessments for processing sensitive data.
For those using DataGrail’s Risk Assessments, Vera can help you validate whether or not a potential new tracker can process personal or sensitive information, and immediately document an auditable mitigation strategy in Risk Register.
What to do if you receive a CIPA demand letter
Receiving a demand letter does not mean the claim is valid. Many claims are generated at scale by a small number of firms using automated scanning tools, and the technical allegations are not always accurate. What separates brands that handle this well from those that scramble is having answers ready before anyone asks.
Here is what some teams are doing when they receive a letter:
1. Do not ignore it
The deadline is real. No response generally strengthens the other side’s position.
2. Check what your site was actually doing
Before deciding how to respond, pull logs from your consent management platform and assess whether your site was actually configured the way the letter claims. This is about understanding your own position. Some CIPA claims aren’t based on what your site actually does, but what a cookie is capable of doing, so it’s important to validate how you actually have your scripts and cookies configured. A demand letter alleging a tracker fired without consent is much easier to respond to when you have records showing what your setup was and when any changes were made.
3. Fact-check the technical allegation
Demand letters are typically built on an HTTP Archive (HAR) file, a snapshot of network activity captured in a single browser session at a specific moment in time. That snapshot can contain errors, reflect outdated behavior, or be misread. Running the same analysis yourself before engaging in settlement or strategy lets you identify those inconsistencies and respond to what the evidence actually shows rather than taking the allegation at face value.
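The HAR analysis a demand letter rests on, run against your own capture, as an added example that is not the page’s or any vendor’s code. It serves both the self-audit described earlier (record one HAR per scenario: ignore, reject, accept) and the fact-check here: it separates third-party requests into those that started before the consent choice was recorded and those after, and flags anything that ran after a reject. The site domain, the CMP endpoint path and the sample HAR are assumptions constructed for illustration.

```javascript
const SITE_DOMAIN = "shop.example";        // assumed first-party domain
const CONSENT_PATH = "/cmp/record-choice"; // assumed CMP endpoint that logs the visitor's choice

// Constructed sample HAR: two tracker calls before consent, one after a reject.
const SAMPLE_HAR = {
  log: { entries: [
    { startedDateTime: "2024-03-01T10:00:00.000Z", request: { method: "GET", url: "https://shop.example/" } },
    { startedDateTime: "2024-03-01T10:00:00.200Z", request: { method: "GET", url: "https://static.shop.example/app.js" } },
    { startedDateTime: "2024-03-01T10:00:00.400Z", request: { method: "GET", url: "https://pixel.adnet.example/p?ev=PageView" } },
    { startedDateTime: "2024-03-01T10:00:00.600Z", request: { method: "POST", url: "https://replay.vendor.example/ingest" } },
    { startedDateTime: "2024-03-01T10:00:05.000Z", request: { method: "POST", url: "https://shop.example/cmp/record-choice?choice=reject" } },
    { startedDateTime: "2024-03-01T10:00:05.300Z", request: { method: "GET", url: "https://analytics.vendor.example/collect" } },
  ] },
};

// A host is first party if it is the site domain or one of its subdomains.
function isFirstParty(host) {
  return host === SITE_DOMAIN || host.endsWith("." + SITE_DOMAIN);
}

// Time and value of the recorded consent choice, or null if the visitor never chose.
function consentTime(har) {
  const e = har.log.entries.find(x => new URL(x.request.url).pathname === CONSENT_PATH);
  if (!e) return null;
  return { at: new Date(e.startedDateTime), choice: new URL(e.request.url).searchParams.get("choice") };
}

// Third-party requests split by whether they started before or after the consent record.
function thirdPartyByPhase(har) {
  const consent = consentTime(har);
  const report = { consent: consent ? consent.choice : "none", preConsent: [], postConsent: [] };
  for (const e of har.log.entries) {
    const url = new URL(e.request.url);
    if (isFirstParty(url.hostname)) continue;
    const rec = { time: e.startedDateTime, host: url.hostname, path: url.pathname };
    const before = !consent || new Date(e.startedDateTime) < consent.at;
    (before ? report.preConsent : report.postConsent).push(rec);
  }
  return report;
}

// What a reviewer (or a plaintiff's scanner) looks for: third-party traffic before any
// choice, and third-party traffic after the visitor rejected.
function findings(har) {
  const r = thirdPartyByPhase(har);
  const out = r.preConsent.map(x => `before consent: ${x.host}${x.path}`);
  if (r.consent === "reject") out.push(...r.postConsent.map(x => `after reject: ${x.host}${x.path}`));
  return out;
}
```

Load a real capture with `JSON.parse(fs.readFileSync("session.har"))` in place of `SAMPLE_HAR`; an empty findings list for the reject and ignore scenarios is the result you want to be able to show.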
4. Get outside counsel involved early
CIPA litigation is technical, fast-moving, and fact-specific. How a company responds, and whether to settle, fight, or remediate, is a decision that benefits from past experience. If this is your first CIPA claim, consider engaging outside privacy counsel.
5. Use the letter as a forcing function
Regardless of how the claim resolves, treat a demand letter as a prompt to close the gaps that made you a target.
Learning with your community
If you need more help thinking through CIPA claims and your consent management platform, consider joining the Privacy Roundtable Slack community. 2,000+ privacy practitioners worldwide gather here to discuss privacy best practices and share resources. You’re not alone in identifying the best next step for your team.
This article is provided for general informational purposes only and does not constitute legal advice. If you have received a demand letter or are evaluating your exposure, consult qualified legal counsel before taking action.