It has been amply documented how the California Plaintiffs’ Bar has exploited the California Invasion of Privacy Act (“CIPA”)–explicitly designed during the Cold War to address telephonic wiretapping and eavesdropping—to assert claims relating to the commonplace Internet use of website tracking technologies and chat features against corporate defendants. CIPA was enacted under the California Penal Code as a wiretap law to protect individuals from the unauthorized interception and eavesdropping of their confidential telephone calls.
Some early successes for creative Plaintiffs counsel contributed to a surge of Plaintiffs claims under CIPA asserting theories of liability relying on expansive notions of the scope of individual privacy pertaining to online personal information.
However, more recently, the tide may be turning in favor of corporate targets of these claims. Significant victories have been won in individual court decisions, often at the summary judgment stage. Moreover, recent California legislation has been enacted in the California Senate that would restrict the use of the CIPA statute to prosecute claims for the use of tracking technologies for a “commercial business purpose.” While the full impact of these developments remains to be seen, they may have a chilling effect on future litigation claims, or at least a possible slowing of the pace of new claims being made.
Promising California Legislative Reform Stalls
On June 3, 2025, the California Senate unanimously passed Senate Bill 690(SB 690), which would amend the CIPA law to provide for a first ever “commercial business purpose” exception to CIPA that would limit abusive lawsuits. SB 690 would bar private lawsuits for the processing of personal information for a commercial business purpose, effectively eliminating the private right of action for a wide range of CIPA claims related to online business activities. Significantly, the Senate Bill was amended prior to passage to remove its retroactivity provision, meaning that it will not apply to pending cases, but only prospectively to future cases once the legislation becomes law. The bill has moved to the California Assembly for further consideration.
Despite this promising development in the California Senate, the bill’s author, Sen. Anna Caballero, abruptly announced on July 2, 2025 that the bill would be made into a “two-year bill”, meaning Assembly consideration of this legislation will be paused until at least 2026 due to continued opposition from consumer privacy advocates and attorneys groups. This means that SB 690 will like not take effect until 2027 at the earliest. It also means that the current wave of CIPA litigation will continue for at least another year until final legislation is enacted in California.
Courts Remain Skeptical of Application of CIPA Wiretapping Theories to Standard Online Tracking Technologies
Definitive legislation would be the cleanest and most decisive way to curtail alleged misuse of the CIPA statute for civil claims relating to the use of online tracking technologies for a commercial business purpose. Nevertheless, corporate defendants have won several recent court decisions which, together with prior litigated decisions, and considering risk mitigation measures that many companies already take, should strengthen the confidence of corporate defendants that they have strong defenses to any CIPA liability for the use of standard online technologies.
For example, a number of cases have already interpreted Section 631(a) of CIPA as applying only to telephonic communications and not to Internet communications or technologies. Furthermore, consent banners and pop-up notices on websites preceding the use of web pixels or cookies, as well as explicit notices of privacy and cookie policies provide consumers with the opt out option to decline consent. If they do not opt out and continue to navigate the website, they have arguably provided knowing consent by continue to browse the site under the website’s terms, and the defendant can claim exemption from liability under CIPA on the basis of consumer consent. Also, many websites using tracking or other online technologies typically pseudonymize or anonymize collected data for commercial purposes without individual identifying data.
Several recent federal court decisions, including one Ninth Circuit decision, have rejected the theory that Section 631(a)’s first clause, which bars wiretapping, even applies to Internet communications. Gutierrez v. Converse Inc., 2025 WL 1895315, at *2 (9th Cir. July 9, 2025)(J. Bybee concurring opinion) (affirming summary judgment against a Section 631(a) claim); Ramos v. Gap, Inc., 2025 WL 2144837 (N.D. Cal. July 29, 2025)(dismissal of lawsuit alleging third party email marketing pixels used by retailer collecting data such as email, email open rates and content click rates were an unlawful wiretap under CIPA); Torres v. Prudential Fin., Inc., 2025 WL 1135088, at *5 (N.D. Cal. Apr. 17, 2025)(rejecting theory that third-party website cookies support a Section 631(a) claim).
Further, in Ramos, the court held that the defendant retailer was a “party to the communication” and therefore could not be held liable under Section 631(a) for wiretapping “private communications.” The court further held there was no interception of protected communication contents under CIPA as opposed to general information “about a user’s communication...” 2025 WL 2144837 at *3-4.
Gutierrez and Torres also establish that claims brought under the second clause of Section 631 (a) for “willfully attempting to learn the contents or meaning of a communication in transit over a wire” are not viable if the data are not accessed in transit (such as over a chat room feature) but rather after transit, such as in the case of access being requested for technical assistance after transit. Gutierrez, 2024 WL 3511648, at *8; Torres, 2025 WL 1135088, at *6.
Prophylactic Steps Can Minimize CIPA Risk
While litigation defenses to CIPA claims are many and varied, so are plaintiffs’ theories of liability. Here are several ways to minimize CIPA litigation risk:
- Know what technologies you are using on your website or in your email communications. Website developers often embed website pixels into a website without considering the consequences. Website pixels differ from cookies and can be launched as soon as a consumer visits a website. They may fall outside a privacy policy or cookie popup consent notice. So plaintiffs lawyers can potentially argue that consumers have no opportunity to consent to website tracking pixels because no notice was given of the data collection practices or of an opportunity to opt out.
- Be aware what information is collected. IP addresses and device IDs are often claimed to be identifiable personal information under CIPA, even though several California courts have held that individuals surfing the Web have no expectation of privacy to their IP address. If you claim the data is anonymized or pseudonymized, be sure that is the case, whether by you, or by an enforceable vendor commitment.
- Be sure to implement adequate notice and consent procedures through pop-ups or other methods, before website pixels or your cookies launch. This can be done by a full-screen pop-up, suspension of pixels until interaction occurs with your cookie pop-up, waiting until the visitor navigates to a second page, or other technical solutions.
- Segregating traffic from California IP addresses, and suppressing the use of pixels just for that state, can be a means to limit any exposure to CIPA claims. This may diminish the commercial ability to track traffic for a major market like California, but that cost could be substantially offset by potentially eliminating CIPA risk.
