On May 13, 2025, a $19.5 million settlement of a California Invasion of Privacy Act (CIPA) class action against a major financial institution and its telemarketing vendor moved one step closer to final approval. The settlement resolves allegations that the defendants violated the CIPA by secretly recording small businesses’ telephone calls without consent.
In their motion for final approval, the plaintiffs touted the average settlement payment of $680.49 per class member, which they described as “an extraordinary result” and which would be the second-largest CIPA settlement to date. This settlement underscores the significant potential exposure associated with failing to properly navigate wiretapping and telemarketing laws, including the CIPA, other state wiretapping laws, the Telephone Consumer Protection Act (TCPA), and state-level analogs to the TCPA.
CIPA
As discussed in a prior alert, the CIPA was originally enacted in 1967 to address nonconsensual recording of phone calls by putting restrictions on recording or listening to private electronic communications. In recent years, plaintiffs’ attorneys have advanced novel theories under the CIPA to seek statutory damages for the use of new online analytics tools. Plaintiffs have alleged that technologies such as website cookies, pixels, and other online analytics tools amount to illegal wiretaps, pen registers, or trap and trace devices.
Although those claims have received justifiably significant attention in recent years, companies and their vendors should not overlook potential liability for CIPA violations arising from more conventional but nonconsensual recordings. CIPA plaintiffs may seek statutory damages of $5,000 per violation or treble their actual damages, whichever is greater.
The Lawsuit
The plaintiffs, two California small businesses, originally filed their putative class action complaint in the United States District Court for the Northern District of California in 2023, asserting violations of the CIPA based on allegations that the vendor cold-called them to market the financial institution’s payment processing capabilities.
The goal of these calls was to schedule follow-up in-person appointments, and the vendor compensated telemarketers based on the number of appointments they scheduled. To ensure accurate reporting of these appointments, the vendor allegedly recorded the entirety of each call, but without telling the call recipients that it was doing so.
The plaintiffs further alleged that both the financial institution and an intermediary company that supervised the vendor for the financial institution were aware of the vendor’s actions on the financial institution’s behalf. Although they had the responsibility and power to supervise or modify the vendor’s conduct, the financial institution and the intermediary did not direct the vendor to stop recording its calls with leads, according to the plaintiffs.
The parties settled the case while the defendants’ motions to dismiss the plaintiffs’ amended complaint were pending.
The Proposed Settlement
On behalf of a class of approximately 102,416, the plaintiffs alleged the defendants’ conduct violated the CIPA, which prohibits recording private telephone communications without the consent of all parties. The parties reached a $19.5 million settlement for about 19,000 submitted claims, which, according to the plaintiffs’ motion for final approval, is the second-largest CIPA settlement ever in absolute dollar terms and the largest ever by per-class member recovery. As the plaintiffs emphasized, “This is a substantial payment for an intrusion of privacy that, on average, lasted 45 seconds and often less than 15 seconds.”
Conclusion
While California is considering amending the CIPA to exempt commercial business purposes and conform to the California Consumer Privacy Act, this recent settlement underscores how costly (and perhaps unexpected) CIPA violations can be. Companies that call their customers and consumers at large should take note of the CIPA’s requirements as well as those of the TCPA, review their vendor contracts for indemnity protections, and ensure third parties are making efforts to comply with the CIPA, the TCPA, and other laws.
[View source.]
