CIPA restricts recording or listening to private electronic communications. The law was originally enacted in 1967 to combat unconsented wiretapping. The law provides for a private right of action in the event a communication is intercepted or recorded without the consent of all parties or when a pen register or a trap and trace device is used without a court order. A stream of putative class action plaintiffs has alleged that website operators have violated CIPA by deploying analytic tools, which the plaintiffs contend amount to pen registers and trap and trace devices. These plaintiffs allege that website privacy policy disclosures, cookie banners and opt-in consents are insufficient to avoid a CIPA violation.
Notably, CIPA’s consent requirements are at odds with the California Consumer Privacy Act (CCPA). The CCPA broadly regulates consumer privacy, including businesses that target California consumers via internet websites. It provides for an opt-out regime – in other words, consumers may exercise their privacy rights by opting out of the sale or sharing of their personal data or the processing of their sensitive personal data.
SB-690
If passed, the CIPA amendment SB-690 would exclude from the wiretapping rules any uses, devices and processes for “commercial business purposes.” The amendment defines “commercial business purposes” as the processing of personal information either “performed to further a business purpose” as defined by the CCPA or “subject to a consumer’s opt-out rights” provided by the CCPA.1 The bill would retroactively apply to any pending CIPA cases, potentially undermining claims pending when the amendment goes into effect.
SB-690 was referred to the Senate Committee on Public Safety, and a hearing was held on April 29, 2025. The hearing provided insight into how supporters and the opposition are thinking about the amendment. The sponsor of the amendment, Senator Anna Caballero, framed CIPA suits as an attempt by plaintiffs to subvert the carefully negotiated CCPA opt-out regime. Senator Caballero emphasized that the CIPA wiretapping suits are a “shakedown” and potentially ruinous to small and medium-sized businesses forced to either settle or pay litigation costs. The amendment, she concluded, would provide businesses with much-needed guidance on how to comply with the law and would ensure that business activities already regulated by the CCPA are not within the purview of CIPA.
The opposition, on the other hand, opposes the amendment unless it is revised to ensure that large tech companies may still be sued under CIPA. They framed CIPA as addressing “hidden tracking,” for which opting in or out is not an option. The opposition proposed an alternative approach of narrowly amending the pen register provision of CIPA, rather than a broad exemption.
Questions from members of the Committee to Senator Caballero focused on the possibility of narrowing the amendment to apply to only small and medium-sized businesses, as well as eliminating the retroactivity provision discussed above. While it is still early in the legislative process, Senator Caballero seemed amenable to eliminating the retroactivity provision, thus allowing pending lawsuits to proceed.
Although the bill was voted out of the Committee on Public Safety and will move to the Appropriations Committee, it remains too soon to tell whether it will become law. Depending on how the amendment is tweaked, and if it is successful, it could stem the tide of CIPA class actions by excluding from wiretapping restrictions those processes tied to legitimate commercial business purposes.
Zhizhi Xu v. Reuters News & Media Inc. and Gabrielli v. Insider, Inc.
More encouraging developments for companies facing CIPA claims came out of the Southern District of New York, where two recent CIPA putative class actions were dismissed for lack of standing.2 In both cases, the plaintiffs alleged that the defendants’ websites contained third-party web trackers that collected plaintiffs’ IP addresses and sent that information to third parties. According to the plaintiffs, the third parties could then use the IP addresses to serve targeted advertisements and conduct website analytics.
The courts in both cases held that the plaintiffs failed to allege a concrete injury in fact as required to satisfy Article III standing. First, neither plaintiff alleged that they were harmed by targeted advertisements or the like and instead alleged that a procedural violation of CIPA was sufficient to confer standing. The courts disagreed, finding that a statutory violation alone is insufficient to confer Article III standing.
Second, the courts took issue with characterizing IP addresses as private or personal information, stating that sharing an IP address without more does not amount to an invasion of privacy, a deprivation of the right to control personal information or public disclosure of private facts for standing purposes. IP addresses are voluntarily shared when a user accesses a website and people are not entitled to a legitimate expectation of privacy in them. While it is clear that a statutory violation alone does not confer standing, the reasoning turned largely on the fact that the IP addresses were the only information at issue. Thus, the dissemination or disclosure of additional information may lead to a different outcome on standing.
Conclusion
In light of these decisions, we expect to see fewer CIPA claims filed in federal court, as the standing analysis in California state court is typically less stringent. We also expect to see fewer cases that only allege the improper disclosure of IP addresses, as opposed to disclosure of more sensitive personal information. If CIPA is amended consistent with what is being discussed in the California Legislature, the number of CIPA claims filed anywhere is likely to decrease.
Nonetheless, for businesses looking to avoid CIPA litigation, opt in consent is the safest path. At the same time businesses should ensure, as a technical matter, the cookie consent manager functions as advertised, and not only keeps cookies from firing prior to user consent, but also keeps related tracking technologies like pixels from firing prior to user consent.
Importantly, a business can choose to run the risk of CIPA litigation and absorb the (potentially diminishing) cost associated with CIPA demand letters in an effort to cast a larger marketing net; but it should ensure it maintains appropriate opt out consent (albeit not under European privacy law, which requires opt in consent).
In all events, businesses should ensure their privacy notices are up to date and compliant, especially as they launch new technologies and practices.
__________
1 The CCPA defines “business purpose” as “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.” Cal. Civ. Code § 1798.140 (d). See the statute for specific examples.
Under the CCPA, consumers have the right to opt out of the sale or sharing of personal information. Cal. Civ. Code § 1798.120.
2 Zhizhi Xu v. Reuters News & Media Inc., No. 1:2024cv02466, 2025 WL 488501 (Feb. 13, 2025 S.D.N.Y.); Gabrielli v. Insider, Inc., No. 1:2024cv01566, 2025 WL 522515 (Feb. 18, 2025 S.D.N.Y.).
