Legal Alerts | What is CIPA and Why is My Company Being Accused of “Wiretapping” on Our Own Website? 

Consumer-facing businesses across the U.S. are seeing a surge in demand letters alleging that common website technologies, such as session replay software, chatbots, and pixel trackers, violate decades-old state wiretapping laws, most notably the California Invasion of Privacy Act (CIPA). These letters are often styled to resemble formal complaints and typically follow a similar playbook: they allege that a California resident visited the company’s website, entered information or messages (often through a search bar, form, or chat feature), and that those communications were intercepted in real time by embedded third-party tools without the user’s prior consent.

This client alert explains why these letters are becoming more common, what they typically allege, and practical steps companies can take to help reduce exposure.

What is CIPA?

CIPA is a California statute enacted in 1967 amid growing concern about eavesdropping as wiretapping technology advanced during the 1960s. The law regulates the interception of, eavesdropping on, and recording of certain communications.

In the context of privacy litigation, CIPA claims most commonly focus on Section 631(a), although plaintiffs have also relied on Sections 632 and 638.51(a) in some complaints. Section 631(a) generally prohibits intentionally intercepting communications while in transit without the consent of all parties to the communication. Section 632 separately regulates the recording or eavesdropping of confidential communications without the consent of all parties. Section 638.51(a) prohibits the use of a pen register without prior consent.

CIPA provides a private right of action with statutory damages of $5,000 per violation or three times actual damages, whichever is greater, and does not require proof of actual harm. This is the key reason CIPA has become an attractive vehicle for plaintiffs. The availability of statutory damages also distinguishes CIPA from more modern consumer privacy regimes, such as the California Consumer Privacy Act (CCPA), the Colorado Privacy Act (CPA), and other recently enacted state privacy laws, which generally do not provide private statutory damages for similar claims.

Critically, courts have held that companies located outside California may still face potential CIPA exposure where the affected website user is located in California. As a result, use of third-party tracking tools on a website accessible to California residents can potentially implicate CIPA, even if the company has no physical presence or targeted operations in the state.

How does CIPA apply to website tracking technologies?

There is no uniform consensus on how CIPA applies to modern web tracking. Although many CIPA claims are dismissed at the pleading stage or on summary judgment, a meaningful number have survived early challenges.

A central issue is what qualifies as the “contents” of a communication. Several courts have allowed claims to proceed where the alleged collection captures the substance or meaning of a communication, rather than only technical data. In Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073 (C.D. Cal. 2021), for example, the court rejected the argument that keystroke data, IP address, and browser data constituted message content. By contrast, in St. Aubin v. Carbon Health Techs., Inc., No. 4:24-cv-00667 (N.D. Cal. Oct. 1, 2024), the court denied a motion to dismiss and held that descriptive URLs may qualify as content where they reveal specific information about a user’s queries.

Courts also scrutinize vendor roles, with higher risk where a vendor can use or monetize data for its own purposes. In Javier v. Assurance IQ, LLC, 2022 WL 1744107 (9th Cir. May 31, 2022), for example, the court found a vendor could qualify as a third-party eavesdropper if it had the capacity to use collected data for its own benefit. By contrast, in Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal. 2021), the court dismissed a CIPA claim, holding that the defendant’s session replay vendor did not qualify as a third-party eavesdropper where it collected data solely on the defendant’s behalf and was contractually restricted from using the data for its own independent purposes. The court reasoned the vendor’s use of the data was comparable to that of a tape recorder and therefore its conduct did not give rise to liability under the law.

Practical steps to help reduce risk

Effective risk management starts with operational reality. To help mitigate risk under CIPA and similar state wiretapping laws, companies should consider the following steps:

  • Audit website tracking technologies. Identify which third-party tools run on the company’s websites, when and how they activate, what data they collect, and where that data is transmitted. The audit should pay close attention to chat features, search bars, forms, and session replay tools. The company should also consider eliminating any tools that provide more risk than value.
  • Review and validate consent mechanisms. Cookie banners and consent tools can help mitigate risk, but only if they accurately reflect how tracking technologies actually function. Companies should confirm that banner language, consent options, and technical implementation are aligned in practice. For example, where a banner suggests that tracking will not occur if a user declines, but tracking continues anyway, that mismatch can undermine consent-based defenses and create exposure not only under CIPA, but also under the FTC Act and similar state consumer protection laws.
  • Update privacy policies and related disclosures. Privacy policies and related disclosures should accurately describe tracking practices, the categories of data collected, and the role of third-party vendors. Inconsistencies between public disclosures and actual technical behavior are frequently highlighted in demand letters and complaints.
  • Manage vendor risk. Companies should evaluate whether vendors are acting as service providers or have the ability to use or monetize data for their own purposes. Vendor agreements should, where appropriate, restrict secondary data use, limit retention, require compliance with applicable privacy laws, and include contractual protections tailored to the company’s risk profile.
  • Coordinate CIPA posture with broader privacy compliance. Obligations under the Colorado Privacy Act and similar state laws, particularly around consent, opt-out mechanisms, and transparency, can affect CIPA risk. Companies should assess how global privacy controls, consent signals, and opt-out frameworks operate across jurisdictions and whether those mechanisms are consistently honored in practice.
  • Document technical and compliance decisions. Maintaining clear documentation of audits, vendor roles, and implementation decisions can be critical when responding to demand letters or assessing litigation risk.
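The consent and audit steps above come down to one engineering rule: no third-party tag may run before the visitor's choice is recorded, and what actually ran must match that choice. The following is an added illustration, not code from the alert or from any vendor; the tracker names, categories, the page object that stands in for the browser, and the treatment of a Global Privacy Control signal as a decline of non-essential categories are all assumptions made for the example.

```javascript
// Added example (hypothetical names): consent-gated tag loading plus an audit that
// flags tags which fired without a matching consent category.

// Third-party tools the audit step would have inventoried, each assigned a consent
// category. `load` stands in for injecting the vendor script into the page.
const TRACKERS = {
  sessionReplay: { category: 'analytics', load: (page) => page.loaded.push('sessionReplay') },
  chatWidget:    { category: 'functional', load: (page) => page.loaded.push('chatWidget') },
  adPixel:       { category: 'marketing',  load: (page) => page.loaded.push('adPixel') },
};

// Consent as the banner records it. Assumption for this example: a browser-sent
// Global Privacy Control signal overrides analytics and marketing to "declined".
function effectiveConsent(bannerChoice, gpcSignal) {
  const consent = { functional: false, analytics: false, marketing: false, ...bannerChoice };
  if (gpcSignal) {
    consent.analytics = false;
    consent.marketing = false;
  }
  return consent;
}

// Load only the tags whose category the visitor accepted. A null consent means the
// banner has not been answered yet, so nothing third-party loads at all.
function loadPermittedTags(page, consent) {
  if (consent === null) return page;
  for (const tag of Object.values(TRACKERS)) {
    if (consent[tag.category]) tag.load(page);
  }
  return page;
}

// Audit check for the "banner says no, tracking continues anyway" mismatch: given
// the tags observed on a page and the consent recorded for that visit, return the
// tags that ran without a consent category covering them.
function auditMismatch(page, consent) {
  return page.loaded.filter(
    (name) => consent === null || !consent[TRACKERS[name].category]
  );
}

module.exports = { TRACKERS, effectiveConsent, loadPermittedTags, auditMismatch };
```

Run the audit against captured page loads from a crawler or browser automation run, not against the tag manager's configuration, since the mismatch the demand letters cite is between stated policy and observed behaviour.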

Many CIPA demand letters appear to be part of a volume-driven strategy that leverages statutory damages, unsettled case law, and confusion about how consent mechanisms and tracking technologies operate in practice to pressure companies into early settlements. Companies that clearly understand the tools deployed on their websites and align consent mechanisms with actual technical behavior will be better positioned to evaluate the merits of these claims and make informed decisions about next steps.

For questions about the California Invasion of Privacy Act or other data privacy topics, please contact Alex Paalborg or a member of the Davis Graham IP & Technology Transactions Group.