CIPA suits: Why a 60-year-old law makes your website a target
The California Invasion of Privacy Act is testing modern data privacy boundaries.
Data privacy laws across the United States have expanded greatly over the past five years. Comprehensive laws have been adopted by more than 20 states, and we have seen a corresponding rise in data privacy litigation.
However, many of these lawsuits are not arising under new statutes as might be expected; instead, plaintiffs rely on decades-old wiretapping laws, most prominently the California Invasion of Privacy Act. In the past two years there has been a surge in complaints and class actions under CIPA, as opportunistic plaintiffs have sought to capitalize on overlooked aspects of businesses’ websites with claims under a combination of old and new laws.
Why are “CIPA lawsuits” becoming such a pain point for so many organizations? To answer this, we must examine what CIPA is, and why plaintiffs increasingly seek to exploit a nearly 60-year-old privacy law in tandem with modern data privacy laws that have been in effect for five years or less.
California Invasion of Privacy Act
Enacted in 1967, the California Invasion of Privacy Act was proposed by the California Legislature in response to “advances in science and technology that have led to the development of new devices and techniques for the purposes of eavesdropping . . . [that] cannot be tolerated in a free and civilized society.”
At the time, lawmakers contemplated Cold War era wiretapping and listening devices that were used to intercept private communications. Within this context, CIPA should have gradually faded away as a relic of its time, yet in recent years it has been revived and is now being invoked en masse to target modern technologies that were inconceivable six decades ago. Today, plaintiffs are asserting many wiretapping, eavesdropping, and trap-and-trace claims against businesses' websites. The claims target cookies, pixels, and third-party analytics tools in particular. CIPA has become the primary basis for these complaints, as it offers a broad private right of action, favorable bases for class actions, and no ameliorating safe harbor provisions.
How CIPA claims arise
Although some recent laws include private rights of action, the rights are limited in nature. For example, the California Consumer Privacy Act is restricted to circumstances that primarily involve data breaches. Most state laws do not provide private rights of action, instead giving enforcement authority to government regulators. Certain data privacy activists were displeased with how these limited or nonexistent rights contrasted with those provided by the European Union’s General Data Protection Regulation. The activists resolved to use litigation to assert stronger privacy protections if legislators would not do so through regulation.
It did not take long for less altruistic (opportunistic) plaintiffs to realize that, instead of using CIPA-type laws as a means to enhance modern privacy regulations, they could simply capitalize on their right to bring private actions and, in the case of CIPA, pursue recovery for statutory damages of $5,000 per violation or three times their actual damages, whichever is greater. As a result, the past three years have seen a surge in class actions and single-plaintiff complaints asserting increasingly tenuous claims. Courts have so far been reluctant to reject the claims because they are technically within the bounds of the law and longstanding precedent.
Prevalence of CIPA claims
CIPA applies as long as the website user (plaintiff) is located in California, even if the defendant itself is based outside of California or even outside the United States, as recent litigation involving Shopify demonstrates. Courts are also permitting claims to proceed not only against website operators, but also against third-party operators, further expanding potential exposure.
Although “CIPA” is used colloquially as a catch-all label, similar wiretapping and eavesdropping statutes exist in approximately 28 states, with California, Florida, and Illinois seeing the highest volume of claims. Since 2022, nearly 4,000 privacy claims have been filed in states nationwide involving the use of digital tracking technologies. This post-2022 surge is widely attributed to a CIPA decision from the U.S. Court of Appeals for the Ninth Circuit. In Javier v. Assurance IQ, the court held that session replay technology can be an “interception” under CIPA, which significantly expanded the statute’s scope.
The vast majority of CIPA claims are settled privately, meaning the total number of claims (as opposed to actual lawsuits) is probably greater. There is no general consensus, but extrapolating trends reasonably supports an estimate that there may have been 50,000 to 100,000 or more claims since 2022. Individual demand letters and arbitration filings are a hallmark of CIPA challenges. This is reflected in a high volume of dedicated CIPA plaintiff firms and single-plaintiff actions. Even if the case lacks merit, there is still a cost to the organization to investigate the claim, evaluate its technology practices, engage counsel or technical specialists, move to dismiss, or assess settlement and arbitration risks. Demand amounts are typically between $15,000 and $40,000, which may not seem significant, but are tactically calculated to maximize the likelihood that an organization will settle for most or all of the demand just to make the nuisance go away. Otherwise, the organization will assuredly spend more to endure protracted negotiations or to defend through full litigation.
Hidden costs
When CIPA claims do proceed to court, defense costs and settlement costs accumulate quickly. In addition, general liability and cyber insurance policies often exclude private privacy violations. There is a trend for plaintiffs to rely on free website scans to identify potential violations, enabling high-volume targeting. Large enterprises may seem to be prime targets due to their scale, visibility, and perceived ability to absorb settlement and defense costs. However, similar to cybersecurity contexts, it is actually small and mid-sized businesses that are prime targets because they typically lack the specialized legal or technical resources to identify and reduce their exposure to potential claims, or, conversely, to defend and remediate any gaps that give rise to such claims.
Even when a claim is settled, there are many costs and risks still lurking. Many settlements are tacit admissions that an organization has been negligent in ensuring its notices (privacy policies, cookie policies, consent and preference management options) accurately disclose how the website actually functions. Yet, if the defendant does not invest in what is necessary to fully remediate and bring the website/organization into compliance – which often requires specialized technical audits and policy updates from dedicated third-party practitioners – then plaintiffs will pounce by reasserting negligence claims and adding new claims that the organization is now fraudulently misrepresenting its compliance posture. As with many other aspects of data privacy compliance, these are not “check-the-box” or “one-time” exercises, and demand that organizations continuously monitor and manage their digital ecosystems and corresponding policies.
Ignorance is not bliss
Many companies are targeted not once, but multiple times, even when using some of the most basic or common website analytics tools (often involving the use of “pixels” and similar tracking technologies). Many organizations are suffering “death by a thousand cuts” as they continue to put off meaningful remediation because they vastly underestimate the likelihood of subsequent actions and the totality of cumulative costs. The relatively low demands from CIPA plaintiffs lull organizations into thinking that a few tweaks to the website user experience and some boilerplate language inserted into the privacy policy are all it takes to make future problems go away. This is a mistake, and often more expensive in the long run. At first, the cost of meaningful preventive remediation may be greater than the cost of settling and remediating after the fact. But the cost of preventive remediation will assuredly be offset by avoiding many other potential claims in the future. Just as the true value of “cybersecurity” is often unappreciated until a breach shows its value, the true value of “privacy compliance” is similarly unappreciated until plaintiffs and regulators start knocking at the door.
Organizations cannot afford to wait things out and hope that the scrutiny of website tracking technology and user consent will subside any time soon. The California legislature considered Senate Bill 690 in 2025, which would have curtailed the majority of spurious and vexatious suits. However, the measure failed to advance and actually seems to have motivated plaintiffs to be more active and more aggressive before “loopholes” are closed.
As noted already, courts have until now been reluctant to dismiss these lawsuits as long as they do not appear to be legally defective. More recently, some courts have shown increased willingness to challenge whether the plaintiff has standing and to question whether there has been actual harm, and some are even dismissing suits at the pleading stage for lack of sufficient grounds. However, because there is no safe harbor, other courts are still allowing the cases to proceed.
Even if organizations had their wish and these class action or single-plaintiff suits disappeared, the underlying issues would remain a pressing concern. Regulators, notably the state members of the Privacy Consortium, have launched multiple investigative sweeps that predominantly target websites, as they are public-facing and easily accessible indicators of an organization’s compliance posture. In September 2025, three states launched a coordinated sweep focused on whether organizations are ensuring that individuals are informed about the collection/sharing of their personal data, and subsequently honoring user consents and preferences. These practices continue to be a priority for regulators. Earlier this month, California’s Attorney General announced the largest CCPA settlement to date relating to individuals’ ability to meaningfully manage or limit the collection and sharing of their personal information. Consistent with other California settlements, the monetary amounts seem small in proportion to the size of the organization. However, the administrative penalties – that is, providing updates every 60 days until compliance is reached, and maintaining an assessment/monitoring program for three years that is documented in an annual public report – are “shadow” costs that are likely to exceed the monetary amounts alone.
Finally, artificial intelligence has upped the ante, as organizations grapple with complex implementation or emerging technologies while at the same time defending against plaintiffs probing for any compliance gap or weakness.
What organizations should do
Organizations should (and must) consider compliance as an ongoing, proactive practice, not a one-time, check-the-box exercise. Focusing on a strong consent framework that provides clear, conspicuous notice and demonstrable consent will greatly mitigate risk. Courts have repeatedly held that retroactive consent, and the mere existence of terms of service and privacy policies, are insufficient to establish valid consent. Organizations should review their website policies to ensure that disclosures accurately reflect actual business practices and data flows. Reviews should occur regularly, at least once a year, and should include third-party websites and practices to ensure that the third parties are not creating more risk for the organization. Transparency, clear disclosure, and data minimization should be top priorities.
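The consent framework described above has a concrete engineering counterpart: third-party tags (analytics pixels, session replay, advertising scripts) are not loaded until the user has explicitly opted in under the currently published notice, and each choice is recorded so that consent can later be demonstrated. The following is an added illustration written for this article, not code from the author or from any consent-management product; the tag inventory, the `NOTICE_VERSION` value, the `ConsentLedger` class and the `example.invalid` URLs are all constructed assumptions. It also shows the point the courts make about retroactive consent: a tag that fired before the user opted in is flagged as a gap, and a later opt-in does not cure it.

```javascript
// Added example (not from the original article): consent-gated loading of third-party
// tracking tags with an auditable consent record. All names and values are assumptions.

// Assumed: the version string of the cookie/privacy notice the user was actually shown.
// Consent given under an older notice does not carry over to a new one.
const NOTICE_VERSION = "2025-10-01";

// Constructed inventory of third-party tags and the consent category each one falls under.
const TRACKERS = [
  { id: "analytics-pixel", category: "analytics",   src: "https://example.invalid/pixel.js"  },
  { id: "session-replay",  category: "replay",      src: "https://example.invalid/replay.js" },
  { id: "ad-pixel",        category: "advertising", src: "https://example.invalid/ads.js"    },
];

// Stores every explicit user choice with a timestamp and the notice version it was given under.
// In production this would be persisted server-side so consent can be demonstrated later.
class ConsentLedger {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock (makes the logic testable offline)
    this.records = [];
  }

  // Record an explicit choice, e.g. { analytics: true, replay: false, advertising: false }.
  record(choices, noticeVersion) {
    const rec = { ts: this.now(), noticeVersion, choices: { ...choices } };
    this.records.push(rec);
    return rec;
  }

  // The record in force at a given instant: the latest one made at or before that time.
  recordAt(ts) {
    let inForce = null;
    for (const r of this.records) if (r.ts <= ts) inForce = r;
    return inForce;
  }

  // A category is allowed only if the record in force was an explicit opt-in under the
  // current notice. Absence of a record (no choice yet) means "not allowed", never "allowed".
  allows(category, noticeVersion, ts = this.now()) {
    const rec = this.recordAt(ts);
    return !!rec && rec.noticeVersion === noticeVersion && rec.choices[category] === true;
  }
}

// Which tag ids may load right now: only those whose category has explicit, current consent.
function tagsAllowedToLoad(ledger, trackers = TRACKERS, noticeVersion = NOTICE_VERSION) {
  return trackers
    .filter((t) => ledger.allows(t.category, noticeVersion))
    .map((t) => t.id);
}

// Audit helper: given observed tag loads ({ id, category, ts }), return the ids that fired
// without consent in force at that moment. A later opt-in does not make an earlier load lawful,
// which is exactly the "retroactive consent" gap the article describes.
function retroactiveLoads(ledger, loadEvents, noticeVersion = NOTICE_VERSION) {
  return loadEvents
    .filter((ev) => !ledger.allows(ev.category, noticeVersion, ev.ts))
    .map((ev) => ev.id);
}

// Browser-side injection: create <script> tags only for the allowed set. Under node there is
// no document, so this simply returns the list of ids that would have been injected.
function injectAllowedTags(ledger) {
  const ids = tagsAllowedToLoad(ledger);
  if (typeof document === "undefined") return ids;
  for (const t of TRACKERS) {
    if (!ids.includes(t.id) || document.getElementById(t.id)) continue; // skip if not allowed or already present
    const s = document.createElement("script");
    s.id = t.id;
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
  }
  return ids;
}
```

The design choice worth noting is that the ledger defaults to "no" in every case it cannot prove a "yes": no record yet, a record made under a superseded notice, or a category the user left unchecked. Each tag load can then be traced back to a specific consent record, which is the evidence an organization needs when a claim arrives. Changing `NOTICE_VERSION` when the privacy or cookie notice is revised automatically re-prompts for consent rather than silently relying on the old choice.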
The Constangy Cyber Team regularly counsels businesses of all sizes and industries on how to comply with the growing number of data privacy laws and regulations. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.