Does your company operate a website and do business in California? If so, you may soon receive (if you have not already) a letter from a law firm on behalf of a California resident aggrieved by your alleged violation of the California Invasion of Privacy Act (CIPA). Surprisingly, you may find your business accused of unlawfully collecting the consumer’s personal data through illegal use of electronic surveillance tools—namely a pen register, trap and trace device, or wiretap—on your website.
Typical allegations look like this:
- A named California resident (claimant) visited the target business’s website.
- At the time of the visit, the business had installed third-party tracking software (such as data broker software [e.g., LiveRamp or NextRoll], the TikTok pixel, or the LinkedIn Insight Tag) on its website. The tracking software, aka the alleged “surveillance tool,” began to collect claimant’s data as soon as they landed on the website—before any pop-up or cookie banner advised them of the collection and/or sought their consent.
- Captured data is sent to the third party so that it can “reconstruct” the identity of an “otherwise anonymous visitor” by matching it with other information the third party has collected (i.e., “fingerprinting”).
- The target business can use some of this data for advertising campaigns, conversion tracking, and other business purposes. The third party has access to all of it.
- The third-party software is a wiretap, pen register, or trap and trace device.
What does this mean?
The CIPA generally forbids installation or use of a pen register or trap and trace device without a court order or consent. The tools addressed here collect communication metadata, but not the contents of the communications. Under the CIPA, a pen register is a device or process that captures information about outgoing electronic communications. A trap and trace device captures information about incoming electronic communications reasonably likely to identify their source.
The CIPA also prohibits an unlawful wiretap, which does capture the contents of the communications. The first wave of CIPA lawsuits involved allegations that the use of website technologies like chatbots and session replay software constitutes wiretapping. The more current CIPA trend is to state claims under the pen register and trap and trace provisions.
The CIPA was enacted in 1967 (when telephones were rotary dialed and a commercial internet was decades away) to curtail eavesdropping on private communications conducted over telephone landlines. At the time, pen registers and trap and trace devices were law enforcement tools used to capture incoming and outgoing telephone numbers on a particular line.
So, what does this half-century-old law have to do with your company’s internet presence? While the claim letters vary by initiating firm, they center on the target company’s alleged use of third-party website analysis and tracking tools, often called pixels or web beacons. These tools are snippets of JavaScript code (or tiny image requests) that fire when a page loads or when a user performs a tracked action, and send certain data (which may include such points as page views, session duration, referrer URL, IP address, browser and device information, and other interaction metadata) from the visitor’s browser to a third-party server.
It is important to note that there is nothing inherently illegal about the use of tracking pixels in California. They are common website marketing tools used for legitimate commercial purposes such as website and product/service optimization, conversion tracking, and ad retargeting. In fact, while the California Consumer Privacy Act (CCPA) requires covered businesses to notify California consumers if they disclose personal information to third parties for cross-context behavioral advertising and allow them to opt out, opt-in consent is not required to collect personal data for this purpose.
Defendants have argued that the CIPA was intended to apply only to telephone (and telegraph) communications, and not to internet technologies, which did not exist when the statute was enacted. However, California courts have consistently rejected this position, reasoning that the statute was intended to protect California citizens broadly (not just in the context of a specific technology), and that expanding the scope to internet communications is consistent with prior expansions to cellular and cordless telephone communications. Thus, California courts have held that tracking software can “plausibly” meet the law’s definition of a pen register or trap and trace device, and session replay software, chatbots, and keystroke loggers can “plausibly” constitute wiretapping. However, courts are increasingly scrutinizing whether the statutory elements are met, particularly whether data was intercepted “in transit,” whether the defendant qualifies as a “third party,” or whether the plaintiff suffered any concrete injury. This evolving landscape may constrain the most aggressive CIPA claims, but it does not eliminate risk altogether.
Unlike most data privacy legislation, the CIPA allows people injured by its violation to bring a civil claim for the greater of $5,000 per violation or three times actual damages (if any); however, the claimant does not need to prove they actually suffered any damages. A plaintiff may also seek an injunction, which is a court order requiring the defendant to take actions to remedy the alleged violations. The CIPA also subjects violators to possible criminal penalties, such as fines and even jail time.
Why are data privacy claims being brought under the CIPA instead of the CCPA?
While both the CIPA and the CCPA allow individuals to sue for alleged data privacy violations, plaintiffs are more frequently turning to the CIPA for alleged website tracker-related violations. The CIPA provides a broader right of action and higher statutory damages, and does not require pre-suit notice and opportunity to cure.
Defending against CIPA claims can be expensive and time-consuming, even if a claim is weak on the merits. So why not just bite the bullet and pay the letter-stage settlement demand? From a time-and-money perspective, this may or may not be the right move for your business. Targeted businesses should carefully weigh the specific facts of their situation, how they use particular tools, their litigation risks, and the potential costs. But keep in mind that an early settlement may not buy your company peace. While any settlement agreement should contain confidentiality and non-disparagement provisions, the claimant’s firm may not be willing to settle its entire inventory of claims against you (if more than one) for a nuisance-value amount, and the claimant’s firm cannot settle claims that other, unrelated, firms may have against you.
How to mitigate your risk
Courts continue to grapple with how to treat these website-tracking CIPA claims, and lawmakers have yet to advance legislation that would meaningfully curb the lawsuit surge. In the meantime, a high volume of demand letters is being issued in an effort to capitalize on the legal uncertainty in the face of risky and costly litigation. Against this backdrop, businesses should take practical steps to reduce their exposure and prepare for the possibility of receiving a CIPA demand.
- Conduct a website audit. Review your website and connect with business units such as marketing and IT to understand what website technologies—including chat widgets, cookies, pixels, session replay tools, and analytics platforms—are on the landing page of your website and all subpages. Ensure you understand what data each tool collects (e.g., keystrokes, clicks, form entries), when it first fires (on page load or only after an action), and where the data is sent.
- Strengthen notice and consent practices. Update your privacy policy and cookie banner language to clearly explain your use of website technologies. Make sure disclosures are accurate and match actual practices, and that tracking scripts do not load or transmit data until the visitor consents; a banner that merely displays while the tags are already firing does not accomplish this. The strongest defense to these CIPA claims is consent.
- Review vendor agreements. Confirm that vendors processing your site-interaction data do so in a manner that is consistent with your instructions and provide contractual assurances regarding data handling. Evaluate whether the vendor is acting as a service provider under applicable privacy laws and whether you retain sufficient control to counter “third-party eavesdropping” theories.
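The audit and consent steps above, as an added example that is not part of the McCarter alert: a small script-inventory helper that separates first-party from third-party resource URLs (the kind of list a `querySelectorAll('[src]')` pass would produce), and a consent gate that queues vendor tags until the visitor accepts the relevant category, so that nothing fires before the banner. The site host, vendor hosts, tag names and categories are constructed for illustration.

```javascript
// Added example, not code from the alert. Hosts and tag names are constructed.

// Assumption: the site's own host; its subdomains count as first party.
const SITE_HOST = "example.com";

// Split src URLs (from <script>, <img>, <iframe> elements) into first-party
// URLs and third-party URLs grouped by host. Relative and protocol-relative
// URLs resolve against the site host; non-HTTP(S) sources (data:, javascript:)
// are ignored because they cannot reach a third-party server.
function inventoryThirdParty(srcs, siteHost = SITE_HOST) {
  const result = { firstParty: [], thirdParty: {} };
  for (const src of srcs) {
    let url;
    try {
      url = new URL(src, `https://${siteHost}/`);
    } catch {
      continue; // unparsable src value
    }
    if (url.protocol !== "https:" && url.protocol !== "http:") continue;
    const host = url.hostname;
    if (host === siteHost || host.endsWith("." + siteHost)) {
      result.firstParty.push(src);
    } else {
      if (!result.thirdParty[host]) result.thirdParty[host] = [];
      result.thirdParty[host].push(src);
    }
  }
  return result;
}

// Consent gate: a tag registered before its category is granted is queued,
// not loaded. Only tags handed to `loader` ever create a network request,
// so nothing reaches the vendor before the visitor consents.
class ConsentGate {
  constructor(loader) {
    this.loader = loader;
    this.granted = new Set();
    this.pending = [];
    this.loaded = [];
  }
  // tag: { name, category, src }
  register(tag) {
    if (this.granted.has(tag.category)) this.load(tag);
    else this.pending.push(tag);
  }
  // Called from the cookie banner with the categories the visitor accepted.
  grant(categories) {
    for (const c of categories) this.granted.add(c);
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.granted.has(tag.category)) this.load(tag);
      else stillPending.push(tag);
    }
    this.pending = stillPending;
  }
  load(tag) {
    this.loaded.push(tag.name);
    this.loader(tag);
  }
}

// Browser loader: injects the vendor script only when invoked by the gate.
function domLoader(tag) {
  if (typeof document === "undefined") return; // not in a browser (e.g. tests)
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

// Constructed sample of what a page's [src] attributes might contain.
const PAGE_SRCS = [
  "/static/app.js",
  "https://cdn.example.com/lib.js",
  "//tracker.example.net/pixel.js",
  "https://insight.example.org/tag.js?id=123",
  "https://tracker.example.net/img.gif",
  "data:image/gif;base64,R0lGODlh",
];

// Walk-through: tags registered on page load, then consent granted in stages.
function demo() {
  const gate = new ConsentGate(domLoader);
  gate.register({ name: "analytics", category: "analytics", src: "https://insight.example.org/tag.js" });
  gate.register({ name: "ad-pixel", category: "advertising", src: "https://tracker.example.net/pixel.js" });
  const beforeConsent = gate.loaded.slice();          // nothing fired yet
  gate.grant(["analytics"]);                           // visitor accepts analytics only
  const afterAnalytics = gate.loaded.slice();
  gate.register({ name: "ad-pixel-2", category: "advertising", src: "https://tracker.example.net/p2.js" });
  const pendingAfterAnalytics = gate.pending.map((t) => t.name);
  gate.grant(["advertising"]);                         // later, full consent
  return { beforeConsent, afterAnalytics, pendingAfterAnalytics, afterAll: gate.loaded.slice() };
}
```

In a real deployment the banner calls `grant` with the categories the visitor chose, and the consent decision is persisted (e.g. in a first-party cookie) so `grant` can be replayed on the next page view; the audit output from `inventoryThirdParty` is what you reconcile against your privacy policy and vendor agreements.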
If you have questions about assessing your CIPA risk, contact the authors of this alert or the McCarter attorney with whom you work.
*Donnie Oliver, a law clerk at McCarter not yet admitted to the bar, contributed to this alert.
