An ongoing issue many of our clients are dealing with are claims under the California Information Privacy Act (CIPA). This is actually a criminal statute and should not be confused with the California Consumer Privacy Act (CCPA).
A cottage industry of California plaintiffs’ firms are sending demand letters, filing suits, and initiating arbitrations for alleged CIPA violations. Here at Taft, we are seeing 1-2 new claims a week.
CIPA claims. Plaintiffs are targeting companies for using what have become standard web tracking tools — such as cookies, chat bots, session replay software, and advertising technology pixels (i.e. META, LinkedIn, TikTok) — on the grounds that these tools amount to illegal wiretapping or eavesdropping without proper consent of the website visitor. Plaintiffs are layering on additional claims under other laws to bolster their complaints, including California’s Shine the Light Law, the Unfair Competition Law, and traditional privacy torts. Statutory damages under CIPA are high, with plaintiffs eligible to claim up to $5,000 per violation or three times actual damages, whichever is higher.
State of the law and litigation.
- Courts. So far, state and federal courts are split on whether these tracking technologies violate CIPA’s wiretap and pen register provisions, leading to inconsistent outcomes. Courts also increasingly require plaintiffs to demonstrate actual harm or standing, resulting in some “no-injury” claims being dismissed. That is, if they even go through litigation. Plaintiffs’ opening settlement demands are often less than anticipated defense costs seeking Rule 12 dismissals. Many parties settle early before incurring any material defense costs.
- Legislation. There is legislation (California SB 690) in the works to exempt companies from such claims when such tracking is used for a “commercial business purpose.” As of this bulletin, it has not passed the California legislature.
What should companies do?
- Audit current website tracking technologies and third-party partners. Companies would do well to mitigate the associated risks of such shakedowns or litigation by reviewing their websites for any and all tracking technologies, which data the technologies collect, and any such data shared with third parties.
- Provide sufficient notice. Based on that review, companies should update their privacy policies and any posted terms to disclose such practices.
- Consider Banners. Companies can also consider a banner that greets all first-time visitors and likewise discloses the data collection and sharing practices with a link to the company privacy policy.
Of course, any company receiving such a demand should consult with legal counsel on the basis of the claims and a strategy forward. Our team has handled scores of these cases in 2025. To learn more or get assistance, you can contact our Privacy and Data Security team at Taft.