What Is CIPA?
The California Invasion of Privacy Act (Cal. Penal Code sections 630–638.55) is California's anti-wiretapping and anti-eavesdropping statute. Originally enacted to regulate telephone surveillance, CIPA has become one of the most actively litigated privacy statutes in the country as courts apply its plain language to modern website tracking technologies.
This CIPA is not the Children's Internet Protection Act (also abbreviated CIPA), a federal law about filtering content in schools and libraries. The California statute creates a private right of action under section 637.2, allowing any person injured by a violation to recover statutory damages of $2,500 per violation or actual damages, whichever is greater, plus attorney's fees and punitive damages.
What makes CIPA particularly powerful for plaintiff-side litigation is the combination of per-violation statutory damages, broad applicability to common website technologies, and the ability to bring class actions where millions of site visitors are affected.
Why this matters now: Deliberize's scanner has detected CIPA-relevant trackers on over 560 consumer-facing websites. The majority deploy trackers that fire before any user consent interaction—creating exposure under all three CIPA theories.
The Three Theories of Website Liability
CIPA contains multiple provisions, but three sections are most relevant to website tracking. Each maps to a specific category of surveillance technology and carries its own elements and damages framework.
Wiretapping
Intercepting or recording the contents of a communication. Applied to session replay tools that capture keystrokes, mouse movements, form inputs, and page content.
Eavesdropping
Recording a confidential communication without consent. Applied to live chat widgets and AI chatbots where users share personal or sensitive information expecting privacy.
Pen Register
Collecting addressing information—who communicates with whom, when, and from where—without collecting content. Applied to tracking pixels, analytics, and tag managers.
Section 631: Wiretapping — Session Replay
Section 631 prohibits the intentional interception of the contents of a communication by a person who is not a party to the communication. When a website deploys a session replay tool like Hotjar, FullStory, or Microsoft Clarity, it captures the full substance of a visitor's interaction: every keystroke, mouse movement, scroll position, form input, and page element. This is content interception by a third party (the replay vendor) who is not a party to the communication between the user and the website.
Deliberize's scanner detects 13 session replay tools, all classified as critical or high severity under section 631:
| Tracker | Theory | Severity |
|---|---|---|
| Hotjar | Section 631 | Critical |
| FullStory | Section 631 | Critical |
| Microsoft Clarity | Section 631 | Critical |
| Mouseflow | Section 631 | Critical |
| LogRocket | Section 631 | Critical |
| Lucky Orange | Section 631 | Critical |
| Smartlook | Section 631 | Critical |
| Glassbox | Section 631 | Critical |
| Quantum Metric | Section 631 | Critical |
| Inspectlet | Section 631 | Critical |
| Salesforce Interaction Studio | Section 631 | Critical |
| Contentsquare | Section 631 | High |
| Heap Analytics | Section 631 | High |
Section 632: Eavesdropping — Chat Widgets and AI Chatbots
Section 632 makes it a crime to record a confidential communication without the consent of all parties. California is a two-party consent state. When a consumer uses a website's live chat or AI chatbot to discuss a billing dispute, ask about a medical condition, or share personal details, that conversation may be confidential. If the chat vendor records and stores these conversations—often for analytics, training data, or quality assurance—that recording may violate section 632.
This theory has gained momentum as AI chatbots proliferate. Consumers who interact with an AI-powered customer service widget often share sensitive information, not realizing that the conversation is being recorded and processed by a third-party AI vendor.
Deliberize detects 9 chat widgets and 9 AI chatbot platforms under this theory, including Intercom, Drift, Zendesk Chat, and OpenAI-powered widgets.
Section 638.51: Pen Register — Tracking Pixels and Analytics
Section 638.51 prohibits the use of a pen register or trap and trace device without a court order. A pen register records addressing information—the identities and metadata of communications—without capturing content. Tracking pixels like the Meta Pixel, TikTok Pixel, and Google Analytics operate precisely this way: they record who visits a website, when, from where, what pages they view, and what actions they take, and they transmit that addressing information to a third party.
This theory covers the broadest range of common trackers. Deliberize detects 13 tracking pixels, 5 analytics platforms, and several other data collection tools under section 638.51.
Tracker Categories and Legal Exposure
Deliberize's detection engine identifies 55 distinct tracker signatures across seven categories, each mapped to a specific CIPA theory. The detection is based on network request patterns, JavaScript execution signatures, and DOM element analysis—not guesswork.
| Category | Count | CIPA Theory | Example Trackers |
|---|---|---|---|
| Session Replay | 13 | Section 631 | Hotjar, FullStory, Clarity, LogRocket |
| Tracking Pixels | 13 | Section 638.51 | Meta Pixel, TikTok, LinkedIn, Pinterest |
| Chat Widgets | 9 | Section 632 | Intercom, Drift, Zendesk, LiveChat |
| AI Chatbots | 9 | Section 632 | OpenAI widget, Ada, Dialogflow, Watson |
| Analytics | 5 | Section 638.51 | GA4, Mixpanel, Amplitude, Adobe |
| Ad Tracking | 2 | Section 638.51 | DoubleClick, Clarity Conversion API |
| Data Collection | 4 | Section 638.51 | Segment, LiveRamp, FingerprintJS, GTM |
The Consent Battleground
Consent is the central issue in modern CIPA litigation. Defendants argue that consent banners, cookie opt-outs, and terms-of-service provisions constitute valid consent to tracking. Plaintiffs counter that consent is absent, bypassed, or technically ineffective.
Deliberize's scanner performs two-pass consent verification: it visits a site, detects all trackers that fire on initial page load (before any user interaction), then interacts with the consent mechanism (if one exists), opts out, and checks which trackers persist. This produces one of four consent statuses:
CONSENT_INEFFECTIVE is often the strongest plaintiff position. The website deployed a consent mechanism—acknowledging the need for consent—but the mechanism is technically broken. Trackers continue to fire after the user opts out. This undermines the defendant's primary defense while demonstrating knowledge that consent was required.
CONSENT_BYPASSED is nearly as strong. Trackers fire on initial page load, before the user has any opportunity to interact with the consent banner. The consent banner exists but is functionally decorative—the surveillance has already occurred by the time the user sees the opt-out option.
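The two-pass check described above can be run by a site operator against their own consent banner. The sketch below is an added example, not Deliberize's code: the signature hostnames, the sample request logs, and the status names CONSENT_HONORED and NO_CONSENT_MECHANISM are assumptions (the page names only CONSENT_INEFFECTIVE and CONSENT_BYPASSED), as is the precedence between statuses.

```javascript
// Constructed signature table: four trackers the page names, keyed by the
// vendor hostname their scripts load from, with the page's theory mapping.
const SIGNATURES = [
  { name: "Hotjar", host: "hotjar.com", theory: "Section 631" },
  { name: "Microsoft Clarity", host: "clarity.ms", theory: "Section 631" },
  { name: "Intercom", host: "intercom.io", theory: "Section 632" },
  { name: "Meta Pixel", host: "connect.facebook.net", theory: "Section 638.51" },
];

// Match on the parsed hostname (exact or true subdomain), never on a substring
// of the URL, so "hotjar.com.example.net" or "?ref=hotjar.com" do not count.
function matchTracker(url) {
  let host;
  try { host = new URL(url).hostname.toLowerCase(); } catch { return null; }
  return SIGNATURES.find((s) => host === s.host || host.endsWith("." + s.host)) || null;
}

// Distinct tracker names seen in one pass's request log, sorted.
function trackersIn(requests) {
  const names = new Set();
  for (const url of requests) {
    const hit = matchTracker(url);
    if (hit) names.add(hit.name);
  }
  return [...names].sort();
}

// pass1 = requests on initial load, before any interaction;
// pass2 = requests after opting out in the banner and loading a page again.
// CONSENT_HONORED and NO_CONSENT_MECHANISM are hypothetical names (assumption).
function classifyConsent({ bannerFound, pass1, pass2 }) {
  const preConsent = trackersIn(pass1);
  const persisting = bannerFound ? trackersIn(pass2) : [];
  let status = "CONSENT_HONORED";
  if (!bannerFound) status = "NO_CONSENT_MECHANISM";
  else if (persisting.length > 0) status = "CONSENT_INEFFECTIVE";
  else if (preConsent.length > 0) status = "CONSENT_BYPASSED";
  return { status, preConsent, persisting };
}

// Constructed capture for a hypothetical site (shop.example).
const sample = {
  bannerFound: true,
  pass1: ["https://shop.example/app.js", "https://static.hotjar.com/c/hotjar-1.js",
          "https://connect.facebook.net/en_US/fbevents.js"],
  pass2: ["https://shop.example/app.js", "https://static.hotjar.com/c/hotjar-1.js"],
};
console.log(classifyConsent(sample));
```

In practice the two request logs would come from a headless browser session per pass, each started with empty cookies and storage so that the first pass reflects a visitor who has not yet seen the banner.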
Standing After Popa v. Harriet Carter
The Popa v. Harriet Carter Gifts, Inc. line of cases reshaped the CIPA standing landscape. Courts increasingly scrutinize whether plaintiffs can demonstrate a concrete injury from website tracking, particularly for routine analytics tools.
Deliberize's viability scoring accounts for standing risk by theory:
- Session replay (Section 631) faces the most post-Popa scrutiny. Courts have questioned whether recording mouse movements and scroll behavior constitutes a sufficiently concrete injury. Standing is strongest when the replay captures form inputs, search queries, or other substantive content.
- Chat widget / AI chatbot (Section 632) standing is generally strong because the confidential communication element is clear—users share personal information in a conversational context where privacy is expected.
- Pen register (Section 638.51) standing depends on the nature of the addressing information collected and whether the plaintiff can show the tracker transmitted their data to a third party without consent.
Key factor: Consent status is the strongest predictor of standing. A site with CONSENT_INEFFECTIVE status—where the user actively opted out but tracking persisted—presents the clearest concrete injury: the defendant knew consent was required, the plaintiff withheld it, and the tracking continued anyway.
Statutory Damages
CIPA's damages framework makes class actions economically viable even for relatively modest per-plaintiff injuries:
- Section 637.2(a): Any person injured by a violation of sections 631, 632, or 638.51 may bring a civil action for $2,500 per violation or three times actual damages, whichever is greater.
- Section 637.2(c): Punitive damages are available for willful violations, in addition to statutory damages.
- Attorney's fees: Prevailing plaintiffs may recover reasonable attorney's fees and litigation costs.
The "per violation" calculation is the key class action multiplier. If a website deploys three distinct trackers (one session replay, one tracking pixel, one chat widget), each page visit by each class member may constitute three separate violations. For a site with 100,000 monthly California visitors, the theoretical exposure is substantial.
Federal Wiretap Act Overlay
CIPA claims are California-specific, but the Federal Wiretap Act (18 U.S.C. Section 2511) provides a parallel nationwide cause of action for many of the same tracking behaviors. The federal statute offers:
- $10,000 minimum statutory damages per violation (higher than CIPA's $2,500)
- Applicability in all 50 states—not limited to California residents or California-based websites
- The crime-tort exception, which can overcome one-party consent defenses: if the interception was itself unlawful, one-party consent does not apply
Deliberize's scanner evaluates Federal Wiretap Act exposure alongside CIPA, allowing attorneys to stack claims and expand the putative class beyond California.
Next Steps for Plaintiff Attorneys
If you litigate CIPA, Federal Wiretap Act, or state privacy claims, Deliberize Discover provides the technical evidence foundation your practice needs:
- Browse the database — 560+ websites scanned and scored for CIPA viability, with tracker detections, consent analysis, and standing assessment for each site.
- Review a sample report — See the full analysis including viability scoring, case law citations, complaint outlines, and damages estimates.
- Check a specific website — Use the Privacy Claim Checker to see if a particular website appears in our scan database.
Further Reading
- The 55-Signature Tracker Detection Guide — every tracker we detect, mapped to its CIPA theory and severity.
- Why Consent Banners Fail as a Legal Defense — technical analysis of consent bypass and ineffectiveness.
- CIPA Statutory Damages Calculator — estimate class action recovery by tracker count and traffic.
- Federal Wiretap Act: Nationwide Claims — how to expand beyond California with 18 U.S.C. §2511.
Deliberize LLC is a technology company, not a law firm, and does not provide legal advice. All reports and analysis are investigative tools that require independent review by a licensed attorney.