The Statutory Framework
The California Invasion of Privacy Act creates a private right of action that makes website tracking litigation economically viable at class scale. The damages framework is codified in Cal. Penal Code section 637.2, which provides three independent avenues for recovery.
Section 637.2(a) is the core damages provision. Any person who has been injured by a violation of CIPA sections 631 (wiretapping), 632 (eavesdropping), or 638.51 (pen register) may bring a civil action to recover the greater of $2,500 per violation or three times the amount of actual damages sustained. This is not an either/or election made at the outset—the statute guarantees the plaintiff will receive whichever amount is larger, ensuring a meaningful floor even when actual damages are difficult to quantify.
The statutory minimum of $2,500 per violation is what makes CIPA class actions viable. Individual actual damages from a single tracking pixel firing on a single page visit may be nominal or difficult to prove. But when that violation is multiplied across thousands of class members and multiple trackers, the aggregate statutory exposure becomes substantial.
Section 637.2(c) authorizes punitive damages for willful violations, in addition to statutory damages. A defendant that knowingly deploys tracking technologies without consent—or that implements a consent banner it knows to be technically ineffective—faces punitive damages on top of the per-violation minimum. Punitive damages are not capped by the statute and are determined by the trier of fact based on the reprehensibility of the defendant's conduct, the ratio to compensatory damages, and comparable civil penalties.
Attorney's fees are available to prevailing plaintiffs under section 637.2. This fee-shifting provision is critical because it aligns economic incentives: plaintiff firms can take CIPA cases on contingency knowing that reasonable fees and litigation costs are recoverable separately from damages. This is one reason CIPA has attracted significant plaintiff-side interest over the past several years.
Key distinction: CIPA's $2,500 minimum is a floor, not a ceiling. Where actual damages exceed $2,500 per violation—or where treble damages (3x actual) exceed the statutory minimum—the plaintiff recovers the larger amount. In practice, most class actions rely on the statutory minimum because individual actual damages are difficult to quantify at scale.
Per-Violation vs. Per-Plaintiff Calculations
The single most important question in CIPA damages analysis is how courts define a "violation." The statute says $2,500 per violation, but what constitutes one violation? This is where theoretical exposure can become enormous—and where defendants argue for more conservative calculations.
The Multiplication Effect
Consider a typical scenario: an e-commerce website deploys the Meta Pixel (section 638.51), Hotjar session replay (section 631), and an Intercom chat widget (section 632). The site receives 100,000 unique visitors per month from California. Under the most aggressive per-violation interpretation:
- Each distinct tracker constitutes a separate violation per visit: 3 trackers
- Each page visit triggers each tracker independently: assume 3 page views per session = 9 violations per visitor
- Each class member multiplied: 100,000 monthly CA visitors × 9 = 900,000 violations per month
- At $2,500 each: $2.25 billion in monthly theoretical exposure
These numbers are theoretical maximums. No court has awarded damages at this scale, and multiple judicial doctrines work to constrain the final calculation. But the theoretical exposure is what drives settlement dynamics—defendants facing even a fraction of this number have strong incentive to resolve claims early.
Judicial Approaches
Courts have taken varying approaches to the "per violation" question:
- Per-tracker-per-visit: Each distinct tracker that fires on each page load is a separate violation. This produces the largest numbers and is the plaintiff-side position in most cases.
- Per-session: All tracker firings during a single browsing session constitute one violation per tracker. This reduces the multiplier but still produces significant exposure for high-traffic sites.
- Per-plaintiff: Each class member's entire course of dealing with the website is one violation per tracker. This is the most defendant-friendly interpretation and produces the smallest numbers.
- Per-tracker: All visits by all plaintiffs to a site using one tracker constitute a single violation for that tracker. This is the most aggressive defense position and rarely adopted.
The calculation method adopted by a court or agreed to in a settlement typically falls somewhere between per-tracker-per-visit and per-session. Settlement agreements often use a blended approach that accounts for the uncertainty.
Practical impact: The ambiguity in "per violation" is itself a litigation tool. Plaintiffs file with the per-tracker-per-visit theory to establish maximum exposure, then negotiate settlements based on a more conservative calculation. The gap between the two numbers is the settlement range.
Damages by Theory
Different CIPA sections and federal overlay statutes carry different damages ranges. The applicable rate depends on which statutory theory the tracker's behavior maps to.
| Statute | Theory | Applies To | Damages per Violation | Additional |
|---|---|---|---|---|
| Cal. Penal Code §631 | Wiretapping | Session replay tools (Hotjar, FullStory, Clarity, etc.) | $2,500–$5,000 | + punitive for willful |
| Cal. Penal Code §632 | Eavesdropping | Chat widgets, AI chatbots (Intercom, Drift, OpenAI widget) | $2,500–$5,000 | + punitive for willful |
| Cal. Penal Code §638.51 | Pen register | Tracking pixels, analytics (Meta Pixel, GA4, TikTok) | $2,500 minimum | + punitive for willful |
| 18 U.S.C. §2511 | Federal Wiretap | Same conduct, nationwide class | $10,000 minimum | + punitive + equitable |
The $5,000 upper range for sections 631 and 632 applies when courts calculate damages as "three times actual damages" under section 637.2(a) and actual damages exceed approximately $833 per violation, or when the court considers the severity of the intrusion in setting the per-violation amount. Some courts have interpreted the statute to allow up to $5,000 per violation for particularly egregious conduct even without a treble-damages finding.
The Federal Wiretap Act (18 U.S.C. §2520) provides a separate and independent cause of action with a $10,000 minimum per violation. Because the federal statute applies nationwide, it can dramatically expand the putative class beyond California residents. Plaintiff attorneys often stack federal claims alongside CIPA to increase both the class size and the per-violation floor. The crime-tort exception under 18 U.S.C. §2511(2)(d) can overcome one-party consent defenses, making the federal claim viable even in states that otherwise follow one-party consent rules.
Additionally, treble damages under section 637.2(a) apply when actual damages exceed the statutory minimum. In cases involving financial, health, or educational data, actual damages from identity theft, discrimination, or reputational harm can be substantial, pushing the treble-damages amount well above $2,500.
Factors That Increase Recovery
Not all CIPA cases are created equal. Several factors can significantly increase the expected recovery in a privacy class action, both by strengthening the underlying claims and by amplifying the damages multiplier.
- Sector overlays amplify damages narratives. When a website operates in a regulated sector, additional statutory theories can be stacked alongside CIPA:
  - GLBA (Gramm-Leach-Bliley Act) for financial services—sharing customer financial data with tracking vendors violates federal privacy obligations
  - FERPA (Family Educational Rights and Privacy Act) for education—student browsing data transmitted to analytics vendors triggers separate liability
  - COPPA (Children's Online Privacy Protection Act) for child-directed sites—collecting data from children under 13 without verifiable parental consent adds federal exposure
  - HIPAA (Health Insurance Portability and Accountability Act) for healthcare—tracking pixels on patient portals that transmit health-related browsing data create devastating fact patterns
- Consent status is the strongest predictor of case value. The consent spectrum directly impacts both liability and damages:
  - CONSENT_INEFFECTIVE (strongest)—the defendant deployed a consent mechanism, acknowledging the need for consent, but the mechanism is technically broken. Trackers persist after opt-out. This demonstrates both knowledge and willfulness.
  - CONSENT_BYPASSED (strong)—trackers fire on page load before the user interacts with the consent banner. The banner is functionally decorative.
  - NO_CONSENT (strong)—no consent mechanism exists at all, meaning no defense of implied consent through interaction with a consent banner.
- Evidence quality determines case viability. Litigation-ready forensic evidence—HAR files, DOM snapshots, network request logs, screenshots with timestamps—eliminates the "we removed the tracker" defense and preserves the factual record for class certification proceedings.
- Multiple statutory theories stack damages. A site with session replay (section 631), a chat widget (section 632), and tracking pixels (section 638.51) faces separate damages calculations under each theory. Add the Federal Wiretap Act overlay and the exposure compounds further.
- High traffic amplifies class size. Sites with significant California visitor volume create larger putative classes. Deliberize's case database scores sites partly on traffic estimates to help attorneys identify high-impact targets.
- Willful conduct triggers punitive damages. Evidence that the defendant was on notice of violations—through prior lawsuits, demand letters, privacy audit findings, or documented complaints—and continued deploying trackers supports a punitive damages award under section 637.2(c).
Factors That Reduce Recovery
Defendants and their counsel have developed several lines of defense that can reduce or defeat CIPA damages claims. Plaintiff attorneys should anticipate and prepare for these arguments.
- Standing challenges post-Popa. After Popa v. Harriet Carter Gifts, Inc., courts increasingly scrutinize whether website tracking causes a concrete injury sufficient for Article III standing. Session replay claims (section 631) face the most skepticism, particularly when the replay captured only mouse movements and scroll behavior rather than substantive form inputs or search queries. Section 632 claims involving chat widgets generally survive standing challenges because the confidential communication element is more concrete. For a detailed analysis of standing after Popa, see the litigation guide.
- Class certification hurdles. Defendants argue that individualized questions—such as whether each class member actually interacted with a chat widget, whether each member's communications were confidential, or whether each member's consent banner experience was identical—predominate over common questions. Robust forensic evidence showing that trackers fire identically for all visitors helps overcome this objection.
- Preemption arguments. Some defendants argue that federal statutes like the Stored Communications Act (18 U.S.C. §2701) or Section 230 of the Communications Decency Act preempt state wiretapping claims. These arguments have had mixed success. Courts have generally held that CIPA is not preempted where it regulates conduct (real-time interception) rather than stored data.
- Arbitration clauses. Mandatory arbitration provisions in website terms of service can force class members into individual arbitration, defeating the class mechanism. However, enforceability depends on whether the arbitration clause was conspicuous and whether the user manifested assent (browsewrap vs. clickwrap).
- Consent defenses. Defendants argue that their consent mechanisms constitute valid consent under CIPA. The strength of this defense depends entirely on whether the consent mechanism actually works—Deliberize's two-pass consent verification produces objective evidence of whether trackers respect opt-out choices.
- Due process limitations on statutory damages. In extreme cases, defendants invoke due process constraints on the aggregate statutory damages award, arguing that per-violation damages multiplied across a large class produce a constitutionally excessive total. Courts have occasionally reduced statutory damages awards on this basis, though the doctrine remains contested.
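The consent statuses listed under "Factors That Increase Recovery" and the two-pass consent verification mentioned above can be checked from a site operator's side using two HAR captures. The following is an added example, not Deliberize's implementation or code from this page; the tracker host list, the site shop.example, the sample captures, and the labels CONSENT_RESPECTED and NO_TRACKERS_OBSERVED are assumptions made for illustration.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Illustrative tracker hosts only (assumption); not the page's signature set.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "static.hotjar.com": "Hotjar",
    "widget.intercom.io": "Intercom",
}

def _ts(value):  # HAR startedDateTime is ISO 8601, usually with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def tracker_hits(har, after=None):
    """Return sorted tracker names requested in a HAR, optionally only after a time."""
    cutoff = _ts(after) if after else None
    found = set()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        started = _ts(entry["startedDateTime"])
        if host in TRACKER_HOSTS and (cutoff is None or started > cutoff):
            found.add(TRACKER_HOSTS[host])
    return sorted(found)

def classify(banner_present, pass1_har, pass2_har=None, optout_time=None):
    """Pass 1: page load, no interaction. Pass 2: same page after clicking opt-out."""
    before = tracker_hits(pass1_har)
    if not banner_present:
        # NO_TRACKERS_OBSERVED is a hypothetical label, not from the page.
        return ("NO_CONSENT" if before else "NO_TRACKERS_OBSERVED", before)
    after = tracker_hits(pass2_har, optout_time) if pass2_har else []
    if after:   # trackers still requested after the opt-out click
        return ("CONSENT_INEFFECTIVE", after)
    if before:  # trackers requested before any banner interaction
        return ("CONSENT_BYPASSED", before)
    return ("CONSENT_RESPECTED", [])  # hypothetical label, not from the page

def _har(*rows):
    """Build a minimal HAR 1.2 log from (timestamp, url) pairs."""
    return {"log": {"entries": [
        {"startedDateTime": t, "request": {"method": "GET", "url": u}} for t, u in rows]}}

# Constructed sample captures for a hypothetical site, shop.example.
PASS1 = _har(("2024-05-01T12:00:00.100Z", "https://shop.example/"),
             ("2024-05-01T12:00:00.400Z", "https://connect.facebook.net/en_US/fbevents.js"))
PASS2 = _har(("2024-05-01T12:05:00.000Z", "https://shop.example/"),
             ("2024-05-01T12:05:09.000Z", "https://static.hotjar.com/c/hotjar-1.js"))
OPTOUT_CLICKED = "2024-05-01T12:05:03.000Z"
if __name__ == "__main__":
    print(classify(True, PASS1, PASS2, OPTOUT_CLICKED))
```

Running the same check on every release, and keeping the HAR files, gives the operator a timestamped record of whether the banner actually gates tracker requests.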
Related Resources
- CIPA Litigation Guide — Three theories of liability, tracker categories, consent analysis, and standing
- Tracker Detection Guide — 55 tracker signatures across seven categories
- Consent Defense Analysis — How consent status affects case viability
- Federal Wiretap Act Overlay — Nationwide claims with $10,000 minimum per violation
- Case Database — Browse 560+ scanned websites with viability scores
- Sample Report — Full litigation research memo with damages estimates
Deliberize LLC is a technology company, not a law firm, and does not provide legal advice. All reports and analysis are investigative tools that require independent review by a licensed attorney.