Businesses across the country are receiving demand letters alleging that their websites violate California’s decades-old wiretapping law, the California Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 630–638.
The CIPA was enacted in 1967 to address phone and telegraph wiretapping. California plaintiffs’ attorneys and pro se litigants are now claiming that common website technologies, such as cookies, pixels, and similar targeted advertising and analytics technologies, violate the CIPA when they capture browser activity before a user has given meaningful consent. These claims often focus on website tracking tools such as Google Analytics, LinkedIn, Meta Pixel, TikTok Pixel, and other third-party scripts.
At present, courts are split over whether the CIPA applies to modern website technologies. That uncertainty has fueled a steady flow of demand letters from plaintiffs’ firms and pro se individuals to businesses with an online presence.
Although these letters may look like spam, they should not be ignored. While the legal theory being asserted is aggressive and the question of how CIPA applies to modern web-tracking technology remains legally unsettled, CIPA is nonetheless a genuine statute, one that permits private lawsuits and exposes violators to statutory damages of $5,000 per incident. Until courts provide more clarity, the best means of protection is compliance.
All businesses with an online presence should:
Update their privacy policy. Confirm that it accurately describes the tracking technologies used, the categories of data collected, and when data may be shared with third parties.
If you have questions or concerns about data privacy or compliance, please contact Brian McCormac or another member of BrownWinick’s data privacy practice.
Thanks to summer associate Kate Muller, who assisted with the drafting of this article.