Insights

The California Invasion of Privacy Act (CIPA): Why Your Website May Already Be a Legal Target

July 10, 2026

What CIPA Actually Is

The California Invasion of Privacy Act (CIPA) is not new. It was enacted in 1967 as a wiretapping law, aimed at recording devices, phone taps, and eavesdropping. Key provisions have been repurposed for the internet era. 

Plaintiffs’ lawyers have spent the last three years arguing that website tracking and data technology falls within CIPA. They’ve claimed chat bot wiretaps a visitor’s conversation, that an analytics or advertising pixel is a surveillance device, and that session-replay software that records mouse movement, scrolling, and keystrokes intercepts a communication in real time. Because CIPA allows a private right of action with statutory damages of $5,000 per violation, and because a violation can be interpreted per visitor session, the exposure for an ordinary website can add up fast.

The 2026 Demand Letter Wave

In recent weeks, we’ve seen a surge of pre-litigation demand letters sent to businesses and law firms of every size, often before any lawsuit is filed. According to reporting on the trend, a small handful of plaintiffs’ firms are responsible for the large majority of these claims; one industry analysis found that just four law firms represented claimants in 72% of all web privacy claims tracked (as reported by Law360).

Not every letter turns into a filed lawsuit, but enough have that businesses across the country are now treating a CIPA letter as a real legal event rather than a nuisance or guidance to avoid.

The Legal Ground Is Shifting But Not Settled

Courts have not agreed on whether CIPA even applies to website software, and 2026 has brought developments on both sides.

There is no statutory safe harbor yet, the case law is split, and the volume of demand letters has not slowed down while everyone waits for clarity.

Tracking & Privacy Foundation

Several terms are important to understand as they relate directly to CIPA claims. Most claims focus on a technical distinction that cookie banners get wrong. Cookie tracking compliance involves allowing essential cookies to load without consent, but everything else — analytics, ad pixels, chat, session replay — must wait for an affirmative opt-in or the site is exposed. 

A cookie is a small text file that a website stores in a visitor's browser to remember information between page loads or visits, things like login status, items in a shopping cart, language preference, or a unique identifier used to track browsing behavior. Cookies are set either by the site itself (first-party) or by third-party services embedded on the page, such as analytics or advertising tools, and it's this second category that has become the focus of CIPA and CCPA compliance concerns.

Global Privacy Control (GPC) adds a second layer of risk, since regulators treat it as a binding opt-out the moment the signal is detected, whether or not the visitor ever touches the cookie banner. Getting the essential/non-essential line right and honoring GPC automatically are the two changes that close the exact gap plaintiffs' letters are built to exploit.
  • Essential cookies (also called “strictly necessary” cookies): Cookies required for the website to work properly.  This includes: 
    • keeping someone logged into an account
    • remembering the contents of a shopping cart
    • enabling checkout
    • load-balancing traffic, or 
    • maintaining basic security. 
      Because they are necessary to run the site, both CCPA and GDPR exempt them from consent requirements; a business may load them automatically without waiting for a banner interaction. A cookie only qualifies as essential if the site cannot deliver the requested service without it. Cookies that are merely “helpful” or “improve the experience”, remembering a language preference, for instance, do not automatically qualify as essential just because a business finds them convenient. 
       
  • Non-essential cookies: Everything else. This category covers analytics and performance cookies (Google Analytics and similar tools that measure traffic and behavior), advertising and tracking cookies (the Meta Pixel, Google Ads tags, TikTok Pixel, and retargeting scripts), and most functionality cookies that personalize a visitor’s experience but are not required to complete their request. 
    This is also the category that matters most for CIPA risk. Current demand letters are built almost entirely around evidence that these tools load cookies before a visitor consents. Other examples of non-essential cookies include chat widgets, session-replay recorders, and ad pixels.   
     
  • Honor Global Privacy Control (GPC): GPC is a browser-level signal built into privacy-focused browsers like Firefox, Brave, and DuckDuckGo, or added via extension, that automatically tells every site a visitor loads, “do not sell or share my personal information.” It is sent with every page request, so the visitor never has to find and click an opt-out link on individual sites.
     
    The California Consumer Privacy Act (CCPA) is the state law giving California residents rights over their personal information, including the right to know what's collected, delete it, and opt out of its sale. The CPRA (California Privacy Rights Act) amended and expanded the CCPA, adding a "share" opt-out (covering data used for cross-context advertising, not just outright sales), a sensitive-data category, and a dedicated enforcement agency, the CPPA. 

    Under the CCPA, a business must treat a detected GPC signal as a legally valid, binding opt-out request, the same as if the visitor had manually opted out through a form. Practically, this means your consent management platform needs to detect the GPC header automatically, apply the opt-out across all non-essential tracking before any script fires, and skip presenting an opt-in choice for something the visitor has already declined. Ignoring GPC, or requiring visitors to separately click through a banner despite the signal being present, is treated by regulators as noncompliant.  

How to Fix Your Cookie Banner and Reduce Exposure

Most cookie banners satisfy CIPA’s and CCPA’s opt-out model but do not address the wiretapping theory behind CIPA claims. This is because they let tracking scripts fire before the visitor makes any choice. Closing that gap requires changes to how the cookie banner and the underlying scripts are configured.  

Recommended step include:

  • Configure your consent management platform (CMP) or cookie banner so that non-essential scripts, analytics tags, ad pixels (Meta, Google, TikTok), chat widgets, and session-replay tools, are technically prevented from loading until the visitor makes an affirmative choice. A banner that discloses tracking while the tags fire in the background underneath it is exactly the fact pattern plaintiffs’ letters target.
  • Default every non-essential category to off. Cookie banners should offer clear “Accept All,” “Reject All,” and “Customize” options with equal visual weight, and every non-essential toggle in the customize view should start in the off position.
  • Never treat inaction as consent. As of 2026, closing the banner, scrolling past it, or continuing to browse cannot be treated as acceptance. Consent must come from an affirmative click, and your CMP’s logs should be able to prove that click happened before the relevant script loaded.
  • Audit chat and session-replay tools specifically. These are the two technologies most frequently named in current demand letters. Confirm whether your live-chat vendor, chatbot, or session-recording tool transmits conversation content or on-page behavior to a third party, and gate that transmission behind the same consent signal as your other trackers, not a separate or looser one.
  • Honor Global Privacy Control (GPC) automatically. If a browser sends a GPC signal, your site should treat it as a valid opt-out request without requiring the visitor to separately interact with the banner.
  • Keep records. Store timestamped consent logs (what was shown, what was clicked, and when) for every visitor session. If a demand letter arrives, being able to show that a specific visitor’s tracking was gated behind actual consent is the strongest practical defense.  

What This Means for Your Business

CIPA litigation in 2026 sits in an unusual spot: the legal theory is aggressive and, in the view of at least one trial court, may not even apply to websites at all, yet the volume of demand letters keeps growing and the legislature has not yet closed the door. 

To ensure your website is compliant, we recommend updating your website’s cookie banner to gain consent before any tracking tag is fired or used.