Understanding California’s Wiretapping Claims Against Website Tracking

In 2022, the Ninth Circuit ruled in Javier v. Assurance IQ that session replay software used by a website to record user activity before users were provided with a privacy policy violated consent rules under the California Invasion of Privacy Act (CIPA).

Under this decision, session replay is considered a form of wiretapping, and tracking before consent is given was deemed unlawful interception.

More lawsuits followed, including D’Antonio v. CNN, where a plaintiff alleged CNN was using third-party trackers and sharing the data with advertising technology partners to build advertising portfolios.

Many websites have since received wiretapping claims against their website tracking for violating the CIPA. While it’s understandable why this may feel worrying, here are some clear facts and recent legal developments to help reduce confusion.

Table of Contents

  1. What Claims Are Being Filed Against Websites for Tracking Under CIPA?

  2. Which Tracking Technologies Draw the Most Claims?

  3. Key Court Decisions from 2025

  4. How is the CIPA different from California Privacy Laws?

  5. Do I Need to Obtain User Consent to Track Users Under the CIPA?

  6. Can I collect data first, then show a cookie consent banner?

  7. When Using Tracking Tools Likely Doesn’t Qualify as “Wiretapping”

  8. The Importance of Using a Consent Management Platform (CMP)

  9. What to Do If You Receive a Demand Letter

What Claims Are Being Filed Against Websites for Tracking Under CIPA?

Websites with California visitors who deploy tracking technologies on browsers before the user has a chance to receive a privacy policy or cookie notification or interact with a consent banner are at risk of receiving claims for violating the CIPA.

This 1960s wiretapping law has been invoked on the theory that tracking people’s online behavior without their knowledge or consent might be considered a form of “secret interception,” which the CIPA prohibits.

Which Tracking Technologies Draw the Most Claims?

Plaintiffs are looking for specific technologies that send visitor data or typed input to a third party before consent.

| Tracking technology | Why it’s targeted |
| --- | --- |
| Meta pixel/the Facebook pixel | The single most frequently named tool. It sends page views, events, and identifiers to Meta. |
| Google Ads conversion and remarketing tags | Send conversion and audience data to Google for advertising. |
| Google Analytics | Very common, and named often because it captures page paths, events, and identifiers. |
| TikTok Pixel | Sends events and identifiers to TikTok for advertising and measurement. |
| LinkedIn Insight Tag | Sends professional audience and conversion data to LinkedIn. |
| Session replay and session recording tools | Reconstruct a visitor’s full session, and can capture form inputs and on-screen content. |
| Heatmap and behavior analytics tools | Record clicks, scrolling, movement, and sometimes keystrokes. |
| Third-party live chat and chatbots | Risk rises when conversation content or identifiers route through an outside provider. |
| Search bars and on-site forms | Transmit what a visitor types to a third party. A recent wave of letters focuses on a name or query typed into a search field being sent to an analytics or advertising service before consent. |

This list shifts as new tools appear and as the case law moves, so treat it as a starting point.

The controlling question is always the same: does a third party receive data before the visitor has made a choice?

Key Court Decisions from 2025

In 2025, there were several key court decisions that impacted consent for website tracking under the CIPA, including the following:

  • Lakes v. Ubisoft (N.D. Cal. 2025): Emphasized that consent via banners/terms of use defeats Wiretap Act, California Invasion of Privacy Act (CIPA), and Video Privacy Protection Act (VPPA) claims.
  • Saedi v. Clearblue (C.D. Cal. 2025): Involves Wiretap Act claims barred by ‘party exemption’; Health Insurance Portability and Accountability Act (HIPAA) is inapplicable to non-covered entities. Dismissed with leave to amend, though the court expressed “serious doubt” deficiencies could be cured.
  • Torres v. Prudential (2025): Requires proof data was read ‘in transit’ for vendor liability. This case involved session replay software (ActiveProspect), not tracking pixels. The court held that session replay data does not become readable until after storage and reassembly, so the “in transit” requirement was not met.

The table below also lists several recent California Superior Court decisions from 2024-2025 regarding CIPA claims and website tracking.

| Court Case | Decision |
| --- | --- |
| Sanchez v. Cars.com | Dismissed pen register claims, holding that CIPA doesn’t apply to pen registers. |
| Casillas v. Transitions Optical | Found that IP address collection is normal website functionality, not illegal surveillance. |
| Rodriguez v. Plivo | Held that routine data collection doesn’t constitute wiretapping. |
| Popa v. Microsoft | The court found that data transmitted by tracking pixels (typically URLs, IP addresses, or device identifiers) does not constitute sufficiently private information to establish injury. Note: this case was brought under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA), not CIPA, and was decided on constitutional standing grounds rather than the merits of a wiretapping claim. The standing framework has since been applied to CIPA cases (e.g., Khamooshi v. Politico LLC, N.D. Cal. 2025). |
| Gutierrez v. Converse (9th Cir., July 2025) | The court affirmed summary judgment against a Section 631(a) claim, with a concurring opinion questioning whether the wiretapping provision even applies to internet communications. |

Judges are increasingly recognizing that applying a 1960s wiretapping law to modern website functionality would make basic internet operations illegal.

As one court noted, treating routine IP address collection as wiretapping would “risk criminalizing routine website functionality and undermining ordinary internet operations.” (IP and Media Law)

Several recent decisions have dismissed claims on standing or merit grounds where the plaintiff could not demonstrate a genuine privacy harm.

However, outcomes remain mixed, and theories like the pen register or trap-and-trace under Sections 638.50 to 638.51 are still being actively litigated with courts divided.

For example, in Mikulsky v. Bloomingdale’s (9th Cir. 2025), the court revived a CIPA claim, holding that the plaintiff had sufficiently alleged that the “contents” of her communications were captured in real time by a third-party session replay vendor.

This demonstrates that CIPA claims remain viable under certain fact patterns.

How is the CIPA different from California Privacy Laws?

The CIPA is a California wiretapping law, which is different from the state’s privacy laws:

  • Privacy laws: These use an opt-out model and focus on transparency and user control regarding the collection and processing of their personal information.
  • Wiretapping laws: These require all-party consent and focus on secret interception of communications.

Each law type features different standards, remedies, and kinds of enforcement.

Do I Need to Obtain User Consent to Track Users Under the CIPA?

You should obtain clear user consent before any tracking begins.

The CIPA expressly prohibits reading or learning the contents of someone’s communications without the consent of all parties involved.

When turned on, script auto-blocking features like Termly’s can help websites align with such technical requirements.

Always audit your site on a regular basis to confirm that your tags are categorized correctly, and that third-party tools are actually responding to and respecting the consent signals.

To confirm your tags truly respect consent, test the live site in a clean browser session as a California visitor.

  • Open the network tab before the page loads, and confirm that only essential trackers fire before any user choice.
  • Then click reject and confirm the non-essential trackers stay blocked. In a fresh session, click accept and confirm they fire only then.
  • Check that nothing is hard-coded in the page head, because a pixel hard-coded there can fire before the consent platform or tag manager is able to block it.
  • If your platform lets a specific non-essential technology bypass the blocker, remember that anything listed fires before consent and reintroduces the exact exposure the blocker removes.
  • Keep the high-target tools listed above blocked until consent, and reserve any allowlist, if used at all, for lower-risk first-party tools.
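The audit steps above can be checked mechanically against a HAR file exported from the browser's network tab. This added example (not Termly's code or part of the original article) lists every third-party request that started before the consent choice and notes whether text the tester typed appears in it; the host names, option names and sample HAR are constructed.

```javascript
// Added example: audit a HAR export for third-party requests sent before a consent choice.
// All host names, option names and the sample HAR below are constructed for illustration.

// True when `host` is the audited site itself or one of its subdomains.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Summarise what one request carried, and which tester-typed values appear in it.
function describePayload(entry, typedValues) {
  const url = new URL(entry.request.url);
  const body = (entry.request.postData && entry.request.postData.text) || "";
  // searchParams values are already percent-decoded; "+" can still stand for a space.
  const haystack = ([...url.searchParams.values()].join(" ") + " " + body)
    .replace(/\+/g, " ").toLowerCase();
  return {
    path: url.pathname,
    params: [...url.searchParams.keys()],
    bodyLength: body.length,
    typedInputSeen: typedValues.filter((v) => haystack.includes(v.toLowerCase())),
  };
}

// Return every third-party request that started before the consent choice.
// choiceTime null means no choice was made in the session, so all requests are pre-choice.
function auditHar(har, { siteDomain, essentialHosts = [], choiceTime = null, typedValues = [] }) {
  const cutoff = choiceTime === null ? Infinity : Date.parse(choiceTime);
  const findings = [];
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (isFirstParty(host, siteDomain) || essentialHosts.includes(host)) continue;
    if (Date.parse(entry.startedDateTime) >= cutoff) continue;
    findings.push({ host, startedDateTime: entry.startedDateTime,
                    ...describePayload(entry, typedValues) });
  }
  return findings;
}

// Constructed sample: a page load, the consent script, a pixel, then a replay beacon.
const sampleHar = { log: { entries: [
  { startedDateTime: "2025-01-01T10:00:00.100Z",
    request: { method: "GET", url: "https://www.shop.example/search?q=jane+doe" } },
  { startedDateTime: "2025-01-01T10:00:00.200Z",
    request: { method: "GET", url: "https://cmp.vendor.example/banner.js" } },
  { startedDateTime: "2025-01-01T10:00:00.450Z",
    request: { method: "GET",
      url: "https://pixel.adtech.example/tr?ev=PageView&dl=%2Fsearch%3Fq%3Djane%2Bdoe" } },
  { startedDateTime: "2025-01-01T10:00:05.000Z",
    request: { method: "POST", url: "https://replay.vendor.example/collect",
      postData: { text: "{\"input\":\"jane doe\"}" } } },
] } };

const opts = { siteDomain: "shop.example", essentialHosts: ["cmp.vendor.example"],
               typedValues: ["jane doe"] };
// Session A: the tester clicked "accept" at 10:00:03, so only earlier requests count.
const acceptedSession = auditHar(sampleHar, { ...opts, choiceTime: "2025-01-01T10:00:03.000Z" });
// Session B: no choice was made, so every third-party request is a finding.
const noChoiceSession = auditHar(sampleHar, opts);
console.log(JSON.stringify({ acceptedSession, noChoiceSession }, null, 2));
```

Export one HAR per test session (no choice, reject, accept) and pass the time of the click as `choiceTime`; an empty result for the reject and no-choice sessions is the outcome the checklist is looking for.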

Can I collect data first, then show a cookie consent banner?

It’s a compliance risk to collect data first and then show a cookie consent banner. Tracking scripts shouldn’t load until after the user agrees to them. Features that enable you to block them by default can assist websites with meeting this guideline.

When Using Tracking Tools Likely Doesn’t Qualify as “Wiretapping”

Below are a few situations in which using tracking tools likely wouldn’t qualify as ‘wiretapping’.

No “Secret Interception” with Transparency and Consent Mechanisms

Tracking tools are unlikely to qualify as ‘wiretapping’ as recently defined in cases like Javier v. Assurance IQ when transparency is honored and a proper consent mechanism is in place on the website.

In other words, there’s no ‘secret interception’ taking place.

For example, this might include:

  1. Installing a consent banner that loads before non-essential tracking fires, providing users with a chance to see and read the cookie notice and make an informed choice.
  2. A privacy policy that accurately discloses what tracking technologies are in use by the website, what data they collect, and which third parties receive it.
  3. A compliant “Do Not Sell or Share My Personal Information” link is available, as already required by the California Consumer Privacy Act (CCPA) for California visitors.
  4. Recognition of Global Privacy Control (GPC) signals, emphasizing good-faith respect for users’ privacy preferences.
  5. Adequately categorized tags, so consent signals genuinely control whether the tracking fires or not.
  6. A preference center the visitor can reopen at any time, together with a persistent floating button, so consent can be reviewed, changed, or withdrawn well after the first visit and not only accepted once. In Termly, this is the Preference Center opened by a Consent Preferences link, plus the Floating Preferences Center Icon, a small always-visible button you enable in your consent banner settings. 
  7. Independent verification in Google Tag Manager that your tags actually wait for consent. Use Google Tag Manager’s Preview mode, powered by Tag Assistant, to load the site as a first-time visitor with no prior consent, and confirm that advertising and analytics tags stay under Tags Not Fired until a choice is made, then move to Tags Fired only after consent is granted. Gate each non-essential tag behind a consent-based trigger or Google’s consent settings, and re-run the preview after any change, so you have a repeatable way to prove nothing fires early. 

These seven elements make it difficult to argue that any interception was secret, especially if the disclosure is very clear, and if no pixels are fired before the user makes a choice.
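Elements 1, 4 and 5 of the list above (blocking before a choice, GPC recognition, categorized tags) can be expressed as one small gate in front of every tag. This is an added example, not Termly's or Google Tag Manager's code; category names, tag ids and URLs are constructed, and keeping the advertising category denied under GPC is an assumed policy choice.

```javascript
// Added example: prior blocking of categorized tags with GPC recognition.
// Category names, tag ids and URLs are constructed for illustration.

const ESSENTIAL = "essential";

class ConsentGate {
  // loadScript: injected function that adds the script (DOM in a browser, a stub in tests).
  // gpc: the value of navigator.globalPrivacyControl as read by the caller.
  constructor({ loadScript, gpc = false }) {
    this.loadScript = loadScript;
    this.gpc = gpc === true;
    this.granted = new Set([ESSENTIAL]); // opt-in mode: nothing else is granted by default
    this.pending = [];                   // tags registered but still blocked
    this.log = [];                       // consent log: what was decided and when
  }

  // Every tag must declare a category; an uncategorized tag is rejected, not fired.
  register(tag) {
    if (!tag.category) throw new Error(`tag ${tag.id} has no category`);
    this.pending.push(tag);
    this.flush();
  }

  // Record the visitor's choice. Assumption: a GPC signal keeps "advertising" denied.
  // Withdrawal (an empty list) stops future loads; scripts already loaded stay loaded.
  setConsent(categories, now = new Date()) {
    const allowed = categories.filter((c) => !(this.gpc && c === "advertising"));
    this.granted = new Set([ESSENTIAL, ...allowed]);
    this.log.push({ at: now.toISOString(), requested: categories,
                    granted: [...this.granted], gpc: this.gpc });
    this.flush();
  }

  // Load each pending tag whose category is now granted; keep the rest blocked.
  flush() {
    const stillBlocked = [];
    for (const tag of this.pending) {
      if (this.granted.has(tag.category)) this.loadScript(tag.src);
      else stillBlocked.push(tag);
    }
    this.pending = stillBlocked;
  }
}

// Constructed visit: register three tags, optionally make a choice, report what loaded.
function simulateVisit({ gpc, choice }) {
  const loaded = [];
  const gate = new ConsentGate({ loadScript: (src) => loaded.push(src), gpc });
  gate.register({ id: "cart", category: "essential", src: "https://www.shop.example/cart.js" });
  gate.register({ id: "stats", category: "analytics", src: "https://stats.vendor.example/a.js" });
  gate.register({ id: "pixel", category: "advertising", src: "https://pixel.adtech.example/p.js" });
  if (choice) gate.setConsent(choice);
  return { loaded, blocked: gate.pending.map((t) => t.id), log: gate.log };
}

console.log(simulateVisit({ gpc: true, choice: ["analytics", "advertising"] }));
```

In a browser, pass `navigator.globalPrivacyControl` as `gpc` and a function that appends a script element as `loadScript`. A pixel hard-coded in the page head never passes through `register`, which is why the gate cannot block it.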

The “Party Exception” with Vendor Nuance

Under California law, according to the outcome of Ribas v. Clark (1985), parties to a communication cannot technically ‘wiretap’ their own communications.

It might then be assumed that website owners are party to all interactions on their website and cannot wiretap themselves.

However, this triggers liability for third party vendors that access the site’s data and use it for independent purposes.

No “Communication in Transit”

Website tracking usually involves data collection by the intended recipient of the data, for example, the website itself. In many ways, this is fundamentally different from intercepting communications between other parties.

Typically, courts have distinguished between technical metadata, like IP addresses, device type, and browser information, and protected communications content.

However, the line might blur when this tracking captures URLs or form inputs revealing a person’s sensitive personal information, like their health information inputted while browsing, certain financial data, or login details.

The Importance of Using a Consent Management Platform (CMP)

California laws like the CIPA, the California Comprehensive Data Access and Fraud Act (CDAFA), and the Unfair Competition Law (UCL) have come up more frequently because of the recent wave of web-tracking lawsuits in California, particularly around pixels, session replay tools, and similar technologies.

Using a consent management platform can help reduce a website’s exposure by providing users with clear notice and a choice to opt in, recognizing GPC signals, and ensuring that non-essential tags don’t fire before consent.

They also help ensure these non-essential tags and cookies are blocked when someone opts out, depending on how you’ve set things up.

That said, a CMP on its own won’t make a website compliant.

What matters is:

  1. Whether consent signals actually control tracking technologies,
  2. What data they collect and share, and
  3. Whether privacy disclosures (such as privacy policies and cookie notices) match what’s happening in practice.

Termly’s consent banner helps users block scripts and cookies until consent is given and automatically recognizes California visitors to present the appropriate options.

We also help you generate and keep your privacy policy up to date with the required California disclosures.

Termly users can configure the CMP for California as “Opt In” mode, which is actually more restrictive than California law requires, and includes:

  • “Opt In: ask for consent before tracking”: This is the most privacy-protective option; however, it is overridden if the auto blocker is disabled on the website.
  • “Do not sell or share my information” option enabled: Required for CCPA compliance.
  • Respect GPC signal enabled: Shows good faith privacy compliance.
  • Decline button and Preferences button enabled: Gives users full control.

A word of caution before you switch California to opt-in.

Opt-in prior blocking is the strongest answer to the all-party-consent theory, but it is stricter than the California Consumer Privacy Act usually requires, and in practice it sharply reduces the tracking data you collect, because most visitors never click accept.

If your advertising and analytics technologies sit behind consent and few people consent, those technologies rarely fire. In plain terms, opt-in kills most of your California tracking.

The consequences are concrete:

  • Much lower volumes of analytics data,
  • Smaller or empty advertising and retargeting audiences,
  • Weaker conversion tracking and attribution,
  • Less reliable measurement of campaign performance,
  • Less return on advertising spend,
  • Reduced personalization.

The California Consumer Privacy Act itself only requires opt-out for most adult tracking, with opt-in reserved for limited cases such as selling or sharing the personal information of a consumer known to be under sixteen years of age.

So this is a business decision that trades measurable marketing performance for the strongest litigation posture.

Decide where on that spectrum you want to sit, and document the choice.

What to Do If You Receive a Demand Letter

If a demand letter arrives, do not ignore it and do not pay it on reflex.

Ignoring it can turn a letter into a filed lawsuit, and paying without checking the claim funds a model that will send the next letter. Work these steps in order.

1. Preserve evidence and control the conversation

Calendar the deadline and route the letter to one internal owner, not to staff who might reply informally or admit facts.

Immediately preserve the letter and its headers, current website screenshots, your consent platform settings, a tag manager export, the list of installed plugins and apps, cookie and tracker scan results, network tests, consent logs, and the privacy and cookie policy versions in effect on the date the letter references.

Do not quietly strip trackers before preserving evidence, because fixing the site is good, but looking like evidence was destroyed is not.

2. Check insurance first

Review any cyber, media liability, technology errors and omissions, or general liability policy for wrongful data collection, privacy, media, or internet activity coverage, and notify the insurer promptly if the policy requires it.

Many policies now exclude tracking, wiretapping, or wrongful collection claims, so read the wording, but if you are covered the insurer may fund the response.

3. Run a self-audit before paying anyone

Many letters are templated, and the claim may be weaker than it looks. Answer these questions with evidence:

  • Did the named tracker actually exist on the site?
  • Did it fire before the visitor made a consent choice, only after opt-in, or was it blocked for California visitors?
  • What did it transmit: page paths, identifiers, form inputs, search terms, chat content, replay data, or advertising event data?
  • What do your consent logs show for the date referenced?
  • Does what your banner and privacy policy promise match what the trackers actually did?

If the named tracker was absent, fired only after opt-in, or was blocked for California, that is useful leverage to hand to counsel.

Save every result as a dated screenshot or export.

4. Get a right-sized legal read

Do not jump to a full litigation retainer unless the matter has escalated to a filed complaint, an arbitration demand, or a hard court deadline.

Lower-cost routes to counsel exist. Take the following, for example.

Free and small-fee options:

  • State Bar of California certified Lawyer Referral Services connect you to a screened, insured attorney for a reduced-fee or no-fee initial consultation. Search by county and practice area at calbar.ca.gov.
  • The Los Angeles County Bar Association service, SmartLaw, charges no referral fee and includes a free consultation of up to twenty minutes, at smartlaw.org or 1-866-762-7852.
  • The Bar Association of San Francisco, SF-Marin service, charges thirty-five dollars for a referral that includes the first thirty-minute consultation, at sfbar.org.
  • The Santa Clara County Bar Association charges a forty-five dollar administrative fee and includes a free first thirty-minute consultation, at sccba.com.

Several privacy litigation firms offer a free initial consultation for responding to one of these letters, and will communicate directly with the claimant.

Fixed-fee and limited-scope options:

  • Ask an attorney for limited-scope, or unbundled, work at a flat fee: a single defined deliverable such as reviewing the letter and your consent logs and drafting one response, rather than an open retainer. If it escalates to a filed suit, it usually converts to hourly.
  • Vetted legal marketplaces let you post the matter and receive flat-fee bids, for example UpCounsel and Priori Legal, both with data privacy benches, and ContractsCounsel for scoped document work.

Skip the cheap flat-fee demand-letter tools that appear first in a search, because those prepare letters to send to someone, not to defend a business that received one.

And to check a lawyer’s depth, note that the International Association of Privacy Professionals is not a referral directory.

Use it as a credential filter and look for the American Bar Association accredited Privacy Law Specialist designation, or at a minimum the Certified Information Privacy Professional for the United States and Certified Information Privacy Manager credentials.

5. Fix the root cause in parallel

Even if you settle, the same site can attract the next claimant, so remediate now:

  • Block non-essential trackers before consent,
  • Remove hard-coded pixels,
  • Turn on automatic blocking,
  • Honor Global Privacy Control,
  • Align your notices with actual behavior, and
  • Start keeping consent logs.

Termly support can help you self-audit and put these in place.

Of course, when necessary, consult or confirm with qualified legal counsel, particularly given the evolving nature of CIPA litigation.

DISCLAIMER: This content is for informational purposes only and does not constitute legal advice. It reflects legal developments as of 7/1/2026. CIPA litigation is evolving rapidly, and new decisions may alter the analysis above. For specific legal advice regarding your situation, including whether to respond to a demand letter or lawsuit, please consult with qualified legal counsel experienced in California privacy and wiretapping litigation. Termly is a consent management platform provider and does not provide legal services.

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha Komnenic is a legal counsel and Termly’s Director of Global Privacy, who received her law degree from Belgrade University. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD).
