Countdown to Data Privacy Day 2026: Understanding the California Invasion of Privacy Act (CIPA): What Businesses Need to Know
January 21, 2026
By: Jessica L. Copeland, Amber L. Lawyer, Shannon A. Knapp, Courtney Ryan
The California Invasion of Privacy Act (CIPA) was enacted in 1967 to protect individuals from unauthorized wiretapping and eavesdropping. Originally intended to target wiretapping and telephone communications, CIPA has since evolved over time to encompass modern technologies, including internet-based communications. Although modern technologies have changed since 1967, CIPA’s core purpose to safeguard confidential conversations and personal information from being intercepted and recorded without consent remains the same. Recently, there has been a sharp increase in threatened and filed lawsuits under CIPA against businesses of all sizes, and with California courts taking these claims seriously, the risk of costly litigation is all too real. For more background related to CIPA, please read our previous information memo.
What Does CIPA Prohibit?
Under CIPA, it is generally unlawful to: (1) intercept or record confidential communications without the consent of all parties to the communication; use electronic tracking devices without authorization; and (2) monitor or record conversations in private settings without consent. Importantly, CIPA applies to communications involving California residents even if the other party is located outside of California. This means that businesses across the country may be subject to CIPA’s provisions and restrictions if they interact with California consumers, particularly via internet-based communications.
Who Does CIPA Apply To?
CIPA applies broadly to both individuals and businesses. Today, many lawsuits and threatened litigation target companies using routine online data processing technologies, such as cookies, pixels, session replay software and chatbots. Many plaintiffs argue that these tools capture user interactions and transmit such information to third parties without proper consent, amounting to unlawful “wiretapping” or “eavesdropping” in violation of CIPA. These threatened lawsuits are not limited to California based or national companies. Small to medium size organizations have also had lawsuits filed against them or have received letters threatening to sue for CIPA violations.
How Can Businesses Protect Themselves?
Businesses can mitigate their exposure to CIPA claims by endeavoring to do the following: (1) review your website’s use of tracking, analytics and chatbot technologies to have a full understanding of the technologies being utilized; (2) ensure proper notice and consent mechanisms are in place, including ensuring privacy policies are regularly reviewed and updated and implementing cookie banners and/or cookie managers; (3) review vendor contracts to ensure that, to the extent applicable, all agreements require compliance with CIPA and limit potential liability; and (4) consider including a venue clause, arbitration clause and/or class action waiver in your company’s website terms of use to mitigate the risk of costly litigation.
Proposed Bill to Amend CIPA
The California Legislature considered a bill that would create a “commercial business purpose” exemption, shielding routine online data processing activities from being treated as unlawful wiretapping or use of a pen register or trap-and‑trace device. Although the bill passed the California Senate unanimously, it has since stalled in the Assembly and will not be reconsidered until later this year. Unfortunately, this leaves risk of CIPA litigation in place for at least another year.
Ensuring your website includes proper CIPA risk mitigation strategies is essential. If your business uses online tracking tools and your website is accessible to California-based consumers, you could be at risk. Please contact Jessica Copeland, CIPP/US, Amber Lawyer, CIPP/E, CIPP/US, CIPM, Shannon Knapp, CIPP/US and CIPP/A or Courtney Ryan to review your practices, implement risk mitigation, and protect your business from a costly threatened CIPA litigation.
