
CIPA Compliance for Websites: What Privacy Leaders Need to Know Before a Demand Letter Arrives


If you’re a Chief Privacy Officer (or any adjacent title), you’ve likely heard the term “CIPA demand letter” at industry events in the past 18 months. What started as a niche litigation strategy has become one of the fastest-growing sources of privacy-related legal risk for companies operating websites, particularly those with third-party tracking technologies, session replay tools, or chat widgets embedded in their pages.

The California Invasion of Privacy Act (CIPA) was written long before the modern web. But plaintiffs’ attorneys have found creative arguments that website analytics and behavioral tracking tools constitute illegal wiretapping under the statute, and some courts have allowed those claims to proceed.

The result: a wave of demand letters and class action suits targeting companies of every size.

This guide explains exactly what CIPA says, why website tracking has become a target, what specific technologies create the most risk, and what privacy leaders can do right now to reduce exposure before a letter lands on the general counsel’s desk.


What is CIPA, and Why Is It Being Applied to Websites?

The California Invasion of Privacy Act (California Penal Code §§630–638.55) was enacted in 1967 to prohibit the interception of telephone and telegraph communications without consent. At its core, CIPA makes it illegal to read, attempt to read, or learn the contents of a communication without the consent of all parties involved.

The three provisions most relevant to website operators are:

  • Section 631, which prohibits intentional wiretapping or eavesdropping on any telegraph or telephone wire, line, cable, or instrument, including reading or learning the contents of any message, report, or communication. Some courts have extended this to real-time data interception on websites.
  • Section 638.51, which governs the use of “pen registers,” devices or processes that capture metadata about communications. Plaintiffs have argued that certain analytics tools function as pen registers. Note: this pen register theory has received a more mixed judicial reception than §631 wiretapping claims, and courts have been more skeptical of applying it broadly to standard analytics tools.
  • Section 632, which prohibits recording confidential communications without the consent of all parties. While cited less often than §631 in website tracking cases, §632 has been invoked in matters involving chat widgets, where users may reasonably expect their typed communications to be private.

A critical distinction: unlike the federal Wiretap Act (part of the Electronic Communications Privacy Act), which requires the consent of only one party, CIPA requires the consent of all parties to a communication. That all-party consent requirement, combined with a private right of action and statutory damages, is what makes California especially plaintiff-friendly and why CIPA demand letters can target any company operating a website accessible to California residents, regardless of where the company is headquartered.

Starting around 2022, plaintiffs’ attorneys began filing suits and sending demand letters in large volumes, arguing that common website technologies intercept user communications in real time and transmit them to third parties without user consent. Their argument: when a visitor types into a chat box, clicks through a funnel, or interacts with a form, and that interaction is captured by a third-party technology and sent to an external server, the capture is an interception under CIPA. The “third-party wiretapper” framing has been especially effective: plaintiffs argue that even if the website owner has a relationship with the tracking vendor, the user consented to communicate with the website, not with the vendor.

Courts have been split on the merits, but enough early rulings have permitted cases to proceed to discovery that the demand letter business model has become financially viable for plaintiffs’ firms. Many companies settle rather than face the cost of litigation, and that pattern is accelerating.


What Tracking Technologies Create CIPA Risk?

Not all website technologies carry the same legal exposure. The following categories are most frequently cited in CIPA demand letters.

Session replay and behavioral analytics tools that record mouse movements, keystrokes, scrolls, and form interactions in real time are the most common basis for CIPA claims. Vendors in this category include widely used platforms across marketing and UX research. Plaintiffs argue these tools capture the “contents” of user communications and transmit them to third-party servers in real time.

Third-party chat and live messaging widgets embedded on websites, whether for sales, support, or lead capture, create risk when they send conversation data to external servers. The real-time, conversational nature of these interactions maps most directly to CIPA’s “communication” language.

Analytics and advertising tags from major social and search platforms such as Meta, Google, and TikTok can also be implicated, particularly when they fire on pages containing sensitive input fields or capture interaction data before a user submits a form.

Some martech tools are designed to capture form field data as it’s being typed, before submission. This is a high-risk category. Courts have been most receptive to CIPA arguments here because the “interception” happens in real time, before the user has completed any action.


The Anatomy of a CIPA Demand Letter

Understanding how these cases typically unfold helps privacy leaders triage risk and build defensible programs.

Most CIPA demand letters don’t begin with a consumer complaint. They begin with a law firm scanning websites for specific tag signatures, either manually or with automated tooling. If the scan detects a session replay tool, certain chat widgets, or specific tracking pixels on pages where users enter personal or sensitive information, the firm drafts a demand letter. The letter typically alleges that the company has violated CIPA §631, invokes the statute’s private right of action, and offers to settle in exchange for a payment, typically in the range of $5,000 to $50,000 per demand, though class actions can reach into the millions.

The $5,000 to $50,000 figure is a typical negotiated settlement demand, not the full statutory exposure. Under §637.2, statutory damages start at $5,000 per violation, and plaintiffs argue that each user’s session is a separate violation, so the theoretical exposure for a high-traffic website scales far beyond these settlement figures. That leverage makes settlement economically rational for many legal teams, regardless of whether the company believes it has violated the law.

The most common defense is consent: if users are informed about and agree to the use of tracking technologies, the interception argument loses its foundation. This is where consent management platforms (CMPs) enter the picture. But the consent defense is only as strong as its implementation. If a CMP is configured to present a consent banner but tags fire before consent is recorded, the defense fails. If the consent language doesn’t specifically name the tracking vendors in use, courts have been skeptical.


What Does a Defensible CIPA Compliance Program Look Like?

This is where privacy leaders can move from reactive to proactive. A defensible program has four layers.

  • Audit website technologies
  • Coordinate with third-party vendors
  • Review privacy policies and T&Cs
  • Review consent frameworks

You cannot govern what you cannot see. Most organizations are surprised by the number of tags firing on their websites when they conduct a full audit. Marketing teams deploy and modify tags frequently, often outside formal change management processes. Shadow IT in the form of unvetted martech tools is common. A complete tracker inventory should include every tag and script firing on every page (not just the homepage), third-party connections initiated by first-party tags, tags firing in pre-consent states, and tags loading on pages with sensitive input fields like forms, checkout, and support chat.

Having a CMP is not the same as having a working consent program. Validation means continuously testing whether tags that should be blocked before consent are actually blocked. Key failure modes include tags firing on page load before the consent banner renders, tags firing when a user dismisses or ignores the banner without consenting, tags re-firing after a user opts out, and consent configurations that haven’t been updated to reflect new tag deployments.

Not all third-party vendors create equal CIPA exposure. For each tag in your inventory, privacy teams should assess whether the vendor receives real-time communication data, whether they operate as a “third-party interceptor” under the session replay or live chat models, and what data processing agreements govern the relationship.

The consent defense requires more than configuration. It requires proof. An audit trail documenting that your consent program was functioning as designed, that tag inventory was complete and current, and that tags were blocked appropriately creates the evidentiary foundation for a consent defense. This is especially important given how quickly martech stacks change.


How ObservePoint Addresses CIPA Risk

ObservePoint is a web governance platform built specifically to give privacy and compliance teams visibility into what’s happening in their technology stack, not based on documentation or configuration files, but on what’s actually firing on their live website.

The platform addresses each layer of a defensible CIPA compliance program. ObservePoint continuously scans your website and surfaces every tag, cookie, and script firing, including those deployed by third-party tags unknown to your privacy team. Unlike manual audits, ObservePoint can be run at the customer’s chosen cadence and configured to send alerts for any new tags, broken tags, or unapproved cookies. The platform also tests your CMP implementation by simulating user journeys across consent states (pre-consent, post-consent, post-opt-out) and documenting exactly which tags fire at each stage. When a tag fires in a pre-consent state, the platform alerts the responsible team and creates a timestamped record.

Because CIPA risk isn’t a point-in-time problem but an ongoing operational risk driven by continuous tag deployment, ObservePoint’s monitoring surfaces new risks as they emerge. And every scan, every violation, every remediation is logged and exportable. Extended data retention plans can keep your data for up to 7 years. If a demand letter arrives, your legal team has documented evidence of a functioning compliance program, not just policy documents.


For Current Customers: How We Reconfigured Our Chatbot for California

This was a multi-step process for the marketing operations team to accomplish with the assistance of the product team, so if you need help, please reach out to your CSM. Outlined below are the general steps we took to reconfigure our chatbot tag so that it would only fire after explicit consent was given by California users: 

  1. Confirm how your chatbot tag is classified in your CMP (OneTrust, in our case). Our chatbot was listed under the Functional Cookies category.
  2. Check how your tag management system (TMS) is configured. We had a trigger in Google Tag Manager so that the chatbot tag would fire only after the user consented to the Functional Cookies category.
  3. Run an Audit in ObservePoint to establish a baseline: document which tags fire for California users before making any changes.
  4. Find the consent behavior setting for the Functional category in OneTrust and change it from “Always Active” to opted out by default for California users. Users in California must then actively opt in before the Functional category, and any tags tied to it, is enabled.
  5. Publish the updated consent category configuration in OneTrust so the change takes effect on your site.
  6. Sync ObservePoint with the updated consent categories from OneTrust so your audit environment reflects the new configuration.
  7. Run a new Audit in ObservePoint, simulating a California user visiting the site before consenting, and compare it against the baseline: the chatbot tag should no longer fire in the pre-consent state.
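The following is an added example, not ObservePoint’s, OneTrust’s, or Google Tag Manager’s code, written in JavaScript to show the two things the steps above and the consent failure modes described earlier both depend on: a tag loader that runs only once the tag’s consent category is actively opted in (and refuses later sends once it is opted out again), and an audit that replays one visitor journey through the pre-consent, dismissed, opt-in, and opt-out states and flags every tag load that the journey’s consent state did not allow. The tag inventory, category names, stage list, and the loadScript hook are constructed for illustration; a real CMP resolves the category defaults from its geolocation rules, and a real scanner observes network requests rather than a callback.

```javascript
// Added example (not ObservePoint, OneTrust or GTM code): tag ids, categories,
// journey stages and the loadScript hook are constructed for illustration.
// Tag inventory: each tag is tied to the CMP category that must be opted in
// before it may load (what the TMS trigger in step 2 enforces).
const TAG_INVENTORY = [
  { id: 'first-party-analytics', category: 'necessary' },
  { id: 'chat-widget',           category: 'functional' },
  { id: 'session-replay',        category: 'analytics' },
];

// Category defaults the CMP resolves for a visitor: Functional "Always Active"
// (before step 4) versus California after step 4 (opted out until opted in).
const FUNCTIONAL_ALWAYS_ACTIVE = { necessary: true, functional: true,  analytics: false };
const CALIFORNIA_OPT_IN        = { necessary: true, functional: false, analytics: false };

// Journey an auditor replays, with the categories a California visitor has
// actually opted into at each stage: dismissal grants nothing, opt-out revokes.
const STAGES = [
  { name: 'pre-consent', choices: null,                 allowed: ['necessary'] },
  { name: 'dismissed',   choices: {},                   allowed: ['necessary'] },
  { name: 'opt-in',      choices: { functional: true },  allowed: ['necessary', 'functional'] },
  { name: 'opt-out',     choices: { functional: false }, allowed: ['necessary'] },
];

// Weak pattern: every tag loads on page load, whatever the consent state.
function pageLoadUngated(loadScript) {
  for (const tag of TAG_INVENTORY) loadScript(tag.id);
}

// Consent gate: a tag loads only once its category is opted in, and sends the
// site controls are refused once the category is opted out again.
class ConsentGate {
  constructor({ defaults, loadScript }) {
    this.state = { ...defaults };
    this.loadScript = loadScript;
    this.fired = new Set();
  }
  // Called by the CMP when the visitor saves choices; a dismissed banner passes {}.
  update(choices) {
    for (const [category, allowed] of Object.entries(choices)) {
      this.state[category] = Boolean(allowed);
    }
    this.flush();
  }
  // Load every not-yet-loaded tag whose category is currently opted in.
  flush() {
    for (const tag of TAG_INVENTORY) {
      if (this.state[tag.category] && !this.fired.has(tag.id)) {
        this.fired.add(tag.id);
        this.loadScript(tag.id);
      }
    }
  }
  // Gate for a send after the script has loaded (for example, a typed chat message).
  mayFire(tagId) {
    const tag = TAG_INVENTORY.find(t => t.id === tagId);
    return Boolean(tag && this.state[tag.category]);
  }
}

// Replay the journey, record what a scanner would see at each stage, and flag
// every observed load whose category that stage did not allow.
function auditJourney({ defaults, gated }) {
  const observed = [];
  let stage = STAGES[0].name;
  const loadScript = id => observed.push({ stage, tag: id });
  const gate = gated ? new ConsentGate({ defaults, loadScript }) : null;

  for (const s of STAGES) {
    stage = s.name;
    if (!gate) {
      if (s.choices === null) pageLoadUngated(loadScript);
    } else if (s.choices === null) {
      gate.flush();            // page load: banner rendered, nothing chosen yet
    } else {
      gate.update(s.choices);
    }
    // The visitor types into the chat box at every stage; does a message go out?
    const sends = gate ? gate.mayFire('chat-widget') : true;
    if (sends) observed.push({ stage, tag: 'chat-widget:message' });
  }

  const allowedAt = Object.fromEntries(STAGES.map(s => [s.name, s.allowed]));
  const violations = observed.filter(o => {
    const tag = TAG_INVENTORY.find(t => o.tag.startsWith(t.id));
    return !allowedAt[o.stage].includes(tag.category);
  });
  return { observed, violations };
}

// Stand-alone run: ungated, the step 3 baseline, then the step 4 configuration.
for (const [label, opts] of [
  ['no gate',                   { defaults: CALIFORNIA_OPT_IN,        gated: false }],
  ['Functional Always Active',  { defaults: FUNCTIONAL_ALWAYS_ACTIVE, gated: true }],
  ['California opt-in default', { defaults: CALIFORNIA_OPT_IN,        gated: true }],
]) {
  const { observed, violations } = auditJourney(opts);
  console.log(`${label}: ${observed.length} loads observed, ${violations.length} violations`);
}
```

Running it gives three results. With no gate, every tag fires on page load and the chat widget sends at every stage, so five loads are flagged. With the gate but Functional left as Always Active, the chat widget still loads and sends before consent and after the banner is dismissed, three flagged loads, which is the kind of baseline step 3 should surface. With the California opt-in default, only the necessary tag fires until the user opts in, and nothing is flagged. One caveat the gate cannot fix: a vendor script that has already loaded keeps running in the page after an opt-out, so the gate can only refuse the sends the site itself controls; use the vendor’s own consent API or reload the page on opt-out, and verify the result on the network, not in the TMS configuration.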


Frequently Asked Questions

What is CIPA and how does it apply to websites? CIPA stands for the California Invasion of Privacy Act. While originally designed for telephone wiretapping, courts have allowed plaintiffs to apply its provisions to website tracking technologies, particularly tools that capture user interactions in real time and transmit them to third-party servers. Companies operating websites accessible to California residents can face claims under CIPA regardless of where the company is headquartered.

Can a non-California company be sued under CIPA? Yes. CIPA protects California residents, so any company operating a website accessible to California users can be a target, regardless of the company’s location. Given California’s population, most large websites have a meaningful California user base.

What is a CIPA demand letter? A CIPA demand letter is a pre-litigation notice from a plaintiffs’ attorney alleging that a company’s website tracking practices violate CIPA. The letter typically demands a settlement payment to avoid a lawsuit. Because CIPA provides for statutory damages on a per-user basis and includes a private right of action, even smaller companies can face significant theoretical exposure.

Does having a cookie banner protect you from CIPA claims? Not automatically. A cookie banner or consent management platform can support a consent defense, but only if it’s correctly configured and verifiably working. Tags that fire before consent is recorded, or that continue firing after a user opts out, undermine the consent defense even when a banner is present.

What tracking tools are most commonly cited in CIPA lawsuits? Session replay tools, behavioral analytics platforms, third-party chat and live messaging widgets, and advertising pixels are most frequently cited. Form field listeners, tools that capture keystrokes in form fields before submission, represent particularly high-risk technology.

What should a company do if it receives a CIPA demand letter? Engage legal counsel immediately. Do not ignore the letter. Begin documenting your consent program and tag governance practices. Conduct an audit to identify what tags are firing and in what consent states. Your legal team will want to understand the specific technologies cited and whether your consent implementation addresses the alleged violation.

What does a CIPA compliance audit cover? A thorough CIPA compliance audit inventories every tag and tracker firing on your website, tests your consent management implementation across consent states, assesses third-party vendor risk for key tracking tools, and documents findings in a format that supports legal defense.


Conclusion

CIPA demand letters aren’t going away. The litigation model has proven financially sustainable for plaintiffs’ firms, and the structural conditions that created it, such as widespread third-party tracking, inconsistent consent implementations, and limited visibility into what’s actually firing on live websites, haven’t changed.

For privacy leaders, the most effective response isn’t to hope for favorable court outcomes or wait for legislative clarification. It’s to build the kind of documented, continuously monitored compliance program that makes your organization a hard target: one where consent is verifiably working, every tracker is known, and every claim can be met with evidence.

ObservePoint helps privacy teams move from theoretical compliance to demonstrated, defensible compliance. If you’re not certain what’s firing on your website right now or whether your consent management platform is actually blocking what it’s supposed to block, that uncertainty itself is the risk.

_________________________________________________________________________________________________________

This post is for informational purposes only and does not constitute legal advice. If you have received a CIPA demand letter, please consult a qualified privacy attorney.