California Invasion of Privacy Act (CIPA) requirements for website tracking


Donata Stroink-Skillrud

Co-founder and President of Termageddon

The truth is that many modern websites take advantage of tracking tools such as analytics and advertising to reach a broader audience, improve their websites and make more sales. For example, tools such as Meta Pixel, Hotjar, chatbots and session replay software allow businesses to understand how a user interacts with their websites and advertisements. Unfortunately, the use of such tools on websites has recently landed some businesses in hot water under an old privacy law, the California Invasion of Privacy Act, which was passed before such tracking tools were even invented. In this article, we will discuss what CIPA is, who it applies to, the status of recent lawsuits, as well as how you can use Termageddon’s cookie consent solution and Cookie Policy generator to help protect yourself and your business.

What is the California Invasion of Privacy Act? 

The California Invasion of Privacy Act (CIPA) is a privacy law that went into effect in 1994 to protect residents of California from the harms that come when a third party eavesdrops on private communications. The law was originally passed to prevent the eavesdropping of phone calls over landline phones. As technology improved, CIPA was used to protect residents of California from the recording of calls without consent through cell phones and even the Internet (e.g. recording of calls through Zoom or CRM platforms such as Hubspot). 

CIPA applies to any communications with a resident of California, even if your business is not located in California. While “communications” was originally intended to cover phone calls, it has been reinterpreted to cover any communication, including the communication of an individual with a website. The law specifically forbids the use of wiretapping or recording of communications with a resident of California, including communications that take place over the Internet, meaning that interactions with websites (which can be interpreted as communications) may be covered by this law as well. 

Violations of the California Invasion of Privacy Act contain the following elements:

  1. A business intentionally used an electronic device to eavesdrop or record a communication; 
  2. The website user had a reasonable expectation that the communication was not being recorded or eavesdropped on; 
  3. The business failed to obtain the consent of all parties to record the communication; 
  4. The website user was harmed; and
  5. The harm was caused by the business. 

CIPA prohibits businesses from installing or using a pen register or trap and trace device without first obtaining a warrant unless the consent of the individual is obtained. A pen register is a device or process that traces outgoing signals from a specific phone or computer to their destination. A trap and trace device is a device or process that records the sources of incoming signals to a specific phone or computer. 

What makes CIPA risky for businesses is that it allows consumers to sue businesses directly for violations and obtain damages of $5,000 per violation. In fact, a very recent trend has emerged where consumers are suing businesses directly, arguing that the use of cookies, web beacons, pixels, scripts or software code that track a user’s location, search terms, browsing history or purchase history acts as a “pen register.” The lawsuits argue that the use of such technologies is in violation of CIPA as the technologies eavesdrop on communications between an individual and a website.

Recent CIPA lawsuits 

Once courts determined that the California Invasion of Privacy Act can be used for litigating claims where a resident of California was tracked when using a website, multiple privacy lawsuits were filed alleging similar violations. These lawsuits have garnered different results, with some being dismissed while others have been allowed to proceed.

For example, in Licea v. Old Navy, LLC, a consumer alleged that Old Navy’s website contains a chat feature which allows the recording and creation of transcripts of conversations with the chat in violation of CIPA. However, the Court ruled for Old Navy, finding that since Old Navy was a party to the communications, they could not be held liable for eavesdropping on their own communications. 

In another case, Byars v. Hot Topic, Inc., the Court found that a chat feature was a “tool” and an extension of the website owner, meaning that there was no unlawful third-party interception and the lawsuit was dismissed. 

In another lawsuit, Greenley v. Kochava, Inc., a Court found that the use of software that identifies consumers, gathers data, and correlates that data through fingerprinting can constitute a violation of CIPA and thus the Court refused to dismiss the lawsuit. 

An additional example of these types of lawsuits can be seen in Lesh v. Cable News Network, Inc., where an individual sued CNN for installing three types of tracking software as the user was using the CNN website. 

While California courts are certainly undecided on whether these lawsuits should proceed and there is no real clear guidance as to whether large damages will be applied, the fact is that many more businesses are being sued for violations of CIPA through the use of tracking technologies on websites. At this time, we have seen these lawsuits targeting either large corporations or businesses that work in the healthcare fields. However, with more lawsuits being filed every day, it is likely that small businesses and businesses in other industries will be targeted as well. 

How to avoid CIPA violations 

Since CIPA and the recent lawsuits have been targeting websites that use tracking technologies or other technologies that can intercept communications between the website and a resident of California, websites that use such technologies should first review all of the technologies that are used on the website. For example, if you currently use a chat feature on your website and get no inquiries from the chat feature, you should consider removing it. Or, if you are using a website analytics tool but never view the actual analytics, consider removing that tracking technology from your website. On the other hand, if you are tracking individuals with the Meta pixel to advertise to them later but have no intention of actually running advertisements, you should remove this pixel from your website as well. Removing unnecessary trackers, pixels, and other features from your website could help you avoid violations and lawsuits. 

The second best way to avoid CIPA violations is to obtain the consent of the user prior to tracking them. This is because consent of the individual is an established exception to CIPA. Consent can easily be obtained through a cookie consent banner. It’s important to note that a cookie consent banner only obtains consent for tracking technologies, not phone calls. The banner should have the following features: 

  1. The banner should ensure that all third party tracking scripts and technologies are blocked until website visitors consent (i.e. click “accept”) to being tracked; 
  2. The banner should have an “accept” and a “decline” button; 
  3. If a user clicks “decline”, then they should not be tracked; 
  4. The banner should be designed in such a way that the “accept” and “decline” options are given equal prominence; 
  5. The banner should allow the individual to withdraw their consent if they have previously consented to being tracked but have changed their minds; 
  6. The banner should provide individuals with enough information to make an informed decision as to whether or not they would like to be tracked. 
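
The blocking, decline and withdrawal behavior in items 1, 3 and 5 can be sketched as a small consent gate. This is an added example, not Termageddon's code: `ConsentGate`, `memoryStorage` and the tracker names are hypothetical, and in a browser each loader would inject the vendor's script tag rather than update a set.

```javascript
// Added example; ConsentGate and the tracker names are hypothetical.
class ConsentGate {
  constructor(storage) {
    this.storage = storage; // window.localStorage in a browser
    this.pending = [];      // trackers waiting for a decision
    this.active = [];       // trackers that have been loaded
  }
  get state() {
    return this.storage.getItem('consent') || 'undecided';
  }
  // Register a tracker; it loads at once only if consent was already given.
  register(name, load) {
    const entry = { name, load };
    if (this.state === 'accepted') this.run(entry);
    else this.pending.push(entry);
  }
  accept() {
    this.storage.setItem('consent', 'accepted');
    this.pending.splice(0).forEach((entry) => this.run(entry));
  }
  // Used for both "decline" and a later withdrawal of consent.
  decline() {
    this.storage.setItem('consent', 'declined');
    for (const { name, load, stop } of this.active.splice(0)) {
      if (stop) stop();                  // e.g. remove the script tag and cookies
      this.pending.push({ name, load }); // stays blocked unless re-accepted
    }
  }
  run(entry) {
    const stop = entry.load(); // a loader may return a teardown function
    this.active.push({ ...entry, stop: typeof stop === 'function' ? stop : null });
  }
}

// Constructed stand-in for localStorage so the example runs under Node.
function memoryStorage() {
  const data = new Map();
  return { getItem: (k) => (data.has(k) ? data.get(k) : null), setItem: (k, v) => data.set(k, v) };
}

// Walks through undecided -> accept -> withdraw and records what is loaded.
function demo() {
  const loaded = new Set();
  const gate = new ConsentGate(memoryStorage());
  const tracker = (name) => () => { loaded.add(name); return () => loaded.delete(name); };
  gate.register('analytics', tracker('analytics'));
  gate.register('ad-pixel', tracker('ad-pixel'));
  const beforeConsent = [...loaded];
  gate.accept();
  const afterAccept = [...loaded].sort();
  gate.decline();
  return { beforeConsent, afterAccept, afterWithdraw: [...loaded], state: gate.state };
}
```

A script that has already executed in a real page cannot be fully unloaded, so a withdrawal handler typically also clears the tracker's cookies and reloads the page.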

Sound familiar? This is because a CIPA cookie consent banner should follow all of the same rules as the GDPR cookie consent banner. In addition, you should also provide a Cookie Policy to users so that they have adequate information as to what cookies are being used on the website, what their purpose is, and what their duration is. 

With so many lawsuits being filed against businesses and such uncertainty as to how those lawsuits will proceed, the best way to avoid litigation is to either stop tracking users from California or obtain their consent prior to such tracking taking place. If you currently use features that could track users from California on your website, make sure to check out the Termageddon cookie consent banner and Cookie Policy generator to help you avoid costly litigation.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
