California Invasion of Privacy Act (CIPA): A Plain English Explainer

The California Invasion of Privacy Act (CIPA) is a state privacy statute, codified (formally written into law) at California Penal Code sections 630 to 638 (§§ 630 to 638), that prohibits the interception, recording, or eavesdropping of confidential communications without the consent of all parties. Enacted in 1967, CIPA makes California an all-party consent state and now governs phone calls, electronic communications, and the tracking and recording technologies used on websites that serve California residents.

Since the Ninth Circuit’s (the federal appeals court for California and eight other Western states) 2022 decision in Javier v. Assurance IQ extended § 631 to internet communications, CIPA has become one of the most heavily litigated privacy statutes in the United States. Statutory damages (fixed dollar amounts the law allows even without proof of harm) of $5,000 per violation under § 637.2 drive thousands of lawsuits against businesses using chatbots, session replay tools, tracking pixels, and analytics scripts that share visitor data with third-party vendors.

Statutory Provisions of CIPA (Cal. Penal Code §§ 630-638.55)

CIPA is a chapter of related provisions, each addressing a different kind of communication or technology. The entries below cover every section: what it prohibits, what it applies to, and a brief practical note. The sections that drive most CIPA litigation against businesses, together with § 637.2, which authorises that litigation, are the ones website operators, compliance teams, and in-house counsel will find most directly relevant.

§ 630
  Prohibited conduct: Declaration of legislative purpose. Not a prohibition.
  Applies to: All communications
  Notes: Establishes legislative intent: protecting California residents from eavesdropping enabled by advances in communications technology.

§ 631
  Prohibited conduct: Wiretapping; making unauthorized connections to telegraph or telephone lines; willfully reading or attempting to read the contents of any message, report, or communication in transit; using information so obtained; aiding, agreeing with, employing, or conspiring with any person to do the above.
  Applies to: Wired telephone, electronic communications, internet-based communications
  Notes: The most-litigated section for website tracking. The fourth “aiding and abetting” prong is the theory plaintiffs use against website operators that share visitor data with third-party vendors. Landmark case: Javier v. Assurance IQ, 9th Cir. 2022.

§ 632
  Prohibited conduct: Intentionally eavesdropping on or recording a confidential communication by means of any electronic amplifying or recording device, without the consent of all parties.
  Applies to: Any communication where parties have a reasonable expectation of privacy
  Notes: “Confidential communication” is defined in § 632(c). Requires all-party consent. Public utility and law enforcement carve-outs apply.

§ 632.01
  Prohibited conduct: Intentional disclosure or distribution of a confidential communication with a healthcare provider that was recorded in violation of § 632.
  Applies to: Healthcare communications
  Notes: Added by AB 1671 (2017) after secret recordings of clinicians were published.

§ 632.5
  Prohibited conduct: Malicious interception or recording of cellular radio telephone communications.
  Applies to: Cellular calls
  Notes: Added 1985 as the Cellular Radio Telephone Privacy Act.

§ 632.6
  Prohibited conduct: Malicious interception or recording of cordless telephone communications.
  Applies to: Cordless telephone calls
  Notes: Added 1990.

§ 632.7
  Prohibited conduct: Intercepting or recording communications transmitted between cellular or cordless telephones, or between either and a landline, without the consent of all parties.
  Applies to: Cellular and cordless calls
  Notes: Added 1992. Removes the malicious-intent requirement of §§ 632.5 and 632.6 and the “confidential communication” requirement of § 632. All-party consent is required regardless.

§ 633
  Prohibited conduct: Exemption: permits specified law enforcement officers to overhear or record communications.
  Applies to: Law enforcement activity
  Notes: Statutory exception, not a prohibition.

§ 633.5
  Prohibited conduct: Exemption: permits one-party recording where the recording party reasonably believes the recording will capture evidence of certain serious crimes (extortion, kidnapping, bribery, felony violence, violations of § 653m).
  Applies to: Recording party’s own communications
  Notes: Statutory exception. Narrow application.

§ 634
  Prohibited conduct: Trespass onto property for the purpose of unlawful eavesdropping or wiretapping.
  Applies to: Physical access cases
  Notes: Misdemeanour offence.

§ 635
  Prohibited conduct: Manufacture, assembly, sale, possession with intent to sell, or advertising of devices primarily useful for unauthorised eavesdropping or wiretapping.
  Applies to: Surveillance hardware
  Notes: Targets the supply chain for illegal surveillance equipment.

§ 636
  Prohibited conduct: Eavesdropping on or recording communications between a person in custody and that person’s attorney, religious adviser, or licensed physician.
  Applies to: Custodial communications
  Notes: Felony offence.

§ 637
  Prohibited conduct: Unlawful disclosure of the contents of a telegraphic or telephonic message by a person not a party to it.
  Applies to: Third-party communications disclosures
  Notes: Third parties who unlawfully disclose can face fines and jail time.

§ 637.2
  Prohibited conduct: Civil cause of action for any CIPA violation.
  Applies to: All CIPA violations
  Notes: The damages section. Plaintiffs may recover the greater of $5,000 per violation or three times actual damages, plus injunctive relief. No proof of actual injury required. This is what makes CIPA one of the most litigated privacy statutes in the United States.

§ 637.7
  Prohibited conduct: Use of an electronic tracking device to determine the location or movement of a person.
  Applies to: GPS and vehicle trackers
  Notes: Has exceptions for vehicle owners and lawful law enforcement use.

§ 638.50
  Prohibited conduct: Definitions for pen register and trap and trace devices.
  Applies to: Foundational definitions
  Notes: Defines what a “pen register” and a “trap and trace device” mean for §§ 638.51 to 638.55.

§ 638.51
  Prohibited conduct: Installing or using a pen register or trap and trace device without a court order or consent.
  Applies to: Devices that capture routing, addressing, or signalling information (not content)
  Notes: The basis of the “pen register theory” wave of website lawsuits. Plaintiffs argue that tracking pixels, session replay tools, and analytics scripts function as pen registers. Leading case: Greenley v. Kochava, S.D. Cal. 2023.

§ 638.55
  Prohibited conduct: California Attorney General authority to compel compliance with pen register and trap and trace provisions by government entities.
  Applies to: Enforcement against government entities
  Notes: Enforcement section.

What Does CIPA Prohibit?

CIPA prohibits four categories of conduct without the consent of all parties: wiretapping electronic communications (§ 631), eavesdropping on confidential communications (§ 632), intercepting cellular or cordless calls (§ 632.7), and installing pen register or trap and trace devices (§ 638.51). Violations carry criminal penalties and civil damages of $5,000 per offence under § 637.2.

Wiretapping (§ 631)

Wiretapping under § 631 of the California Penal Code covers four distinct acts:

  1. making an unauthorized connection to a telegraph or telephone line;
  2. willfully reading or attempting to read the contents of any message, report, or communication while it is in transit;
  3. using or communicating any information obtained that way; and
  4. aiding, agreeing with, employing, or conspiring with any person to do any of the above.

The fourth “aiding and abetting” prong (which in plain English means knowingly helping someone else commit the wiretap) is what enables websites to be sued under CIPA today.

Most courts have ruled that a website cannot “wiretap” its own communications because it is a party to the exchange. The people who sue (the plaintiffs) under CIPA are typically California residents whose data was captured without their consent. Their argument is that while the website didn’t intercept the communication directly, it aided and abetted a third-party vendor (an analytics provider, a session replay tool, or an advertising pixel) that did. The Ninth Circuit accepted this argument in Javier v. Assurance IQ, LLC, No. 21-16351 (9th Cir. May 31, 2022).

Eavesdropping (§ 632)

Section 632 prohibits “eavesdropping”, defined as the intentional use of an electronic amplifying or recording device to overhear or record a “confidential communication” without the consent of all parties. In other words, where wiretapping concerns connections to wires and the reading of messages in transit, eavesdropping concerns the act of recording in any setting where the parties had a reasonable expectation of privacy.

What counts as a “confidential communication”?

The statute defines a “confidential communication” at § 632(c) as “any communication carried on in circumstances that reasonably indicate any party desires it be confined to the parties present.” It excludes communications made in a public gathering, in open government proceedings, or in any other circumstance where the parties may reasonably expect to be overheard or recorded. As the California Supreme Court spelled out in Flanagan v. Flanagan, the expectation of confidentiality is objective, not what the speaker personally believed. A conversation in a quiet corner of a coffee shop generally qualifies; a conversation shouted across a crowded lobby generally doesn’t.

When does § 632 apply to the average business?

California courts presume internet communications aren’t confidential, and most courts have ruled that web browsing, form submissions, and similar internet activity don’t carry an “objectively reasonable expectation of privacy”. But there are other ways your business could be liable under CIPA’s eavesdropping provisions.

  • Call recording. If a website has a “call us” button, click-to-call functionality, or customer service phone line that records conversations, § 632 applies directly to the recording. This is one of the most common CIPA exposure points for businesses.
  • Video conferencing. Recording of Zoom, Microsoft Teams, or similar video calls held through a website-based platform falls under § 632 (and Smith v. LoanMe clarified that § 632.7 also applies to participants, not just outsiders).
  • Voice features. Voice notes, voice-to-text, voice search, and AI voice assistants that record user speech engage § 632.
  • Privacy-sensitive contexts. Telehealth platforms, mental health services, financial advising, and similar contexts can create the kind of reasonable expectation of privacy that overcomes the general internet presumption, opening § 632 exposure for the website operator.
  • “Private mode” promises. Brown v. Google allowed § 632 claims based on Google’s “incognito” promises, where the indication of privacy created a context that overcame the presumption that internet communications aren’t confidential.

Cellular and Cordless Phone Interception (§ 632.7)

§ 632.7 prohibits the interception or intentional recording of any communication transmitted between cellular or cordless telephones, or between either and a landline, without the consent of all parties. It is broader than § 632 (eavesdropping) in two important ways:

  1. There is no requirement that the communication be “confidential”.
  2. There is no requirement that the recording party act with malicious intent. Mere interception or recording without all-party consent is enough.

Until 2021, businesses argued they couldn’t be liable under § 632.7 when recording their own calls with California customers, because they were parties to the conversation rather than outsiders eavesdropping. The California Supreme Court rejected that argument in Smith v. LoanMe, Inc., 11 Cal.5th 183 (2021), ruling that § 632.7 applies to participants and eavesdroppers alike. Any business recording cell phone or cordless phone calls with California customers, including customer service lines, sales calls, and collections, now clearly needs the consent of all parties before recording.

Pen register and trap and trace devices (§ 638.51)

A pen register is a device or process that captures the dialing, routing, addressing, or signaling information about an outgoing communication, but not the content of the communication itself. In its original form, this meant a physical device that recorded every phone number dialed from a particular line without listening to the calls. A trap and trace device captures the equivalent metadata about incoming communications, identifying their source. Both definitions appear at § 638.50 and mirror the federal definitions at 18 U.S.C. § 3127.

§ 638.51 prohibits installing or using either kind of device without a court order or the consent of the subscriber being monitored. The statute was originally aimed at telephone metadata: numbers dialed, time stamps, call duration. Since 2023, plaintiff law firms have argued that website tracking pixels, fingerprinting libraries, and analytics scripts function as pen registers because they capture routing and signaling information about a user’s communication with a website, even when they capture no content. The first published decision to accept this theory was Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023), and the “pen register theory” has driven much of the CIPA litigation volume since.

Who Does CIPA Apply To?

CIPA applies to any business or individual that communicates with a California resident, regardless of where the business is located. The statute follows the resident, not the business. A company headquartered in New York that operates a website used by Californians is subject to CIPA in the same way a California company is. Limited exemptions apply to law enforcement under § 633 and certain public utility activities.

CIPA’s Extraterritorial Reach

CIPA applies whenever one party to a communication is a California resident, even if the recording occurs in another state. The California Supreme Court held in Kearney v. Salomon Smith Barney, Inc., 39 Cal.4th 95 (2006) that California law governs when an out-of-state business records calls with its California clients, regardless of whether the business’s home state permits one-party consent.

The facts of Kearney have become the template for modern CIPA enforcement. A Georgia-based brokerage recorded telephone conversations between its Atlanta brokers and California clients without disclosure. Georgia is a one-party consent state, so the recordings were lawful under Georgia law. The brokerage argued that applying CIPA would be an improper extraterritorial reach. The California Supreme Court rejected that argument, finding California had a “strong and continuing interest” in protecting its residents’ privacy that outweighed Georgia’s interest in permitting the recording.

The practical effect is broad. A business in any U.S. state that records calls with California customers, deploys session replay tools that capture California visitors’ interactions, or operates a chatbot serving California users is subject to CIPA. The statute attaches to the resident’s location, not the business’s location. Internet-based services with no California office, no California employees, and no California server can still be sued under CIPA when their tracking or recording involves a California resident, which is why CIPA has become a default privacy compliance concern for any nationally-operating website.

Statutory Exemptions

CIPA contains three chapter-wide exemptions that apply across its prohibitions: § 633 preserves pre-existing law enforcement surveillance authority, § 633.5 allows a party to record without consent to gather evidence of specific serious crimes, and § 633.6 allows domestic violence victims with a protective order to record the restrained person.

§ 633: Law enforcement authority. Sworn law enforcement officers, the Attorney General, district attorneys, and certain other authorised officials may overhear or record communications to the extent they were lawfully empowered to do so under California law in effect immediately before CIPA’s enactment in 1967. The provision preserves pre-existing surveillance authority and does not create new authority.

§ 633.5: Evidence of specified crimes. A party to a confidential communication may record without the consent of the other parties for the purpose of obtaining evidence reasonably believed to relate to extortion, kidnapping, bribery, any felony involving violence against the person (including human trafficking), violations of § 653m (harassing communications), or domestic violence as defined in § 13700. Evidence obtained under this exception is admissible in prosecutions for those crimes.

§ 633.6: Domestic violence victims with a protective order. A victim of domestic violence who has obtained a domestic violence restraining order may record communications from the restrained person where the recording is made for the purpose of gathering evidence of a violation of the order. This is narrower than § 633.5 and is tied specifically to the existence of an active protective order.

Separately, individual prohibition sections contain their own internal carve-outs for public utilities and correctional facilities. These appear at § 632(e), § 632.5(b), § 632.6(b), and § 632.7(b), and exempt utility employees acting within the scope of their work, services furnished pursuant to utility tariffs, and telephone systems used exclusively within state, county, or city correctional facilities. These section-internal exemptions apply only within their respective prohibition sections and are not chapter-wide.

How CIPA Applies to Websites and Online Tracking

Although CIPA was enacted in 1967 to prohibit telephone wiretapping, California and federal courts have extended it to internet communications. The Ninth Circuit’s 2022 decision in Javier v. Assurance IQ opened the door, and plaintiffs have since filed hundreds of CIPA lawsuits per year against websites using chatbots, session replay tools, tracking pixels, and analytics scripts that share visitor data with third-party vendors.

The § 631 “Aiding and Abetting” Theory

Plaintiffs use the fourth prong of § 631(a), which prohibits “aiding, agreeing with, employing, or conspiring with” another person to wiretap a communication. Courts have generally held that a website cannot directly wiretap its own visitors because the website is itself a party to the communication. Plaintiffs instead argue the website aided and abetted a third-party vendor (an analytics provider, a session replay tool, an advertising pixel) that intercepted the data.

The watershed holding in Javier established that consent under CIPA must be prior to the recording, not post-hoc. The plaintiff completed a form on Assurance IQ’s website before being directed to a privacy policy that disclosed third-party data collection by ActiveProspect, an analytics vendor. The Ninth Circuit held that disclosure provided after data was already collected could not retroactively cure the lack of prior consent. The decision undermined the “continued use equals consent” approach common to website privacy policies and remains the most-cited holding in modern CIPA website litigation.

A separate question is whether the interception occurred while the communication was “in transit,” which § 631(a) requires. Federal district courts have split, with some allowing claims to proceed where third-party scripts capture data as users interact with a webpage, and others dismissing where the alleged interception occurred after content was already loaded or after data was at rest on the website’s servers. The split is unresolved at the appellate level.

The § 638.51 “Pen Register” Theory

A newer theory frames tracking pixels, fingerprinting libraries, and analytics scripts as pen registers under § 638.51, on the basis that they capture routing, addressing, or signaling information about a user’s communication with a website, even without capturing content. The theory has gained traction because the pen register definition is broad and turns on whether the technology captures metadata about communications, not whether content is intercepted.

The first published decision to accept the theory was Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023). The court rejected the defendant’s argument that a software development kit (SDK) collecting user data could not qualify as a “device or process” under § 638.51. Greenley’s reasoning has since been extended to cookies, pixels, and fingerprinting libraries in later cases.

In Moody v. C2 Educational Systems, Inc., 742 F. Supp. 3d 1072 (C.D. Cal. 2024), the court accepted that a TikTok fingerprinting script qualified as a pen register, rejecting the argument that fingerprinting differs in kind from a traditional pen register. In Camplisson v. Adidas America, Inc., 2025 WL 3228949 (S.D. Cal. Nov. 18, 2025), the court allowed claims based on the TikTok Pixel and Microsoft Bing tracker to proceed, observing that most courts in California and other districts have now recognised that website-based trackers can plausibly constitute pen registers.

The doctrine is not settled. Several California Superior Court decisions have rejected pen register claims based on IP address collection alone, on the basis that IP addresses are not outgoing communications. Rodriguez v. Plivo, Inc. (Cal. Super. Oct. 2, 2024) and Palacios v. Fandom, Inc. (Cal. Super. Sept. 24, 2024) are representative. Federal courts have similarly dismissed claims where the alleged “pen register” captured only IP addresses and device information. The result is a mixed landscape in which the viability of a pen register theory depends heavily on the specific technology used and the precise scope of data captured.

Technologies Currently Under Litigation

CIPA litigation has targeted a recognisable cluster of website technologies. The common thread is involvement of a third-party vendor that receives, processes, or has access to data captured from a California visitor:

  • Session replay tools that record user mouse movements, clicks, scrolls, and form inputs (FullStory, Hotjar, Microsoft Clarity, LogRocket, and similar)
  • Third-party chatbots and live chat where the vendor hosts or processes the conversation, rather than the website operator itself
  • Advertising and analytics pixels including the Meta Pixel, TikTok Pixel, Microsoft Bing tracker, and LinkedIn Insight Tag
  • Browser fingerprinting libraries that capture device, browser, and behavioural signatures
  • Google Analytics 4 in configurations that share visitor data with Google Ads or other Google services for advertising purposes
  • Programmatic advertising scripts that share visitor data with ad networks, demand-side platforms, and supply-side platforms
  • AI chatbots and assistants that transmit user inputs to a third-party large language model provider, which is the newest and least settled category

Use of these technologies does not automatically create CIPA liability, but it creates exposure that compliance teams need to address through consent architecture. The practical steps appear in the compliance section below.

CIPA Violations

A CIPA eavesdropping claim against a business typically rests on three elements:

  1. The business intentionally eavesdropped on or recorded communications using an electronic device.
  2. The business failed to obtain consent from all parties involved, even though the user expected privacy.
  3. The harm suffered by the website user is attributable to the actions of the business.

Moreover, CIPA prohibits businesses from using pen registers or trap and trace devices without a warrant or individual consent. Pen registers monitor outgoing signals, while trap and trace devices record incoming signals to specific phones or computers.

Of significant concern for businesses is CIPA’s provision allowing consumers to directly sue for violations, potentially resulting in damages of $5,000 per offense. Recent legal actions highlight the use of tracking technologies like cookies or web beacons as potential violations, arguing they function similarly to pen registers, intercepting communications between users and websites.

Applicability

CIPA applies to any business communicating with California residents, regardless of location. Originally targeting landline calls, it now covers all forms of communication, including cell phones and online interactions. This extends to tracking or recording software, such as session replay and chatbots, as using these tools without user consent may be seen as eavesdropping.

Exemptions

CIPA exempts public utilities and correctional facilities. Specifically:

  • Public utilities and their employees providing communication services or facilities in the course of constructing, maintaining, or operating those services.
  • The use of instruments, equipment, facilities, or services furnished under public utility tariffs.
  • Telephone communication systems used exclusively within correctional facilities.

Section 632(e) of CIPA sets out these exemptions for public utilities and their employees and for telephone systems within correctional facilities. While CIPA applies broadly, these exemptions are circumscribed and subject to the specific conditions set out in the statute.

I’m The One Being Recorded

If you were recorded unlawfully, you may be entitled to compensatory damages. You can file a personal injury lawsuit for the privacy violation. Successful claims could result in:

  • $5,000 for each violation, or
  • Three times the actual damages you suffered.

You can file a lawsuit even if the caller is from another state. As long as you’re in California, you can take legal action. However, there’s a one-year statute of limitations for filing this lawsuit.

Business Requirements

CIPA mandates that businesses must obtain consent before communicating (via phone or internet) with California residents and refrain from using pen registers or trap and trace devices without consent.

  1. Communicating Via Phone or the Internet
    CIPA prohibits anyone from intercepting communications without consent, including reading or attempting to learn the contents of messages while in transit. Businesses engaging in any communication with California residents, including using tracking tools for advertising or internet session software, must obtain consent before proceeding.
  2. Using Pen Register or Trap and Trace Devices or Processes
    Businesses under CIPA cannot install or use pen registers or trap and trace devices without consent or a court order, except for specific purposes such as testing services or protecting property and rights. A pen register records outgoing signaling information, while a trap and trace device records incoming information. Recent lawsuits argue that tracking and analytics software, like cookies, may fall under CIPA’s definition of a pen register, as they monitor user-website interactions.

In Greenley v. Kochava, Inc., the court ruled that software correlating consumer data through unique ‘fingerprinting’ qualifies as a pen register under CIPA. Businesses must obtain user consent or a court order before installing or using these devices, except for approved purposes.

How to Comply

To comply with CIPA, follow these steps:

  1. Obtain consent from users before accessing their personal information or engaging in communications.
  2. Disclose whether you share their communications with any third parties.

Let’s delve into each step further.

1. Obtaining Consent

To obtain consent for recording private conversations, ensure everyone involved agrees, either explicitly or implicitly. Express consent is obtained by asking and receiving affirmation from all parties. Implied consent occurs when the recording is announced, and the conversation proceeds without objections. In California, complying with the Invasion of Privacy Act requires consent from all parties for recording phone calls.

  • For instance, if a journalist informs an expert of recording before a phone interview and the expert continues without objection, consent is implied. Overall, obtaining consent ensures compliance with regulations and avoids violating privacy laws.
  • Consent Mechanism: Obtaining consent is crucial, and a simple way to do this is by using a consent mechanism. This mechanism should be user-friendly and readily available, allowing users to express their consent preferences before using your website or services.

California operates under a “two-party consent” rule, meaning all parties must agree to phone call recordings. Implement consent mechanisms whenever you collect personal information, communicate, or use tools that could be perceived as intrusive under CIPA. Embed consent mechanisms alongside legal agreement links like Privacy Policy or Terms and Conditions.

This empowers users to understand data usage and communication practices before consenting. An effective mechanism is the “I Agree” checkbox, typically placed on account creation, checkout, cookie notices, and chat boxes.

2. Notify Users of Communication Sharing with Third Parties

To ensure compliance with CIPA, it’s essential to include a disclosure within your website’s chat box, especially if it’s provided by a third party. This disclosure should inform users that third-party vendors might access chat box communications. This way, consumers have the chance to consent to their messages being shared with third parties before using the chat box.
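A consent gate of the kind the two steps above describe, as an added example that is not code from the original page: it refuses to inject any third-party script (session replay, advertising pixel, chat widget) until the user has explicitly granted consent for that vendor's purpose, reflecting the prior-consent holding of Javier v. Assurance IQ, and it records the third-party disclosure shown with each grant. The tag names, vendor URLs and disclosure strings are placeholders, and `inject` and `clock` are assumed hooks so the gate runs without a browser.

```javascript
// Consent-gated loader for third-party website tags. Added example, not code
// from the original page. No vendor script is injected, and nothing queued is
// released, until an explicit, timestamped grant exists for that vendor's
// purpose. Tag names, URLs and disclosure texts are placeholders.

// Technologies of the kind the page lists as litigation targets, keyed by the
// consent purpose each one needs. The disclosure text is what the user sees
// before being asked to consent (compliance step 2: third-party sharing).
const TAG_REGISTRY = {
  sessionReplay: { purpose: "analytics",   src: "https://replay.example/s.js" },
  adPixel:       { purpose: "advertising", src: "https://pixel.example/p.js" },
  chatWidget:    { purpose: "chat",        src: "https://chat.example/w.js" },
};
const DISCLOSURES = {
  analytics:   "Session recordings are processed by a third-party analytics vendor.",
  advertising: "Page visits are shared with third-party advertising networks.",
  chat:        "Chat messages are processed by a third-party chat provider.",
};

// `inject(src)` performs the actual script insertion (a DOM call on a real
// page); `clock()` returns a timestamp. Both are injectable for testing.
function createConsentGate(inject, clock = () => Date.now()) {
  const grants = {};   // purpose -> { grantedAt, disclosed }
  const pending = [];  // tags requested before consent existed
  const loaded = [];   // tags whose script has actually been injected
  const audit = [];    // every grant and revoke, with timestamps

  // Consent counts only if it was granted at or before the moment asked about.
  function consentedFor(purpose, at) {
    const g = grants[purpose];
    return g !== undefined && g.grantedAt <= at;
  }

  // Explicit consent only: continued browsing or silence is never a grant.
  // Each grant records the disclosure the user saw, so the record shows both
  // that consent came first and what it covered.
  function grant(purpose) {
    if (!(purpose in DISCLOSURES)) throw new Error(`unknown purpose: ${purpose}`);
    grants[purpose] = { grantedAt: clock(), disclosed: DISCLOSURES[purpose] };
    audit.push({ type: "grant", purpose, at: grants[purpose].grantedAt });
    flushPending();
  }

  function revoke(purpose) {
    delete grants[purpose];
    audit.push({ type: "revoke", purpose, at: clock() });
  }

  // Ask to load a tag. Returns "loaded" when its script was injected, or
  // "deferred" when it stays queued; a deferred tag is never loaded by default.
  function request(tagName) {
    const tag = TAG_REGISTRY[tagName];
    if (!tag) throw new Error(`unknown tag: ${tagName}`);
    if (loaded.includes(tagName)) return "loaded";
    if (consentedFor(tag.purpose, clock())) {
      inject(tag.src);
      loaded.push(tagName);
      return "loaded";
    }
    if (!pending.includes(tagName)) pending.push(tagName);
    return "deferred";
  }

  // Release queued tags whose purpose is now consented, in request order.
  function flushPending() {
    for (const name of pending.slice()) {
      if (request(name) === "loaded") pending.splice(pending.indexOf(name), 1);
    }
  }

  // Disclosures the user must see before consenting to the tags a page uses.
  function disclosuresFor(tagNames) {
    const purposes = [...new Set(tagNames.map((n) => TAG_REGISTRY[n].purpose))];
    return purposes.map((p) => DISCLOSURES[p]);
  }

  return {
    grant, revoke, request, disclosuresFor,
    pending: () => pending.slice(),
    loaded: () => loaded.slice(),
    audit: () => audit.slice(),
  };
}

// Stand-alone demo with a stub injector (no DOM needed).
if (typeof document === "undefined") {
  const gate = createConsentGate((src) => console.log("injected", src));
  console.log(gate.request("sessionReplay"));  // deferred: no consent yet
  gate.grant("analytics");                      // the queued tag now loads
  console.log(gate.loaded());
}
```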

Enforcement

The California Attorney General enforces the California Invasion of Privacy Act (CIPA). Section 638.55(b) empowers the Attorney General to compel government entities to adhere to CIPA regulations.

Penalties For Non-Compliance

Non-compliance with the California Invasion of Privacy Act (CIPA) can lead to severe consequences.

  • Offenders may face fines of up to $2,500 per violation and possible imprisonment.
  • Repeat offenders could be fined up to $10,000 per violation, along with up to one year in state prison.
  • Additionally, third parties who unlawfully disclose telegraphic or telephonic communications could be fined up to $5,000 and face up to one year in jail.

California residents have the right to pursue civil action against businesses that violate CIPA, seeking either $5,000 per violation or three times the amount of actual damages, whichever is greater. Businesses may be found in violation if they intentionally eavesdrop or record electronic communications without consent, fail to inform residents of the recording or cause harm by illegally recording or eavesdropping.

Sections 632(a) and 637 of CIPA outline penalties for intentional eavesdropping or recording without consent, including fines and imprisonment. Furthermore, businesses using pen registers or trap and trace devices without court orders or user consent can face fines of up to $2,500 per violation and/or one year in jail, as per Section 638.51.

It’s critical for businesses, especially those accessible to California residents online, to obtain consent before communicating with residents and before collecting or disclosing their personal information, in order to avoid costly lawsuits. California residents can bring legal action against violators for actual damages or $5,000 per violation, whichever is greater, as stated in Section 637.2 of CIPA.

CIPA Litigation Developments

Following court rulings allowing claims under CIPA for tracking California residents on websites, numerous privacy lawsuits have emerged, yielding varied outcomes. For instance:

  • In Licea v. Old Navy, LLC, a consumer alleged that the chat feature on Old Navy’s website violated CIPA by recording conversations. The court ruled in favor of Old Navy, determining that a party to a conversation cannot be liable for eavesdropping on its own communications.
  • In Byars v. Hot Topic, Inc., the court dismissed a lawsuit regarding a chat feature, treating the chat vendor as an extension of the website owner rather than an unlawful third-party interceptor.
  • In Greenley v. Kochava, Inc., the court refused to dismiss a lawsuit involving software that collects and correlates consumer data, finding that the conduct alleged could violate CIPA.
  • In Lesh v. Cable News Network, Inc., CNN faced legal action for installing tracking software while users accessed its websites.

While California courts haven’t definitively ruled on the outcomes of these lawsuits or the extent of damages, the trend indicates a surge in businesses facing legal action over tracking technology used on websites. Although the lawsuits currently target large corporations and healthcare businesses, smaller businesses and those in other sectors may soon face similar claims.

Mitigation Strategies

To steer clear of CIPA violations and potential lawsuits, operators of websites that employ tracking technologies should thoroughly review every technology in use. Consider removing unnecessary features, such as chat functions or website analytics tools, if they serve no practical purpose. Similarly, eliminate tracking technologies, such as Meta pixels for advertising, if they are not actively used.

Another effective approach is obtaining user consent before tracking them, an established exception under CIPA. This can be achieved through a cookie consent banner, ensuring the following features:

  • Blocking all third-party tracking scripts until users consent (by clicking “accept”).
  • Offering “accept” and “decline” buttons, with “decline” ensuring no tracking.
  • Designing the banner so that the “accept” and “decline” options are equally prominent.
  • Allowing users to withdraw consent if they change their mind.
  • Providing sufficient information for informed consent.

This cookie consent banner aligns with GDPR regulations. Additionally, furnish users with a Cookie Policy detailing cookie usage, purposes, and durations.
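
The consent gate described in the list above, written out as an added example in plain JavaScript (this is illustrative code, not part of the original article or any GetTerms product). Third-party tags are declared inert in the page HTML as `<script type="text/plain" data-requires-consent src="...">`, which the browser never fetches or runs; the manager turns them into live scripts only after an explicit “accept”, records a “decline” so nothing loads, and reports on withdrawal whether a reload is needed, since a script that is already executing cannot be unloaded from a running page. The storage key, the `data-requires-consent` attribute and the element ids `consent-banner`, `consent-accept` and `consent-decline` are assumptions chosen for this example.

```javascript
// Added example: a minimal consent gate for third-party tracking scripts.
// Core logic is DOM-free so it can be exercised outside a browser; the
// browser glue at the bottom only runs when `document` exists.

const CONSENT_KEY = 'tracking-consent';            // assumed storage key
const VALID_DECISIONS = new Set(['accepted', 'declined']);

// In-memory stand-in for window.localStorage (used for tests and demos).
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

class ConsentManager {
  // storage: localStorage-like object; activate: callback that loads one gated script
  constructor(storage, activate) {
    this.storage = storage;
    this.activate = activate;
    this.gated = [];   // registered scripts that have not been allowed to load
    this.loaded = [];  // scripts that were activated during this page life
  }

  // 'accepted', 'declined', or null when no explicit decision has been recorded.
  decision() {
    const v = this.storage.getItem(CONSENT_KEY);
    return VALID_DECISIONS.has(v) ? v : null;
  }

  // The banner stays visible until the visitor has made an explicit choice.
  bannerRequired() { return this.decision() === null; }

  // Register a gated script. It loads now only if consent was already recorded
  // (e.g. on a later page view); otherwise it waits for accept().
  register(script) {
    if (this.decision() === 'accepted') this.load(script);
    else this.gated.push(script);
  }

  load(script) {
    this.activate(script);
    this.loaded.push(script);
  }

  // Accept: persist the decision, then release everything that was gated.
  accept() {
    this.storage.setItem(CONSENT_KEY, 'accepted');
    const pending = this.gated;
    this.gated = [];
    pending.forEach((s) => this.load(s));
  }

  // Decline: persist so the banner is not re-shown; no script is ever loaded.
  decline() { this.storage.setItem(CONSENT_KEY, 'declined'); }

  // Withdraw: record 'declined'. Scripts already running cannot be unloaded,
  // so the caller is told whether a reload is required to actually stop them.
  withdraw() {
    this.storage.setItem(CONSENT_KEY, 'declined');
    return { decision: 'declined', reloadRequired: this.loaded.length > 0 };
  }
}

// Browser glue: swap inert placeholders for real script tags and wire the banner.
function installInBrowser(doc, storage) {
  const manager = new ConsentManager(storage, (tag) => {
    // Changing `type` on an existing <script> does not execute it, so a fresh
    // element is created from the placeholder's src and put in its place.
    const live = doc.createElement('script');
    live.src = tag.getAttribute('src');
    live.async = true;
    tag.replaceWith(live);
  });
  doc.querySelectorAll('script[type="text/plain"][data-requires-consent]')
    .forEach((tag) => manager.register(tag));

  const banner = doc.getElementById('consent-banner');
  if (banner) {
    banner.hidden = !manager.bannerRequired();
    // Both buttons share the same markup and styling so neither is more prominent.
    doc.getElementById('consent-accept')
      .addEventListener('click', () => { manager.accept(); banner.hidden = true; });
    doc.getElementById('consent-decline')
      .addEventListener('click', () => { manager.decline(); banner.hidden = true; });
  }
  return manager;
}

if (typeof document !== 'undefined') installInBrowser(document, window.localStorage);
```

The important property is that a declined or undecided visitor never triggers a network request to the tracking vendor at all: the placeholder tags have `type="text/plain"`, so nothing is fetched until `accept()` runs. Because `withdraw()` cannot claw back code that is already executing, a real banner should prompt for a reload after withdrawal rather than pretend the scripts are gone.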

Given the influx of lawsuits and the uncertainty of their outcomes, the safest path to avoid litigation is either refraining from tracking California users or obtaining their prior consent. Utilize tools like the GetTerms cookie banner generator, Cookie Consent Manager and Cookie Policy Generator to lessen the risk of costly legal action.

Wrapping Up

The California Invasion of Privacy Act (CIPA) was created to address wiretapping and eavesdropping concerns and has since been extended to modern communication technologies, including internet interactions and online tracking tools. CIPA applies broadly, encompassing any business communicating with California residents, irrespective of where the business is located. However, exemptions exist for public utilities and correctional facilities.

To comply with CIPA, businesses must obtain consent before communicating with California residents and disclose any sharing of communications with third parties. Employing consent mechanisms, such as an “I Agree” checkbox, can facilitate compliance, while disclaimers within chat boxes further reinforce transparency. Enforcement falls under the jurisdiction of the California Attorney General, with penalties for violations ranging up to $5,000 per offense, along with potential imprisonment for repeat offenders.
