California Invasion of Privacy Act (“CIPA”) claims are surging, driven in part by a nationwide mass demand campaign from serial claimant Vivek Shah. If your website uses pixels, cookies, analytics tools or chat features, you may already be a target.
Despite significant defense wins, plaintiffs continue filing class actions at a rapid pace. Statutory damages of up to $5,000 per violation and unsettled law keep the economics favorable for claimants.
Below, we explain the current claim landscape, key legal issues and concrete steps to reduce your exposure.
In our December 2025 Legal Alert, we described a rapid increase in class action privacy suits based on website tracking without consent. Six months later, the pace has only accelerated. The strategies below can help you get ahead of it.
So far this year, claimants have filed several hundred CIPA-related suits in California courts. Most are class actions, brought by law firms with expertise in privacy law. Arbitration claims are less prevalent, but exist. One serial claimant, Vivek Shah, has been particularly prolific.
Mr. Shah’s demands look like lawsuits. Each packet contains a cover letter seeking “Informal Dispute Resolution” of “your violation of the California Invasion of Privacy Act (CIPA)” along with a draft complaint to be filed in a court in California if the matter remains unresolved. Out of the many demand packets he has sent in 2026, he has filed 21 lawsuits so far.
What does this mean for you? Take a hard look at your website’s tracking mechanisms, cookie banner, privacy policy, website terms, and any AI-related data collection practices.
Why are CIPA claims still surging? The 1967 California Invasion of Privacy Act was written for wiretaps and telephone surveillance. Today, plaintiffs have retrofitted it for the internet and AI ages. Their argument: collecting IP addresses and visitor data from your website without consent is illegal.
The financial exposure is significant. CIPA provides a private right of action with damages of up to $5,000 per violation or treble damages, whichever is greater, plus injunctive relief. It remains the primary vehicle for website tracking claims targeting third-party pixels, software development kits (SDKs), analytics tools, chat features and website search tools.
The law remains unsettled. Federal courts in California are more willing than their state counterparts to let CIPA claims survive early dismissal. Federal plaintiffs, however, must plead a concrete and particularized injury to their privacy interests to have standing. The California Legislature has yet to step in.
What is a CIPA wiretapping claim? In short, it is the interception of the contents of a web visitor’s communication without consent. Under CIPA § 631(a), a plaintiff must show that a third party intercepted a communication while it was in transit. The “content” at issue is often search queries containing personal information or chat conversations on your website. These claims frequently target chat features, session replay software and embedded third-party scripts.
Court interpretations vary widely. Access to stored or duplicated data may not qualify as “interception” by a “third party.” See, e.g., Torres v. Prudential Fin., Inc., No. 22-CV-07465 (CRB), 2025 WL 1135088, at *4 (N.D. Cal. Apr. 17, 2025) (insurer’s software form provider was a separate third party but was not shown to have later read or deciphered user inputs on forms).
What is a CIPA “pen register” or “trap and trace” claim? In essence, it is the capture of records of your visitor’s activity, not the contents themselves. Under CIPA § 638.50 (pen register) or § 638.51 (trap-and-trace), plaintiffs object to the collection of data about a communication. Think: visit timestamps, add-to-cart actions, button clicks, scrolling and screen movements.
The line between the contents of a communication and a “record” of it can be frustratingly blurry. See De Ayora et al. v. Inspire Brands et al., No. 25-CV-03645-AGT, 2026 WL 1653483, at *7 (N.D. Cal. June 8, 2026) (an IP address is metadata, not contents); Mikulsky v. Bloomingdale’s, LLC, No. 24-3564, 2025 WL 1718225, at *1 (9th Cir. June 20, 2025) (website visit data equates to the content of communications, “not merely the real-time capture of information regarding the characteristics of the communications”). This uncertainty creates meaningful risk, as the same conduct may be treated differently depending on the forum.
The forum matters. California state courts have held that pen register and trap-and-trace claims apply only to telephones, not the internet. See, e.g., Blaker v. NetScout Systems, Inc., No. 25STCV31283, 2026 WL 1709143, at *4 (Cal. Super. May 27, 2026) (“[T]his statute applies to telephonic communications and not to software on a commercial website.”). Federal courts are less willing to confine the statutes to telephones. See, e.g., In re Apple Data Priv. Litig., No. 5:22-CV-07069-EJD, 2026 WL 146025, at *3 (N.D. Cal. Jan. 20, 2026) (although a close call, the current majority rule in federal district courts is that the pen register statute applies to internet communications).
Is the alleged injury enough to avoid dismissal? In federal court, a plaintiff must allege a real, concrete and particularized injury, not just an abstract statutory violation. See Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016).
If your website gathers sensitive information (health conditions, financial data, personal identifiers) without consent, the injury likely clears this bar. If it collects only routine technical data, dismissal becomes more likely. A federal court recently dismissed a claim against a nutritional wellness website, finding that the capture of “routing, addressing and signaling information” was too generic to constitute real harm. See Schallert et al. v. Laird Superfood, Inc., No. 2:25-CV-12407-SPG-PVC, 2026 WL 1707585, at *5 (C.D. Cal. June 5, 2026).
A similar hurdle applies to California common law claims like invasion of privacy and intrusion upon seclusion. Even without the federal standing requirement, plaintiffs must show a “highly offensive intrusion” involving the sharing or misuse of sensitive or confidential information. Id.
What other claims accompany CIPA? CIPA plaintiffs will sometimes include an alleged violation of the California Comprehensive Computer Data Access and Fraud Act (“CDAFA”), found at Cal. Penal Code § 502, which makes it illegal to knowingly access, use or interfere with computers, networks or data without permission. See Tsering v. Meta Platforms, Inc., No. 25-CV-01611-RFL, 2026 WL 89320 (N.D. Cal. Jan. 12, 2026) (plaintiff failed to show Meta knew its use and access was without the user’s permission); cf. In re Meta Android Priv. Litig., No. 25-CV-04674-RFL, 2026 WL 1279416, at *9 (N.D. Cal. May 11, 2026) (Meta knowingly used and introduced tracking software that impermissibly circumvented Android’s digital sandbox). CDAFA allows for statutory damages and attorneys’ fees. Those same plaintiffs may argue that the alleged CDAFA violation was an “unlawful” business practice under the California Unfair Competition Law (“UCL”) and seek injunctive relief.
What can you do to mitigate risk? If your website uses third-party tracking tools without a clear consent mechanism, you are in the highest-risk category. Your best defenses are straightforward: a robust consent mechanism, a clear privacy policy, and website terms that include class action waivers.
Cookie banners should contemplate all types of tracking mechanisms on the website, and you must consider the benefit and risk associated with each one. You can conduct a self-audit using the same scanning tools that CIPA claimants use to identify targets. Coordinate with your website technology, legal and marketing teams to make sure your website tracking and marketing are consistent with your business goals and risk tolerance.
Keep an eye on the regulatory horizon. Many privacy regulators now require businesses to honor the Global Privacy Control, a browser-based opt-out signal for data sharing and tracking. More mandates are coming.
The bottom line: if your website collects any visitor data through third-party tools, now is the time to audit your consent mechanisms, review your privacy policies and maintain adequate protections in your website terms. Businesses that act proactively will be in the strongest position when the next demand letter arrives.
If you have questions about CIPA and its risks for your business, please contact Tedrick Housh, Chiara Portner, Alexandra Bass or your regular Lathrop GPM attorney.