Most companies want to understand how visitors interact with their websites. That insight supports better user experiences, improved conversion rates and more effective marketing. However, practices that were once routine are now being challenged under privacy laws that were never written with modern web technologies in mind.
What’s Happening?
As described in our prior alert, an increasing number of plaintiffs and plaintiffs’ firms claim that common website tracking activities occur without adequate consent and violate certain archaic privacy statutes intended to prevent unauthorized wiretapping and recording on traditional telephones, such as the California Invasion of Privacy Act (CIPA) and federal Electronic Communications Privacy Act (ECPA), as well as other state wiretapping statutes. Courts are increasingly being asked to decide whether certain web technologies cross legal lines, while companies are being pushed to settle with these plaintiffs in lieu of lengthy trials.
Some states, including Alaska and New Hampshire, have moved to resolve this issue for businesses by excluding cookies and pixels from their wiretapping statutes. California lawmakers considered SB 690, a bill that would allow businesses to use common web tracking technologies for “the processing of personal information that . . . is performed to further a business purpose,” so long as they comply with the opt-out requirements of the California Consumer Privacy Act (CCPA). The California bill stalled but, if passed, the earliest it would be effective is 2027.
Given the uncertainty in the litigation landscape, companies should focus on practical, defensible steps that reduce risk today rather than worrying about a potential demand letter, lawsuit or future legislative clarity.
Why CIPA, ECPA and Similar Claims Continue
Enacted in 1967 to combat unauthorized wiretapping of telephone calls, CIPA carries statutory damages of up to $5,000 per violation or treble damages. ECPA carries damages of up to $10,000 per violation. With websites being readily available to massive numbers of individuals, class action claims are easier to raise, thereby compounding the potential damages for a violation even without a showing of actual damages.
Plaintiffs apply these wiretapping provisions to website activity, asserting that tools such as cookies, pixels, session replay technology and analytics platforms unlawfully “intercept” communications or capture metadata without consent. These CIPA cases are starting to make their way up to courts of appeal, but in the absence of precedent there is no reliably predictable outcome.
Claims often target:
- Searches and the data transmitted through search fields, chat boxes or web forms.
- IP addresses and device identifiers.
- Behavioral data shared with analytics or advertising partners.
Practical Risk‑Reduction Measures Businesses Should Implement
Make Consent Mechanisms Match Reality
Cookie banners and consent tools should describe precisely what actually happens on the site or app, in clear and easy-to-read language.
Recommended action items:
- Ensure banner language clearly explains which categories of tracking are used and for what purposes. Actually obtain meaningful consent, giving users a choice, rather than simply providing a notification without a choice.
- Confirm that trackers do not fire until after the user has made a selection. Banners should clearly identify whether you operate on an opt-in or opt-out basis.
- Align banner text, privacy policy disclosures and backend behavior so there are no inconsistencies a plaintiff could exploit.
Recognize and Transparently Honor Global Privacy Control
Many states now require businesses to treat Global Privacy Control (GPC) signals as a valid opt‑out of certain data sharing or sales. Compliance should not be silent or ambiguous.
Implementation best practices include:
- Configure your site to detect GPC signals at the browser level.
- When a GPC signal is detected, display a short confirmation indicating that the signal is being honored.
- Ensure that honoring GPC actually disables the relevant trackers and sharing activity.
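One way to wire up the three practices above, as an added example that is not code from this alert or from any particular consent platform. GPC reaches scripts as `navigator.globalPrivacyControl` and servers as the `Sec-GPC: 1` request header; the tracker inventory, category names, notice wording and the rule that GPC overrides a banner opt-in for data-sharing trackers are assumptions.

```javascript
// Constructed tracker inventory; names, categories and URLs are placeholders.
const TRACKERS = [
  { name: "session-store", category: "necessary", src: "/js/session.js" },
  { name: "site-analytics", category: "analytics", src: "https://analytics.example/a.js" },
  { name: "ad-pixel", category: "advertising", sharesData: true, src: "https://ads.example/p.js" },
];

// Browsers with GPC enabled expose navigator.globalPrivacyControl === true to
// scripts and send the request header "Sec-GPC: 1" to servers.
function gpcEnabled(nav, headers = {}) {
  if (nav && nav.globalPrivacyControl === true) return true;
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === "sec-gpc");
  return hit !== undefined && String(hit[1]).trim() === "1";
}

// consent is null until the visitor makes a selection in the banner,
// then an object such as { analytics: true, advertising: false }.
function allowedTrackers(inventory, consent, gpc) {
  return inventory.filter((t) => {
    if (t.category === "necessary") return true;
    if (consent === null) return false;     // nothing optional fires before a choice
    if (gpc && t.sharesData) return false;  // assumed policy: GPC wins over a banner opt-in
    return consent[t.category] === true;
  });
}

// Short confirmation shown when the signal is detected (wording is a placeholder).
function gpcNotice(gpc) {
  return gpc ? "Global Privacy Control signal detected. Your opt-out is being honored." : null;
}

// Browser-only: inject script tags for the allowed trackers and nothing else.
function loadAllowed(inventory, consent) {
  const gpc = gpcEnabled(navigator);
  for (const t of allowedTrackers(inventory, consent, gpc)) {
    const s = document.createElement("script");
    s.src = t.src;
    s.async = true;
    document.head.appendChild(s);
  }
  return gpcNotice(gpc);
}
```

The same `allowedTrackers` decision can run server-side by passing the request headers to `gpcEnabled`, so tags are never rendered into the page for a visitor who sends the signal.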
Re‑Evaluate “Do Not Sell or Share” Forms
Do Not Sell or Share forms should not require unnecessary personal information. Risk‑aware adjustments include allowing users to submit opt‑out requests without entering certain personal data.
Test Your Consent Management Platform
Even well‑designed consent tools can fail in practice, so routine testing is essential to ensure that consent choices are accurately captured and enforced across the site.
- Before rolling out a consent management platform (CMP), test it to ensure it is working properly.
- Re‑test after site updates, new cookies/trackers or marketing changes.
- Validate that GPC signals are detected and honored.
Institute Internal Controls Around Tracker Deployment
Uncontrolled or ad hoc deployment of tracking technologies is a common source of CIPA exposure, making internal governance and oversight critical.
- Require legal review before deploying new trackers.
- Maintain a tracker inventory.
- Ensure all trackers are integrated into the CMP.
Conduct Periodic Self‑Checks
Because websites evolve constantly, routine reviews help identify compliance gaps early and demonstrate good‑faith efforts to mitigate risk.
- Check website and tracker behavior periodically for gaps, misses and new trackers.
- Review what data is transmitted and when.
- Document remediation efforts.
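The CMP testing and periodic self-checks described above can be partly automated by replaying a test visit and auditing what the browser actually requested. The following is an added example, not code from this alert: the session record format, host names, inventory and issue labels are constructed, and the request list stands in for what you would export from a browser's network log.

```javascript
// Constructed tracker inventory: third-party host -> category.
// Matching is by exact hostname; extend it if your trackers use subdomains.
const INVENTORY = {
  "analytics.example": { category: "analytics", sharesData: false },
  "ads.example": { category: "advertising", sharesData: true },
};
const FIRST_PARTY = "shop.example";

// Constructed test visit: t is milliseconds since page load, consentAt is when
// the tester clicked a banner choice (null if no choice was made).
const SAMPLE_SESSION = {
  gpc: true,
  consentAt: 1000,
  consent: { analytics: true, advertising: true },
  requests: [
    { t: 0, url: "https://shop.example/index.html" },
    { t: 500, url: "https://analytics.example/a.js" },
    { t: 1500, url: "https://analytics.example/collect?e=view" },
    { t: 1600, url: "https://ads.example/p.js" },
    { t: 1700, url: "https://cdn-tracker.example/t.gif" },
  ],
};

// Returns one finding per request that contradicts the recorded choice.
function auditSession(session) {
  const findings = [];
  for (const req of session.requests) {
    const host = new URL(req.url).hostname;
    if (host === FIRST_PARTY) continue;
    const entry = INVENTORY[host];
    if (!entry) {
      findings.push({ host, t: req.t, issue: "not-in-inventory" });
    } else if (session.consentAt === null || req.t < session.consentAt) {
      findings.push({ host, t: req.t, issue: "fired-before-choice" });
    } else if (session.gpc && entry.sharesData) {
      findings.push({ host, t: req.t, issue: "fired-despite-gpc" });
    } else if (session.consent[entry.category] !== true) {
      findings.push({ host, t: req.t, issue: "fired-after-decline" });
    }
  }
  return findings;
}
```

Saving the findings from each run alongside the fix that followed gives a dated record of the remediation efforts the last bullet calls for.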
Looking Ahead
While legislative relief may eventually come, albeit not until at least 2027, businesses should rely on operational discipline today. Ensuring you have accurate disclosures, functioning consent tools, respect for privacy signals and well-defined internal governance will go far in preventing claims and defending against them.
If you have questions about CIPA and its risks for your business, please contact Chiara Portner, or your regular Lathrop GPM attorney.