Your Website Is Probably Running Tracking Software. That Has Become a Litigation Problem.
If you operate an e-commerce website and you have not thought about California's wiretapping statute lately, that is understandable. Most people running online businesses have not spent a lot of time thinking about a 1967 California privacy law. The attorneys filing class action lawsuits against those businesses, however, have thought about it quite a bit.
The California Invasion of Privacy Act, CIPA, is the statute in question. It was enacted to prohibit the unauthorized recording of telephone conversations. It has been reinterpreted, creatively and aggressively, as a weapon against businesses that use standard digital tracking tools on their websites: analytics platforms, chat widgets, session recorders, advertising pixels, and similar software that is, at this point, embedded in the infrastructure of essentially every commercial website on the internet.
The theory is not subtle once you understand it. CIPA prohibits "wiretapping" without consent. Plaintiffs' attorneys have argued that a tracking pixel, a third-party analytics tool, or a live chat widget that routes communications through a third-party server is a "wiretap" under the statute because it allows a third party to intercept the content of a user's communications with the website. Under this reading, if your website uses Google Analytics, a chat tool like Intercom or Drift, a Meta Pixel, or session replay software like Hotjar, and a California resident visits your site, you may have "wiretapped" them in violation of CIPA — even if you disclosed the tracking in a privacy policy.
Courts have not agreed on whether this theory is correct. That has not slowed the filings.
Who Is Filing and What They Are Targeting
The CIPA class action model follows a familiar pattern. A plaintiff — often someone who has filed dozens of similar cases — visits a website and uses a chat feature or simply browses while the site collects analytics data. The plaintiff's attorney then sends a demand letter threatening class action litigation under CIPA, which provides statutory damages of $5,000 per violation. At scale, across a class of thousands of California residents, that number becomes very large very fast.
Scott Ferrell of Pacific Trial Attorneys has been one of the most prominent filers in this space, running a model where a litigation "tester" visits retail websites, uses the chat feature, and the resulting interaction becomes the basis for a CIPA claim. In some cases, the tester does not purchase anything, does not complete a transaction, and sometimes types only a single word before leaving the session. The legal theory does not require a meaningful interaction — it requires only that the tracking occurred.
The businesses targeted are not limited to large retailers. Small and mid-sized e-commerce companies are frequently targeted precisely because they are more likely to settle quickly and less likely to have the legal infrastructure to fight back.
The Legal Landscape, Which Is Genuinely a Mess
Here is the honest assessment of where the law stands: courts are all over the place, and nobody has a clear answer right now.
California state courts have reached different conclusions. Two trial courts dismissed "trap and trace" claims under CIPA Section 638.51, concluding that the statute does not extend to internet communications that collect only device-identifying information. One California appellate court reached the opposite conclusion, creating a direct conflict on the fundamental question of whether common tracking technologies fall within the statute's reach. A federal court in the Central District of California dismissed CIPA claims against a website operator in late 2025, while other federal courts have allowed similar claims to proceed.
The Third Circuit affirmed a dismissal of CIPA claims in 2025. The Ninth Circuit has not resolved the core question. The California Supreme Court has not weighed in. And the California Legislature, which has the power to clarify or amend CIPA to address its application to digital tracking, has not done so — reform legislation remains stalled.
What this means practically is that a business facing a CIPA demand cannot simply look at a list of court decisions and know with confidence whether it would win at trial. The answer depends on the specific tools used, the specific conduct alleged, the jurisdiction where the case is filed, and the judge assigned to it. That uncertainty is, for plaintiffs' attorneys, a feature rather than a bug. Settlement is more attractive when the outcome of litigation is genuinely unpredictable.
Why the "I Have a Privacy Policy" Defense Is Insufficient
Many website operators assume that a privacy policy disclosing the use of tracking tools resolves the CIPA problem. It does not, at least not as the law has been applied in most of these cases. CIPA requires consent, and courts have held that a general privacy policy disclosure does not constitute the kind of affirmative, informed consent the statute requires — particularly where users are not required to read the policy, affirmatively acknowledge it, or opt in before tracking begins.
Banner consents, pop-up cookie notices, and privacy policy acknowledgment checkboxes may help, but their effectiveness depends on how they are implemented, what they say, and how courts in a given jurisdiction have evaluated similar consent mechanisms. The California Supreme Court's eventual resolution of the consent question will matter enormously for how this body of litigation develops. For now, a privacy policy alone is not a reliable defense.
What E-Commerce Businesses Can Do Now
The litigation environment is active and will remain active for the foreseeable future. Reform legislation in California has not moved, and the volume of filings has not meaningfully decreased despite the conflicting court decisions. But there are practical steps that reduce exposure.
The first is to audit what tracking tools your website actually uses. Many businesses run software that was installed by a developer years ago and have not reviewed it since. Third-party analytics, advertising pixels, live chat integrations, session replay tools, and A/B testing software all carry potential CIPA exposure if they involve third-party interception of user communications. Understanding what is running on your site is the prerequisite for everything else.
The second is to implement consent mechanisms that go beyond a privacy policy. Affirmative consent — users actively acknowledging tracking before it begins, with a clear opt-out option — reduces CIPA exposure meaningfully, though it does not eliminate it entirely under all current interpretations of the statute.
The third is to evaluate which tools are genuinely necessary for your business and which ones carry risk that is not justified by the benefit. A live chat widget routed through a third-party server creates more CIPA exposure than most other tracking tools because of the "communication interception" framing plaintiffs use. If you do not use it actively, the cost-benefit analysis of keeping it running may have changed.
The fourth, if your business has already received a demand letter, is to treat it seriously and get legal advice before you respond. The demand letter is designed to generate a quick settlement. Whether settlement is the right outcome for your business depends on an assessment of your specific exposure, the jurisdiction, the plaintiff's track record, and what defenses are available — none of which you can evaluate in isolation.
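The first two steps, auditing what the site loads and checking that tracking waits for consent, can be started with a static pass over a page's HTML. The following is an added example, not code from the author: the sample page and every hostname are constructed, and the `type="text/plain"` plus `data-consent` gating convention is an assumption about how the site's consent manager holds scripts back.

```javascript
// Added example: static inventory of third-party resources in a page's HTML.
// SAMPLE_HTML and all hostnames are constructed; data-consent is an assumed convention.
const SAMPLE_HTML = `
<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script type="text/plain" data-consent="marketing"
        src="https://pixel.ads-vendor.example/px.js"></script>
</head><body>
<img src="https://pixel.ads-vendor.example/tr?ev=PageView" width="1" height="1">
<iframe src="https://chat.widget-vendor.example/frame"></iframe>
<img src="https://shop.example/logo.png">
</body></html>`;

// Read one attribute from a raw tag string; null if absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// Return every script/img/iframe that loads from a host other than the site's own.
function auditThirdParties(html, pageUrl) {
  const firstParty = new URL(pageUrl).hostname;
  const findings = [];
  for (const m of html.matchAll(/<(script|img|iframe)\b[^>]*>/gi)) {
    const tag = m[0];
    const src = attr(tag, "src");
    if (!src) continue;
    const host = new URL(src, pageUrl).hostname; // resolves relative URLs
    if (host === firstParty) continue;
    // A script with a non-executable type stays inert until the consent
    // manager rewrites it; every other element requests its src on page load.
    const type = (attr(tag, "type") || "").toLowerCase();
    const gated = m[1].toLowerCase() === "script" &&
                  type === "text/plain" && attr(tag, "data-consent") !== null;
    findings.push({ element: m[1].toLowerCase(), host, gated });
  }
  return findings;
}

// Hosts that receive a request before the visitor has made any consent choice.
function loadsBeforeConsent(html, pageUrl) {
  const hosts = auditThirdParties(html, pageUrl)
    .filter((f) => !f.gated).map((f) => f.host);
  return [...new Set(hosts)].sort();
}

console.log(loadsBeforeConsent(SAMPLE_HTML, "https://shop.example/"));
```

In the sample, the advertising vendor's script is gated but its `<img>` pixel is not, so that host still appears in the pre-consent list. A static pass does not see tags injected at runtime by other scripts or a tag manager, so a capture of live network requests is needed to complete the inventory.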
The Bigger Picture
CIPA litigation is part of a broader pattern of class action filings that target the infrastructure of digital commerce, the tools that businesses use to understand their customers, run their marketing, and operate their websites. TCPA litigation targeting SMS marketing programs, class actions under various state biometric privacy statutes, and similar filings follow the same economic logic: identify a statutory violation that generates large per-violation damages, find a large class of potential plaintiffs, and offer defendants a choice between an uncertain trial and a settlement that is cheaper than the judgment they risk.
The legal theories in these cases are not always frivolous. CIPA may well apply to some of the conduct being challenged, and courts that have allowed these cases to proceed have not been unreasonable in doing so. But the volume of filings and the demand-letter-driven model mean that many businesses face these claims regardless of whether their specific conduct actually violates the law.
Knowing what you are running on your website, understanding your actual exposure, and getting advice before a demand becomes a lawsuit is the practical position to be in. The time to think about CIPA compliance is before the demand letter arrives, not after.
Jonathan Phillips counsels e-commerce businesses and brand owners on intellectual property, privacy litigation, and class action defense strategy. If you have received a CIPA demand or want to understand your exposure before one arrives, contact him.