A 1967 wiretapping law is now being used to sue businesses over Meta Pixel and Google Analytics. Here's what you need to know before you panic.
You open your mail and find a letter from a California law firm. It accuses your company of violating something called the California Invasion of Privacy Act by using tracking technologies on your website. The letter mentions "pen registers," which sounds like something from a Cold War spy novel. It demands you pay a settlement or face a class action lawsuit with damages of $5,000 per website visitor.
Your first thought: Is this real?
Your second thought: I don't even know what a pen register is.
Your third thought: How many people have visited our website?
If you've received one of these letters, you're not alone. Thousands of companies have been targeted with CIPA demand letters or lawsuits in the past three years. The plaintiffs' bar has discovered that a statute written to stop the government from tapping phone lines can be twisted to cover the same tracking technologies that power most of the commercial internet. And California's $5,000-per-violation statutory damages provision makes even modest websites look like gold mines.
But here's what the demand letter won't tell you: the law is an absolute mess, courts are split on whether these theories even work, and defendants have been winning cases with increasing frequency. Before you write a check or lose sleep, you should understand what you're actually dealing with.
The Statute That Time Forgot
California passed the Invasion of Privacy Act in 1967. Lyndon Johnson was president. The first Super Bowl had just been played. The internet wouldn't exist for another two decades.
The law was designed to prevent eavesdropping on telephone conversations. It prohibits wiretapping, recording confidential communications, and—in a 2016 amendment—using "pen registers" or "trap and trace devices" without consent. A pen register, in telephone terms, records the numbers dialed from a particular phone line. A trap and trace device captures incoming call information.
The 2016 amendment defined these terms broadly: a pen register is "a device or process that records or decodes dialing, routing, addressing, or signaling information." The California Legislature was thinking about modernizing wiretap laws. What it created, according to plaintiffs' attorneys, was a statute that covers every website using analytics software.
Their argument goes like this: when you visit a website, your browser sends information including your IP address, which is technically "addressing information." If the website uses Meta Pixel, Google Analytics, or similar tools, that information gets transmitted to third parties. Therefore, the website has installed a "pen register" without your consent. Pay up.
If that logic strikes you as a stretch, you're not the only one. Several California judges have called the theory creative, and not in a complimentary way.
What the Lawsuits Actually Claim
CIPA demand letters and complaints typically allege one or more of the following theories.
The first is the pen register theory under Penal Code section 638.51. This claims that tracking pixels, cookies, or analytics code constitute "devices or processes" that capture "addressing or signaling information" when visitors access the website. Some courts have allowed these claims to proceed. Others have dismissed them outright, finding that the statute was never intended to apply to internet communications at all.
The second is the wiretapping theory under section 631. This statute prohibits intercepting the contents of communications without consent. Plaintiffs argue that session replay software, chatbots, or tracking pixels "intercept" user inputs like form entries, search queries, or chat messages. However, website operators generally can't "wiretap" their own conversations. So plaintiffs typically frame these claims as "aiding and abetting" a third-party vendor's interception.
The third is the eavesdropping theory under section 632, which prohibits recording confidential communications without consent. This theory has gained traction against health apps and websites that collect sensitive information, culminating in a major jury verdict against Meta in August 2025.
Each theory has vulnerabilities. The pen register claims face the threshold question of whether the statute applies to the internet at all. The wiretapping claims run into the "party exception"—you can't eavesdrop on your own conversation. The eavesdropping claims require proving the communication was actually confidential. And all of them require showing that any interception happened "in transit," not after transmission.
The Courts Are All Over the Map
If you're hoping for clear guidance on whether your website tracking creates CIPA liability, prepare for disappointment. California courts have issued wildly inconsistent rulings, and no appellate court has definitively resolved the key questions.
Federal district courts in California have generally allowed pen register claims to survive motions to dismiss. In Greenley v. Kochava, a San Diego federal judge found that the statutory language was "expansive" enough to cover software that performs "unique fingerprinting" to track users. That decision opened the floodgates. Similar rulings followed in cases against various companies using TikTok pixels, Meta Pixel, and standard analytics tools.
California state courts, by contrast, have been more skeptical. In Licea v. Hickory Farms, a Los Angeles Superior Court judge dismissed pen register claims because section 638.51 "was intended to apply to telephone-tracking technology, not internet communications." Other state court judges have followed suit, finding that applying CIPA to routine website operations would "render CCPA meaningless" and "punish compliance" with legitimate privacy frameworks.
The Ninth Circuit provided some guidance in June 2025 with a pair of decisions addressing session replay software. In Thomas v. Papa John's, the court affirmed dismissal of claims against a company using FullStory, holding that the vendor was essentially a "tape recorder" held by the website operator rather than an independent eavesdropper. But in Mikulsky v. Bloomingdale's, the court reversed dismissal where the plaintiff adequately alleged that a vendor was intercepting substantive user inputs in real time for its own purposes.
The distinction matters. If a third-party tool merely helps you analyze your own customer interactions, it's probably an extension of your operations. If it's capturing and using customer data independently, that's a different story.
The Frasco Verdict Changed the Calculus
On August 1, 2025, a federal jury in San Francisco found Meta liable for CIPA violations based on its SDK's collection of data from the Flo period-tracking app. This was the first jury verdict holding a software development kit provider liable under California's privacy laws, and it sent shockwaves through the industry.
The case involved particularly sensitive health information—users' menstrual cycles, fertility data, and pregnancy status. The jury found that Meta intentionally eavesdropped on confidential communications without consent. With 38 million potential class members and $5,000 in statutory damages per violation, Meta's exposure is astronomical.
Whether Frasco represents the future of CIPA litigation or an outlier driven by sympathetic facts remains to be seen. Health data occupies a special category in privacy law. A jury might view a period-tracking app's data sharing very differently than a retailer's use of Google Analytics. But plaintiffs' attorneys will certainly cite the verdict in demand letters, and some courts will be influenced by it.
Why Most Demand Letters Overstate the Risk
In my opinion (and you should always consult an attorney; this is not advice to ignore these letters):
The demand letters flooding corporate mailboxes share a common characteristic: they present worst-case scenarios as certainties. They cite favorable decisions while ignoring unfavorable ones. They calculate damages by multiplying $5,000 by total website visitors without acknowledging that no court has ever certified a class and awarded damages on that basis.
Here's what the letters typically omit.
First, courts have increasingly required plaintiffs to show that any interception occurred "in transit"—meaning while the communication was being transmitted, not afterward. If your tracking software processes data after it arrives at its destination, that timing distinction could defeat liability.
Second, the "party exception" remains a significant obstacle. You cannot eavesdrop on your own conversation. Unless a plaintiff can show that a third-party vendor intercepted communications independently and for its own purposes, wiretapping claims against website operators should fail.
Third, consent can be established in multiple ways. While courts have rejected the argument that merely visiting a website constitutes consent, clear disclosure and affirmative acceptance through cookie banners or terms of service may provide a defense.
Fourth, many claims fail on basic pleading requirements. Plaintiffs must allege specific facts showing what information was intercepted, how, and by whom. Conclusory allegations about "tracking technologies" without specifics have been dismissed.
What You Should Actually Do
If you've received a CIPA demand letter, don't ignore it. But don't panic either.
Start by understanding what tracking technologies your website actually uses. Many businesses have no idea what their marketing team or web developer has installed. Conduct an audit. Identify every pixel, cookie, analytics tool, and chatbot. Understand what data each one collects and where it goes.
Next, evaluate your consent mechanisms. Do you have a cookie banner? What does it actually say? Does it appear before tracking begins, or after? Is there an option to decline? The answers matter for determining your exposure.
Then assess the specific claims in the demand letter. Is it alleging pen register violations, wiretapping, eavesdropping, or some combination? Each theory has different elements and different defenses. A letter citing section 638.51 presents different issues than one citing section 631 or 632.
Then call an attorney who handles these cases. With this information, you can have a more productive consultation.
Finally, evaluate the settlement demand against realistic litigation exposure. A $50,000 demand to resolve claims that might be dismissed on a motion to dismiss presents different considerations than a $50,000 demand where the legal theories are sound and class certification is plausible.
Legislative Reform Is (Hopefully) Coming—Eventually
California Senate Bill 690, which would have exempted tracking technologies used for "commercial business purposes" from CIPA's pen register provisions, passed the Senate unanimously in June 2025 but stalled in the Assembly. Privacy advocates, including the Electronic Frontier Foundation and the ACLU, opposed the bill as a giveaway to advertisers.
The bill has become a "two-year bill," meaning the earliest it could take effect is 2027. If passed, it would likely end most pen register litigation against standard commercial tracking. But "if" and "2027" don't help you today.
In the meantime, expect continued litigation, continued inconsistent rulings, and continued demand letters. The plaintiffs' bar has found a profitable niche, and they won't abandon it voluntarily.
The Bottom Line
CIPA website tracking litigation represents the collision between a 1967 statute, a 2016 amendment, and 2025 technology. The law was never designed for this purpose, courts are struggling to apply it coherently, and the California Legislature has yet to clean up the mess.
If you've received a demand letter, you have options. The legal theories underlying these claims have real vulnerabilities. Courts have dismissed similar claims for various reasons. Settlements may make sense in some situations, but capitulation isn't your only choice.
Every case depends on its specific facts: what tracking technologies are involved, how they're implemented, what data they collect, and whether consent was obtained. Generic advice is no substitute for a lawyer who can evaluate your particular situation.
If you're staring at a CIPA demand letter and wondering what to do next, we can help you figure that out.
Jon Phillips is an attorney at, and the Phillips of, Phillips & Bathke, P.C. He represents businesses in privacy litigation and regulatory matters. If you've received a demand letter or lawsuit involving CIPA, website tracking, or similar claims, contact Jonathan Phillips at jlap@pb-iplaw.com or (309) 834-2296.