CIPA, Explained: How a 1967 Wiretap Law Became the Engine of Website Litigation
A plain-English guide to the three CIPA sections plaintiffs use against websites — what each requires, how it maps to a page load, and where courts disagree.
The California Invasion of Privacy Act was enacted in 1967, in an era of alligator-clip wiretaps and party-line telephones. Its drafters were worried about someone splicing into a phone call. They were not thinking about JavaScript. Yet CIPA has become the single most-used statute in website-tracking litigation, and understanding why requires understanding what the law actually says — because the entire fight is over how a telephone-era text applies to a page load.
This is a reference, not legal advice. The aim is to make the statute legible: what each operative section requires, how plaintiffs map it onto website behavior, and where the courts have genuinely split.
Three sections do the work
Most website CIPA claims are built on one or more of three provisions.
Section 631 — wiretapping. This is the workhorse. In simplified terms, it reaches a party who, without the consent of all parties, intentionally taps a line or uses any "machine, instrument, or contrivance" to read or attempt to read the contents of a communication "while it is in transit." It also reaches anyone who uses information so obtained, or who aids another in doing so. The "in transit" language and the "contents" requirement are not incidental — they are exactly where modern cases are won and lost.
Section 632 — confidential communications. This prohibits using an electronic device to eavesdrop on or record a "confidential communication" without all-party consent. On websites it appears less often than Section 631, because a court must first find that the visitor had an objectively reasonable expectation the communication was not being overheard — a harder showing for an ordinary web page than for a phone call.
Section 638.51 — pen registers and trap-and-trace devices. This is the newer theory and the more contested one. It bars installing or using, without a court order, a "pen register" or "trap and trace device" — defined as a device or process that captures "dialing, routing, addressing, or signaling information," but not the contents, of a communication. Plaintiffs argue that a tracking pixel which records a visitor's IP address and routing metadata is, functionally, a pen register.
The element that anchors everything: consent and the "third party"
California is an all-party consent state, so the recurring question is whether the visitor consented and whether a true third party was listening.
Section 631 claims usually turn on the party exception. A business cannot wiretap its own conversation, so if a vendor (an analytics or session-replay provider) is acting purely as a tool — a tape recorder held by the website, with no independent right to use the data — many courts hold there is no third-party interception and the claim fails. If the vendor instead has the independent capability to use or monetize what it captures, courts have been more willing to treat it as an eavesdropper outside the exception. The factual question of what the vendor may contractually do with the data often decides the motion — one of the procedural defenses that resolve many of these cases before the merits.
Why the damages math drives the docket
CIPA's civil remedy, Section 637.2, lets an injured person recover the greater of $5,000 per violation or three times actual damages, plus injunctive relief — and it does not require proof of actual damages to proceed. Multiply $5,000 by a class of every visitor over a multi-year period and the exposure becomes enormous regardless of whether anyone suffered measurable harm. That arithmetic, more than any single doctrine, is what sustains the volume of filings and the steady stream of pre-suit demand letters. Industry estimates put total CIPA activity since 2022 in the tens of thousands of claims, most resolved privately before any public docket entry.
How the statute maps onto a page load
Translating the text into website behavior makes the theories concrete:
- A Section 631 theory typically targets session-replay scripts and chat tools that capture keystrokes, clicks, and message contents as the visitor interacts — the "contents… in transit" framing.
- A Section 638.51 theory typically targets pixels and trackers that transmit IP address, page URL, and routing metadata on load — the "addressing and signaling information" framing.
- A search-bar variant of the pen-register theory alleges that what a visitor types into site search is routed to a third party.
- The consent timing question — whether anything fired before the visitor agreed — cuts across all of them, because pre-consent firing undercuts the "they consented" defense.
Where courts diverge
This is unsettled law, and the honest summary is that outcomes depend heavily on the section, the forum, and the facts.
On Section 631, courts split on whether session-replay capture is interception "in transit" or merely a recording readable only after storage, and on whether a given vendor falls inside the party exception. On Section 638.51, the divide is sharper still: some federal district courts have read "device or process" broadly enough to let pixel-as-pen-register theories survive a motion to dismiss, while a growing line of California state-court decisions has rejected that reading, treating the pen-register provisions as designed for telephone surveillance rather than commercial websites. We trace that divide in detail in our jurisdiction comparison on the pen-register split. The result is that the same implementation can survive in one courtroom and be dismissed in another.
What is observable on a site
Whatever the courts ultimately decide, the behaviors these claims are built on are visible from the network layer:
- Session-replay or chat scripts capturing input, and when they initialize relative to any consent choice.
- Pixels transmitting IP address, full page URL, and routing metadata on load.
- Search queries routed to third parties.
- Whether anything fires before a visitor interacts with a consent banner, and whether "reject" actually withholds it.
None of that establishes a violation — the law is too contested for that, and much turns on facts a scan cannot see. But it tells you whether your pages exhibit the patterns CIPA plaintiffs build on. Running a detailed scan of your own site can surface most of them quickly.
[Diagram: the three CIPA sections mapped to the website behaviors each targets] [Annotated request waterfall showing a pixel transmitting IP and URL on load, before any consent interaction]
Sources
See what your own pages do
The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.
Run a free scan