It’s 2025, and somehow we’re still dealing with lawsuits over a law born in the era of pen registers and rotary phones. That law, the California Invasion of Privacy Act (CIPA), is a decades-old statute that has suddenly found new life in the digital age, and it could put your company in legal crosshairs based on its website and its tracking technology.
Over the past year, we’ve seen a sharp uptick in demand letters and litigation targeting businesses over alleged privacy violations tied to digital website tools like:
- Chatbots and live chat features
- Website analytics tools
- Ad campaign tracking (Meta Pixel)
- Social media plugins and integrations
In many of these cases, plaintiffs allege that businesses are “eavesdropping” on users, all under the theory that using these technologies without their consent violates CIPA.
Enacted in 1967, CIPA outlawed wiretapping and pen registers, tools used to monitor telephone calls and communication metadata.
Fast forward to today: plaintiffs are arguing that third-party tracking cookies, IP address collection, session replays, and chatbots serve as modern-day equivalents of those old-school surveillance devices. And, surprisingly, some courts are letting these arguments move forward.
What can you do to avoid these types of claims? First, ask yourself some basic questions:
- Do you operate a website or mobile app?
  - If yes, you’re already in the conversation. These are the primary platforms where privacy issues pop up.
- Do you use a chatbot or live chat feature?
  - If you’ve installed any customer support chat tool, even through a third-party vendor, you could be logging and transmitting data that CIPA litigants say violates user privacy.
- Are you using web analytics, ad tracking, or social media plugins?
  - These tools often track user behavior via cookies, beacons, or IP logs, which are now being challenged as CIPA violations.
- Does your website have a privacy policy?
  - If so, is it up-to-date and accurate? A vague or outdated policy can hurt you more than it helps.
- Do you have a cookie notice and consent mechanism?
  - Simply saying “we use cookies” isn’t enough anymore. Laws increasingly require clear disclosures and opt-in mechanisms, especially in California and Europe.
- Does your chatbot have a disclaimer?
  - Users should know what data is collected via chat and how it’s used. Having no disclaimer could be a big risk.
What actions can you take?
- Update your privacy policy: make sure it reflects all current data practices, including chat features, tracking tools, and any third-party sharing, and that it is compliant with applicable consumer privacy rights laws.
- Give notice and get consent: for tools like analytics and targeted advertising, disclosure is key. In some jurisdictions, prior consent is required before deploying any tracking technology.
- Review your chat tools: add a disclaimer or notification to users when they engage with chat features, explaining how their data is handled.
- Rethink your tech stack: not all third-party vendors are created equal. Vet your service providers, understand their data practices, and ensure contracts include privacy and indemnification clauses.
These CIPA (or trap and trace) lawsuits are not fringe cases anymore. They’re part of a broader wave of privacy litigation targeting the ad tech ecosystem. The claims may sound like a stretch, but courts are entertaining them. Businesses that don’t stay ahead of these developments may find themselves paying to settle lawsuits they didn’t even see coming.
If your business touches user data online, you can’t afford to ignore these issues. A proactive approach to privacy and transparency is no longer optional.