
CIPA Compliance for Business Websites: The 2026 Guide
CIPA, the California Invasion of Privacy Act (Penal Code Sections 630-638), is a 1967 wiretapping law now being used to sue businesses over everyday website tools like chat widgets, tracking pixels, and analytics. Statutory damages run $5,000 per violation, and any business with California visitors is exposed, even outside California.
That last part surprises most business owners. You do not need to be based in California. You do not need to sell to California. If California residents can load your website and your site sends their data to a third party without consent, plaintiff law firms consider you a target.
The Clay Media helps business owners audit, fix, and monitor their websites so a routine marketing tool does not turn into a five-figure demand letter. This guide covers what CIPA is, why lawsuits exploded, which tools create risk, and exactly how to get compliant.
What is the California Invasion of Privacy Act?
CIPA was passed in 1967 to stop people from secretly recording phone calls. California is an all-party consent state: everyone on a call must agree to being recorded. For decades the law lived quietly in that lane.
Then plaintiff attorneys realized the same language could describe modern websites. Three sections do the heavy lifting:
- Section 631 (wiretapping): intercepting a communication in transit without consent. Applied to chat widgets and session replay tools that route visitor conversations and behavior through third-party vendors.
- Section 632 (recording): recording a confidential communication without all-party consent.
- Section 638.51 (pen register): capturing routing and addressing data, like IP addresses and device identifiers, without authorization. This is the theory behind the newer wave of tracking pixel claims.
The penalty structure is what makes CIPA dangerous: $5,000 per violation or three times actual damages, plus attorney fees, with a private right of action. A plaintiff does not need to prove they were harmed in any concrete way to send a demand letter.
Why did CIPA lawsuits explode in 2025 and 2026?
Three reasons: volume economics, unsettled courts, and a stalled fix.
Claim volume has grown every year. Public filings went from a few dozen in 2022 to several hundred in 2024, and 2026 is projected to exceed 3,500 filings, with demand letters estimated in the tens of thousands beyond that. Most claims never become public because businesses settle quietly, typically for amounts between $5,000 and $50,000. For plaintiff firms it is a numbers game: scan websites with automated tools, send boilerplate letters, collect settlements.
Courts remain divided. Some judges have dismissed pen register theories against routine browser tracking, while others have let nearly identical claims proceed into discovery. High-profile settlements keep the incentive alive, including a multimillion-dollar class settlement by a major newspaper over website and app tracking, and a $5 million settlement by a national retail chain whose ad pixels fired before any consent interaction.
SB 690, the California bill that would have created a commercial business purpose exception and shut down most of these claims, stalled in the legislature. Until something like it passes, the demand letters continue.
The 2026 cases have also shifted focus. Early lawsuits argued about whether a pixel could “intercept” anything at all. Current cases assume it can and ask a narrower question: did tracking fire before the visitor consented? If your tags load on page view, before anyone touches your cookie banner, plaintiffs argue the violation already happened. Courts have also targeted the “broken banner” scenario, where a visitor declines tracking and the site keeps tracking anyway.
Which website tools trigger CIPA claims?
If your site sends visitor data to an outside service, it is potential exposure. The most commonly targeted tools:
| Tool on your site | Why plaintiffs target it | CIPA theory |
|---|---|---|
| Meta, Google, TikTok, LinkedIn pixels | Send page views, clicks, and form data to ad platforms | Section 631 / 638.51 |
| Google Analytics and similar | Capture visitor behavior and identifiers | Section 638.51 |
| Live chat and chatbot widgets | Route conversations through third-party vendors | Section 631 |
| Session replay and heatmaps | Record every click, scroll, and keystroke | Section 631 |
| Embedded forms feeding a CRM | Transmit typed content to outside platforms | Section 631 |
| Search bars wired to analytics | Send what visitors type to third parties | Section 631 |
| Email tracking pixels | Report opens without recipient consent | Section 631 emerging |
Almost every modern business website runs several of these. The question is not whether you have exposure. It is whether you have defenses in place.
Not sure what your website is sending, or to whom?
Our Website Security Reinforcement Package includes a full third-party script audit: every pixel, widget, and tracker identified, documented, and locked down. Or start with a free CIPA Exposure Scan below.
How do you make a website CIPA compliant?
Reducing CIPA exposure comes down to four layers. Having a cookie banner is not enough; what matters is what your site actually does before and after a visitor makes a choice.
1. Inventory every third-party tool.
List every pixel, analytics script, chat widget, session recorder, heatmap, and embedded form. Most owners find tools they forgot installing. Remove anything you are not actively using; every unused tracker is pure risk with zero benefit.
2. Install a consent management platform that blocks first.
The banner must stop all non-essential scripts from firing until the visitor consents. Accept and decline options need equal prominence, visitors must be able to withdraw consent later, and the CMP should honor Global Privacy Control signals. Firing order is everything: tags that load a millisecond before consent are exactly what 2026 lawsuits target.
3. Match your policies to reality.
Your privacy policy and cookie policy must accurately describe what you collect, which third parties receive it, and why. A banner that promises no tracking while tracking continues is worse than no banner, because it adds misrepresentation claims on top of CIPA claims.
4. Add disclosures where communication happens.
Chat widgets need clear notice that conversations may be recorded or routed through a vendor. Forms and search features connected to third-party tools need the same transparency.
Then maintain it. Websites change: someone adds a new pixel for a campaign, a plugin update introduces a tracker, a vendor changes what their script collects. Compliance is a state you maintain, not a task you finish. That is why our WordPress Maintenance and Website Management plans include ongoing script monitoring, so a marketing decision made in March does not become a demand letter in June.
What should you do if you receive a CIPA demand letter?
Do not ignore it, and do not panic-pay it. These letters are boilerplate sent in bulk, but ignoring one can convert it into an actual lawsuit with statutory damages and attorney fee exposure. Preserve the letter, document your website’s current configuration, and contact a qualified privacy attorney before responding. Then fix the underlying exposure immediately, because a corrected site strengthens your position and makes the next letter far less likely against the next letter.
How does CIPA fit with your other marketing?
Here is the tension: the same tools that create CIPA risk are the tools that make marketing measurable. Ripping out all analytics and ad pixels is not a real strategy for a growing business. The answer is consent-based tracking done correctly, so you keep your data and your lead generation engine while sharply reducing the legal exposure. Done right, a compliant setup also builds visitor trust, and trust converts.
Start with a free CIPA Exposure Scan
We will scan your website the same way plaintiff firms do: fresh session, no cookies, and document every tracker that fires before consent. You get a plain-English report of your exposure and what to fix. No obligation.
Frequently Asked Questions
Does CIPA apply to businesses outside California?
Yes. CIPA claims are based on where the website visitor is located, not the business. If California residents visit your site and your tracking tools send their data to third parties without consent, out-of-state businesses can and do receive demand letters and lawsuits.
How much are CIPA penalties?
CIPA provides statutory damages of $5,000 per violation or three times actual damages, whichever is greater, plus attorney fees. Demand letters commonly seek settlements between $5,000 and $50,000, and class actions against larger companies have settled for millions.
Is Google Analytics a CIPA violation?
Not automatically, but analytics tools that capture visitor identifiers and behavior before consent are a common basis for CIPA pen register claims. Running analytics behind a consent banner that blocks the script until the visitor agrees substantially reduces the risk.
Is a cookie banner enough to be CIPA compliant?
No. The banner must actually block all non-essential scripts until consent is given, offer equally prominent accept and decline options, and honor the visitor’s choice. 2026 lawsuits specifically target sites where tags fire before consent or where tracking continues after a visitor declines.
What is a CIPA demand letter?
A pre-litigation letter from a plaintiff attorney alleging your website’s tracking tools violated CIPA, typically demanding a settlement to avoid a lawsuit. They are sent in bulk using automated website scans. Ignoring one can result in an actual filing, so respond with counsel and fix the underlying exposure.
How long does CIPA compliance take?
For most small business websites, a full remediation takes one to two weeks: auditing all third-party scripts, removing unused trackers, installing and configuring a consent management platform, updating policies, and adding chat disclosures. Ongoing monitoring keeps the site compliant as it changes.
This guide is for general informational purposes only and does not constitute legal advice. CIPA litigation is evolving and court decisions vary. If you have received a demand letter or face potential litigation, consult a qualified privacy attorney about your specific situation.