CIPA: An Old Law with Modern Risks

The California Invasion of Privacy Act (CIPA), enacted in 1967, was originally designed to prohibit wiretapping without the consent of all parties. Ironically, the law that was put in place decades before most people knew what the internet was creates significant risk for any business with an online presence today. Companies with websites, particularly those using cookies, pixels, chat tools, and other tracking technologies, must take CIPA compliance seriously, as lawsuits and demand letters for alleged violations are on the rise.

CIPA Risks in the Digital Landscape

CIPA was enacted to address concerns about wiretapping and recording communications. The law prohibits recording telephone calls without proper consent and intercepting communications without authorization. However, plaintiffs have increasingly applied CIPA in a new way: arguing that website tracking technologies function as unlawful “wiretaps.”

Allegations in a CIPA lawsuit often include:

  • A visitor’s communications with a website are being intercepted
  • A third party (e.g., an analytics or advertising provider) receives that data
  • The business did not obtain proper prior consent

Regardless of size or industry, a business needs to account for CIPA rules and risks if its website uses any of the following tools:

  • Analytics tools
  • Advertising pixels
  • Session replay software
  • Chat functionality
  • Third-party marketing tags
  • Behavioral advertising tools

How CIPA Compares to the CCPA

California enacted another privacy-focused law with the California Consumer Privacy Act (CCPA). CIPA and the CCPA share some similarities: both regulate the collection and sharing of personal information, and both affect digital advertising and tracking. However, there are differences between the two, so compliance with one doesn't guarantee compliance with the other. Here are some of the key differences between CIPA and the CCPA.

Opt-Out vs. Opt-In

The CCPA is primarily an opt-out regime. Businesses may collect and share data, but they must provide a clear mechanism for consumers to opt out of the sale or sharing of personal information. Think of CIPA as an all-party (commonly called "two-party") consent law. Under the theory plaintiffs advance, it requires businesses to obtain consent before transmitting a visitor's communications to third parties, not merely to offer a way to opt out afterward.

Private Right of Action

CIPA includes a private right of action, hence the lawsuits we are seeing. The CCPA only allows private lawsuits in the case of data breaches.

CIPA (California Invasion of Privacy Act) vs. CCPA / CPRA (California Consumer Privacy Act)

Original Purpose
  CIPA: Enacted to prevent wiretapping and unauthorized interception of communications. Originally focused on phone calls and recordings.
  CCPA / CPRA: Enacted to give California consumers transparency and control over how businesses collect, use, sell, and share personal information.

Primary Focus
  CIPA: Interception or recording of communications without consent.
  CCPA / CPRA: Collection, sale, sharing, and use of personal information.

Application to Websites
  CIPA: Plaintiffs argue that third-party cookies, pixels, chat tools, or session replay technologies constitute unlawful “interception” of communications.
  CCPA / CPRA: Regulates how businesses disclose tracking practices and provides consumers with the right to opt out of sale/sharing.

Consent Standard
  CIPA: Requires prior consent (opt-in) before transmitting communications to third parties.
  CCPA / CPRA: Generally an opt-out regime for the sale or sharing of personal information.

Private Right of Action
  CIPA: A broad private right of action, frequently used in class action lawsuits.
  CCPA / CPRA: Limited private right of action (primarily for certain data breaches).

Enforcement Drivers
  CIPA: Enforced through private litigation and demand letters.
  CCPA / CPRA: Enforced by the California Privacy Protection Agency (CPPA) and the Attorney General; limited private litigation.

CIPA Risk Mitigation Strategies

Here are some strategies and actions businesses can take to help ensure the tools on their websites are not exposing them to unnecessary CIPA risks:

  • Implement an opt-in model for consent. Businesses should only enable tracking on their website after obtaining affirmative consent. That said, consent must be meaningful. Banner language should be clear, conspicuous, and transparent about the involvement of third-party analytics or advertising technologies.
  • Server-side tracking is another option. In this scenario, the data from web trackers is sent to the business’s servers first. This allows businesses to filter the data and determine what will be shared with a third party. Businesses could make another attempt to gain consent before sharing the data.
  • Businesses can also anonymize the data, so there is no personal information shared with the third party. The downside is that anonymization makes tracking more difficult.
  • Delay the activation of non-essential cookies and scripts until after user interaction with a consent banner.
  • Conduct a structured audit of trackers, map data flows, review vendor relationships, and align privacy disclosures with actual technical behavior.
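The opt-in and "delay activation until consent" strategies above come down to one technical rule: no non-essential third-party script may load, and no visitor data may leave the page, before an affirmative, recorded choice exists. The following is an added example written for this article, not code from CompliancePoint or from any consent-management product. It shows the gating logic in the browser: a registry of tags with their consent categories, a default-deny decision function, a consent record that captures what was agreed to and when, and a one-time activation step. The tag names, vendor URLs, category names and the "necessary" classification are hypothetical; which tools a business may treat as strictly necessary is a judgment for its privacy review, not something this code decides.

```javascript
// Added example (not from the original article). Tag ids, categories and
// vendor URLs are hypothetical placeholders.

// Registry of every third-party tag on the site. Tags marked "necessary" may
// load without consent; everything else stays blocked until the visitor opts in.
const TAG_REGISTRY = [
  { id: "first-party-app", category: "necessary",      src: "/static/app.js" },
  { id: "analytics-vendor", category: "analytics",     src: "https://analytics.example/tag.js" },
  { id: "ad-pixel",         category: "advertising",   src: "https://ads.example/pixel.js" },
  { id: "session-replay",   category: "session_replay", src: "https://replay.example/rec.js" },
  { id: "chat-widget",      category: "chat",          src: "https://chat.example/widget.js" },
];

const OPTIONAL_CATEGORIES = ["analytics", "advertising", "session_replay", "chat"];

// Default-deny decision: which tags may run under a given consent state.
// A missing, malformed or declined consent (given !== true) yields only the
// "necessary" tags. Nothing is ever activated "optimistically" and torn down
// later, because the first transmission is the event a CIPA claim turns on.
function tagsAllowedBy(registry, consent) {
  const granted = new Set(consent && consent.given === true ? consent.categories : []);
  return registry.filter(t => t.category === "necessary" || granted.has(t.category));
}

// Builds the record to persist (first-party cookie plus a server-side log) so
// the business can later show what was agreed to, when, and against which
// version of the banner text. Unknown categories are dropped, not trusted.
function recordConsent(selectedCategories, bannerVersion, now = new Date()) {
  const allowed = new Set(OPTIONAL_CATEGORIES);
  const categories = [...new Set(selectedCategories)].filter(c => allowed.has(c));
  return { given: true, categories, bannerVersion, timestamp: now.toISOString() };
}

// Activates each allowed tag at most once. `loader` is injected so the logic
// runs without a DOM; `activated` tracks ids across calls (page load, then the
// banner's accept handler). Returns the ids activated by this call.
function activateTags(registry, consent, loader, activated = new Set()) {
  const newlyActivated = [];
  for (const tag of tagsAllowedBy(registry, consent)) {
    if (activated.has(tag.id)) continue;
    loader(tag);
    activated.add(tag.id);
    newlyActivated.push(tag.id);
  }
  return newlyActivated;
}

// Browser loader: inserts a <script> element for a tag that has been cleared.
// Only call this through activateTags, never directly from a template.
function browserLoader(tag) {
  const el = document.createElement("script");
  el.src = tag.src;
  el.async = true;
  el.dataset.consentCategory = tag.category;
  document.head.appendChild(el);
}

// Typical wiring in a page (guarded so the file also runs under Node).
if (typeof document !== "undefined") {
  const activated = new Set();
  // On load: whatever is stored, or null on a first visit -> necessary tags only.
  const stored = JSON.parse(localStorage.getItem("consent") || "null");
  activateTags(TAG_REGISTRY, stored, browserLoader, activated);
  // From the banner's accept handler, with the categories the visitor ticked:
  window.onConsentAccepted = (selected, bannerVersion) => {
    const record = recordConsent(selected, bannerVersion);
    localStorage.setItem("consent", JSON.stringify(record));
    return activateTags(TAG_REGISTRY, record, browserLoader, activated);
  };
}
```

Two practical caveats. First, the gate has to sit in front of everything that can load a vendor script, including a tag manager: if the tag manager itself is allowed to run before consent and then pulls in analytics or pixel scripts, the gate is bypassed. Second, a script that has already run cannot be "unloaded"; a later withdrawal of consent should update the stored record and take effect on the next page load, and the server-side log should show both the grant and the withdrawal.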

At CompliancePoint, we have an experienced team dedicated to helping businesses leverage the power of web tracking tools while remaining compliant with CIPA and the CCPA. Reach out to us at connect@compliancepoint.com to learn more about our Cookie Management Services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.