Is Your Analytics Script a Wiretap Under California Law?

- A 1967 phone-tapping law is coming for your website
- The numbers are staggering
- Which tools put you at risk
- How plaintiffs find their targets
- The $15,000 letter you don't want to receive
- Cookie banners won't save you
- It's not just California anymore
- The courts are calling it "a total mess"
- What to do right now
- The simplest fix: stop sending data to third parties
Is your analytics script a wiretap under California law? A growing number of courts and plaintiffs' attorneys are arguing yes, and the law they are using was written in 1967 to stop people from tapping telephone lines. A letter arrives from a firm you've never heard of. It says your Google Analytics script intercepted your visitors without their consent. It demands $15,000 to $40,000. Businesses are getting these every week.
- Over 2,341 wiretapping lawsuits have been filed against websites running third-party analytics and tracking scripts, the majority under California's CIPA. Statutory damages are $5,000 per violation.
- California's 1967 Invasion of Privacy Act treats third-party scripts intercepting visitor data as wiretaps. No proof of actual harm is required.
- Google Analytics, Meta Pixel, Hotjar, and chatbot widgets are all being targeted. Four law firms account for 70% of all claims.
- Most cyber insurance policies do not cover CIPA wiretapping claims. The reform bill (SB 690) stalled in committee.
- First-party analytics tools that process data on your own infrastructure are not third-party interceptions and fall outside CIPA's scope.
A 1967 phone-tapping law is coming for your website
CIPA is the California Invasion of Privacy Act. It was signed into law in 1967, during the Cold War, to stop the government and corporations from tapping telephone lines without consent. The statute's stated purpose is to protect "the right of privacy of the people of this State." Phone lines, in other words.
The law sat quiet for decades. Then, around 2022, plaintiffs' attorneys noticed one word. The statute doesn't say "telephone." It says "communication." And when you visit a website running Google Analytics, Meta Pixel, or a session replay tool like Hotjar, your interaction with that website is a communication. A third party intercepts it in real time, without your consent.
That's the legal theory. And it's working.
There are two main claims being filed:
The wiretapping theory (Section 631). When your browser loads a page with a third-party tracking script, that script captures your behavior (clicks, scrolls, form inputs, search queries) and sends it to the vendor's servers simultaneously. Under CIPA, this is characterized as a third party intercepting a communication "in transit" without the consent of all parties.
The pen register theory (Section 638.51). Even if a tracking tool doesn't capture the contents of your communication, it captures your IP address, device info, and browsing patterns. Under CIPA, that's characterized as a "pen register", a device that records "dialing, routing, addressing, or signaling information." This theory has a lower bar because it doesn't require capturing what you typed, just metadata about your connection.
Here is the piece that makes it so powerful: California is an all-party consent state. Unlike federal wiretap law, where one party consenting is enough, California requires consent from all parties before any recording or interception begins. Your consent to share data with Google doesn't count. The visitor has to consent too. Before anything fires.
The numbers are staggering
This is not a thought experiment. The lawsuits are real, and they keep coming.
Fisher Phillips' Digital Wiretapping Litigation Map tracks 2,341 lawsuits filed across the United States since 2022. 79% of them (1,845 cases) landed in California. That's the formal count. Once you add the demand letters and the private arbitration filings that never reach a public docket, legal experts put the real number at 50,000 to 100,000 total claims. Most of this is happening out of sight.
And the money is real too. Oracle paid $115 million to settle claims it tracked consumer activity without consent. FuboTV settled for $3.4 million over data it shared through the Meta Pixel and Google Analytics. GameSpot paid $1.2 million for third-party ad trackers that collected IP addresses.
The one that should stop you cold is the Meta/Flo Health case. A federal jury found Meta violated CIPA by intercepting confidential health data from a period-tracking app through the Meta Pixel. The judge signaled damages could reach $8 billion, the math being 1.6 million California class members at $5,000 each. Plaintiffs argued the ceiling could go as high as $190 billion. That is what $5,000 per person looks like when a lot of people are on the list.
And it is speeding up. Courts issued twice as many CIPA decisions in January 2026 as they did in December 2025. That's the curve doubling in a single month. Every major law firm advisory published this year says the same thing: expect continued or increased filing volume through 2026.
Which tools put you at risk
Not every tracking tool carries the same risk. The whole question comes down to one thing: does a third party with its own interests get a copy of your visitors' data? If yes, you have a problem. If no, you mostly don't.
Google Analytics: actively litigated. In Smith v. Google (2024), a federal court denied Google's motion to dismiss. The court found Google builds a "detailed dossier, or digital fingerprint" for each user and feeds the data into its own ad business. So Google is not a tool working for the website. By that reasoning it's an outside party making money off the data it intercepts.
Meta Pixel: the highest-volume target. Hundreds of cases. The Meta Pixel Healthcare Litigation found Meta's Pixel on hospital websites picked up patient health information. The Meta/Flo Health verdict is the first time a jury found liability outright. And courts keep ruling that the words a visitor types into a site's search bar, which the Pixel then sends off to Meta, count as the "contents" of a communication. Not metadata. The message itself.
Session replay tools (Hotjar, FullStory, Microsoft Clarity): mixed but dangerous. In Mikulsky v. Bloomingdale's (2025), the Ninth Circuit reversed a dismissal. It found that session replay software, watching names, addresses, and credit card numbers go in as the visitor types them, was enough to support a CIPA claim. The line they drew: if the vendor uses the data for its own ends, like training models or fingerprinting you across sites, it's an eavesdropper, not a tool.
TikTok Pixel: growing wave. In Camplisson v. Adidas (2025), the court denied dismissal and found the TikTok Pixel and the Microsoft Bing tracker could count as pen registers under CIPA. That cut against four earlier rulings that went the other way. Now there's a split, which is another way of saying nobody knows yet.
Chatbots (Salesforce, Drift, Intercom): mostly dismissed, but not safe. When the chatbot vendor is just a tool doing the website's bidding, courts have thrown out almost every CIPA claim against it. But what about an AI chatbot that keeps your visitors' conversations to train its own models? That's a different question, and it doesn't have a comfortable answer yet.
Website search bars with third-party plugins. If a tool sends your visitors' search queries off to an outside server, you're exposed, plain and simple. Courts have said it directly: search terms are the "contents" of a communication, not just metadata about it.
The pattern is the same every time. A vendor loads JavaScript on your page. The script watches what your visitor does. It ships that off to the vendor's servers. And the vendor uses it for its own ends, ad targeting or model training or profiling you across the web. Do all four and, by the theory courts are accepting, that vendor is a third-party eavesdropper under CIPA. Keep the data inside your own control and the core theory has nothing to bite on.
How plaintiffs find their targets
You might assume this is a big-company problem. It isn't. The plaintiffs' bar has turned target-hunting into an assembly line, and your website might already be on a list somewhere.
The Facebook Activity Report. Any Facebook user can download a report showing every website that sent their browsing data to Meta. As Traverse Legal documented: "Once a plaintiff's Off-Facebook Activity report exposes which websites have transmitted browsing data to Meta, that single download becomes a roadmap for mass filings." One report, a hundred targets.
Free scanning tools. Plaintiffs' firms point tools like BuiltWith, Wappalyzer, and Blacklight at websites to see which tracking scripts are installed. As Constangy's analysis noted: "There is a trend for plaintiffs to rely on free website scans to identify potential violations, enabling high-volume targeting." The same tool your marketing team uses to peek at a competitor's stack is the tool that builds the lawsuit against you.
Tester plaintiffs. Some people visit websites for the sole purpose of generating a CIPA violation. They poke at chat widgets, half-fill forms, and then use the tracking events that fired as the basis for a claim. One court pushed back, finding a tester plaintiff who "actively sought out privacy violations" lacked standing to sue. Helpful, but that defense doesn't work everywhere.
Serial filers drive the volume. A small group of repeat plaintiffs files hundreds, even thousands, of claims. Coalition's data shows just four law firms file 70% of all web privacy claims. One Los Angeles firm alone has filed over 550 CIPA pixel lawsuits and sent thousands of demand letters that never turned into a public case at all. This is a rerun. It's the ADA website accessibility wave all over again, where 18 firms filed 44% of all ADA cases over 14 years.
The $15,000 letter you don't want to receive
Most CIPA claims never make it to a courtroom. The real action is in the demand letters.
A typical one shows up by mail to your registered agent, or by email, and it threatens a lawsuit or an arbitration claim unless you settle inside a short deadline. The ask: $15,000 to $40,000. That number isn't pulled out of a hat. It's set just low enough to be cheaper than paying a lawyer to fight it, which is exactly why so many businesses just pay.
Jackson Walker's privacy team put it plainly: "There is hardly a week that goes by that we do not receive an inquiry from a business that has received a CIPA-complaint letter."
And paying doesn't make it stop. Traverse Legal documented that companies who settle early get marked as "payers," which only brings more letters from the same plaintiffs.
Refuse to pay, and the next step is mass arbitration. Plaintiffs' firms drop hundreds of individual arbitration demands on a single defendant at once, and each one carries its own filing fees. Under current JAMS mass arbitration rules a single demand runs a $7,500 filing fee, and AAA and the other forums set their own. Multiply that by hundreds of demands landing on the same day and the bill itself becomes the weapon. The pressure is the point.
Now the part that makes this genuinely dangerous. Most cyber insurance policies don't cover CIPA claims. Coalition, a major cyber insurer, reported that 70% of wrongful collection claims are CIPA-related, and many policies write in an exclusion for claims arising from "improper tracking, recording, or monitoring of communications." Your insurer can argue that installing a tracking script was a deliberate business choice, which makes any CIPA violation intentional, which can put it outside what the policy will pay for. The coverage you bought may not reach the claim you end up facing.
Cookie banners won't save you
If your first move is "I'll slap on a cookie consent banner and be done," I have bad news.
The Ninth Circuit settled this in Javier v. Assurance IQ (2022): under CIPA, consent has to come before any recording starts. Not after. Not patched in later. Before. A privacy policy a visitor only sees once they've already used your site isn't consent at all. The timing is the whole game.
"By continuing to browse, you agree" banners fail. The visitor's continued browsing happens at the same time as the script, or after it, never before. And for consent to mean anything under CIPA, the browsing itself can't be the thing that creates the consent. By the time they do anything at all, the interception has already happened.
Privacy policies are disclosures, not consent. Courts keep holding that a privacy policy is not a consent mechanism. Burying consent inside a document the visitor will never open does not count as prior consent for the instant your scripts run on page load.
The worst trap of all: scripts that fire before the banner even loads. This is the technical heart of it. Most tag managers load their JavaScript in the document head. The consent banner shows up after that. So the banner can look perfectly correct to a visitor while the tracking tags have already fired before consent was ever recorded. Dollar Tree and Motorola Mobility are both being sued over banners that failed to actually block third-party cookies from firing when visitors clicked "Reject." The button said no. The scripts didn't listen.
What does work. Ubisoft beat its CIPA claims with consent built in layers: a landing-page banner that blocked every nonessential script until the visitor clicked Accept, an account-creation step that required the visitor to accept the Terms and Privacy Policy, and another pass at checkout. The court dismissed all claims with prejudice. That last bit matters: it means the defense was strong enough that the plaintiff couldn't even rewrite the complaint and take another swing.
Here's the one difference that decided it. Ubisoft's banner genuinely blocked the scripts from loading. Most banners don't. If your consent platform doesn't talk to your tag manager and gate when scripts run, the banner is just decoration on top of a tracker that's already firing.
Banners that fail:
- Banner says "By continuing, you agree"
- Privacy policy link in footer
- "Reject" button doesn't block scripts
- GA4, Meta Pixel fire before any click
Banners that work:
- CMP gates tag manager execution
- "Reject" technically blocks all tags
- Banner discloses third-party data sharing
- Consent recorded before any tracking
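An added example, not code from Clickport or from any consent platform, of the gate described above: nonessential tags are registered in the head but never run until the visitor clicks Accept, Reject actually blocks them, and every fire attempt made before consent is logged so a pre-consent leak shows up. Tag names ("ga4", "metaPixel"), the loader shape and the stand-in script strings are assumptions for illustration.

```javascript
// Added example, not code from Clickport or from any consent platform. It shows
// the gate the text describes: nonessential tags are registered but never run
// until the visitor clicks Accept, Reject actually blocks them, and every fire
// attempt made before consent is recorded so a pre-consent leak is visible.
// Tag names ("ga4", "metaPixel") and the loader shape are illustrative.

function createConsentGate() {
  const loaders = new Map();  // tag name -> function that injects the vendor script
  const loaded = [];          // tags whose loader actually ran
  const attempts = [];        // every fire() call: { tag, consentAtTime }
  let consent = null;         // null = no decision yet, true = Accept, false = Reject

  function fire(tag) {
    attempts.push({ tag, consentAtTime: consent });
    if (consent !== true) return false;          // undecided or rejected: do not load
    const load = loaders.get(tag);
    if (!load || loaded.includes(tag)) return false;
    load();
    loaded.push(tag);
    return true;
  }

  return {
    register(tag, load) { loaders.set(tag, load); },  // called from <head>, loads nothing
    fire,                                             // called by the tag manager trigger
    accept() { consent = true; for (const tag of loaders.keys()) fire(tag); },
    reject() { consent = false; },
    consent: () => consent,
    loaded: () => loaded.slice(),
    // Attempts with no prior Accept: the pattern the Dollar Tree and Motorola
    // complaints describe, a banner on screen while the tags have already gone.
    preConsentAttempts: () => attempts.filter(a => a.consentAtTime !== true),
  };
}

// Simulates one page lifecycle. decision is "accept", "reject" or "none"
// (visitor never clicks). Vendor script URLs are stand-in strings.
function simulatePageLoad(decision) {
  const gate = createConsentGate();
  const injected = [];   // what a real loader would append as <script> tags
  gate.register("ga4", () => injected.push("stand-in: GA4 gtag.js"));
  gate.register("metaPixel", () => injected.push("stand-in: Meta fbevents.js"));

  // The tag manager fires from <head>, before any banner exists.
  // With the gate in place both calls are blocked and logged.
  gate.fire("ga4");
  gate.fire("metaPixel");

  // The banner renders later and the visitor decides.
  if (decision === "accept") gate.accept();
  if (decision === "reject") gate.reject();

  // A later event, e.g. a route change, tries to fire GA4 again.
  gate.fire("ga4");

  return {
    consent: gate.consent(),
    loaded: gate.loaded(),
    injected,
    blockedBeforeConsent: gate.preConsentAttempts().length,
  };
}

console.log(simulatePageLoad("reject")); // nothing loaded, 3 blocked attempts
```

Wiring this to a real page means the tag manager's trigger calls `fire()` instead of injecting the script itself, and the banner's buttons call `accept()` or `reject()`; if `preConsentAttempts()` is ever non-empty in production, the banner is decoration.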
It's not just California anymore
CIPA gets the headlines, but the theory has gone national. Online tracking claims have now been filed across dozens of states, against thousands of separate defendants, over the last three years. California started it. It didn't stay there.
Florida is the next California. The Florida Security of Communications Act (FSCA) is a 1969 all-party consent law that carries up to $1,000 per violation in statutory damages. In March 2025 a federal court refused to dismiss FSCA claims against Orlando Health for running Meta and Google tracking pixels on its patient portal. Hundreds of near-identical small claims came right behind it.
Pennsylvania is a second front, and it's been open a while. The Third Circuit's 2022 ruling in Popa v. Harriet Carter Gifts found that JavaScript rerouting browsing data to a third-party marketing firm counted as an interception under the state wiretap act.
And you don't have to be in California to be sued in California. In Briskin v. Shopify (2025), the Ninth Circuit ruled en banc that Shopify, a Canadian company, could be pulled into California court because its platform collected and made money from California users' data as a matter of ordinary business. Read that again. If your site has California visitors and you collect their data, California court is on the table no matter where you sit.
There is one bright spot, and it's Massachusetts. The state's highest court ruled in Vita v. New England Baptist Hospital (2024) that web browsing is not a "communication" under its wiretap law. If other states pick up that reasoning, the whole expansion could narrow. So far, none have.
The courts are calling it "a total mess"
The law here contradicts itself, confuses everyone, and keeps getting worse. The judges hearing these cases are fed up too.
In October 2025, Judge Vince Chhabria of the Northern District of California ruled for the defense in a Meta Pixel case, then turned around and called CIPA "a total mess" that is "borderline impossible" to apply to how the internet moves data today. He told the California Legislature to "step up" and said "it would probably be best to erase the board entirely and start writing something new." When the judge wants the statute thrown out and rewritten, you know the ground is not stable.
The Ninth Circuit made it murkier still. Inside a 48-hour window in June 2025, two of its own panels sent opposite signals:
- June 18: In Thomas v. Papa John's, the court affirmed dismissal, ruling that "a party to a conversation cannot be liable under section 631 for 'eavesdropping' on its own conversation." A win for defendants.
- June 20: In Mikulsky v. Bloomingdale's, the same court reversed a dismissal, finding the session replay allegations plausibly stated a CIPA claim where the vendor had its own independent data interests. A win for plaintiffs.
Same circuit. Same week. Opposite outcomes.
So what about a legislative fix? There was one. SB 690 would have carved out a "commercial business purpose" exemption to line CIPA up with the CCPA framework. It cleared the California Senate unanimously, 35-0. Then it stalled in the Assembly once the EFF, the ACLU, and plaintiffs' attorneys lined up against it, arguing the exemption was too broad. It's now a two-year bill, which means no relief until 2027 at the earliest. If it ever passes at all.
Duane Morris put it bluntly: "There is no possibility it will take effect before 2027, if it is ever reconsidered at all." So don't plan around a rescue from the legislature. It isn't coming soon.
What to do right now
You don't have to sit and wait for a new law. These are the steps privacy lawyers at Shumaker, Hintze Law, Gunderson Dettmer, and Fisher Phillips keep coming back to:
1. Audit your tracking stack. Point a free tool like Wappalyzer or Blacklight at your own pages and see exactly what fires on load. Plenty of businesses have no clue what their marketing team, or some web agency three years ago, left behind. You can't fix what you don't know is there.
2. Inventory your third-party data recipients. Write down every vendor that gets data off your site: analytics, ad pixels, chat platforms, session replay tools, CRM integrations. For each one, answer a single question. Does it use the data for itself, or only to serve you?
3. Remove high-risk tools you don't need. Installed the Meta Pixel for one Facebook ad campaign back in 2023 and never touched it since? Take it off. Have Hotjar but never watch the recordings? Take it off. Every third-party script you don't use is just attack surface sitting there.
4. If you keep third-party tools, gate them behind real consent. That means a consent platform that hooks into your tag manager and blocks every nonessential script until the visitor clicks Accept. Not "by continuing you agree." Not pre-checked boxes. A real opt-in, before any data leaves your domain.
5. Read your vendor contracts. Make sure each one limits the vendor to using your data only to provide its service to you. If Google's or Meta's terms reserve the right to use it for their own ad targeting, model training, or cross-site profiling, that's the "independent data interest" that turns them into a third-party eavesdropper under CIPA.
6. Have a demand-letter playbook ready. Find outside counsel who knows CIPA before a letter ever shows up. When one does, the deadline is short, and decisions made in a panic tend to be the expensive kind.
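An added example, not code from Clickport or from any of the firms or scanners named above, that does the inventory work of steps 1 and 2 on a constructed sample page load: it classifies each requested resource as first- or third-party, names the vendor where the host is recognizable, and flags third-party requests that carry the visitor's own search terms, the "contents" courts keep pointing to. The host table is a short illustrative assumption, not a complete list, and the sample page, resource URLs and pixel parameter names are constructed.

```javascript
// Added example, not code from Clickport or from any of the firms or scanners
// named above. It classifies each requested resource as first- or third-party,
// names the vendor where the host is recognizable, and flags third-party
// requests that carry the visitor's own search terms. The host table is a short
// illustrative assumption, not a complete list; in a browser the URL list would
// come from performance.getEntriesByType("resource").map(e => e.name).

const KNOWN_TRACKER_HOSTS = {
  "www.googletagmanager.com": "Google Tag Manager / GA4",
  "connect.facebook.net": "Meta Pixel loader",
  "www.facebook.com": "Meta Pixel events",
  "static.hotjar.com": "Hotjar session replay",
  "analytics.tiktok.com": "TikTok Pixel",
};

// Words the visitor typed, read from the page's own search parameter.
function searchTerms(pageUrl, params = ["q", "s", "query", "search"]) {
  const u = new URL(pageUrl);
  for (const p of params) {
    const v = u.searchParams.get(p);
    if (v) return v.toLowerCase().split(/\s+/).filter(Boolean);
  }
  return [];
}

function auditPageLoad(pageUrl, resourceUrls, firstPartyHosts = []) {
  const site = new URL(pageUrl).hostname;
  const terms = searchTerms(pageUrl);
  const byHost = new Map();
  for (const raw of resourceUrls) {
    let u;
    try { u = new URL(raw, pageUrl); } catch { continue; }  // skip malformed entries
    const host = u.hostname;
    const firstParty = host === site || host.endsWith("." + site) || firstPartyHosts.includes(host);
    const entry = byHost.get(host) || {
      host,
      firstParty,
      vendor: firstParty ? "you" : (KNOWN_TRACKER_HOSTS[host] || "unrecognized third party"),
      requests: 0,
      carriesSearchTerms: false,
    };
    entry.requests += 1;
    // Search terms leaving your domain are contents, not connection metadata.
    let tail = u.search + u.hash;
    try { tail = decodeURIComponent(tail); } catch { /* keep raw on bad encoding */ }
    if (!firstParty && terms.some(t => tail.toLowerCase().includes(t))) entry.carriesSearchTerms = true;
    byHost.set(host, entry);
  }
  const all = [...byHost.values()];
  return {
    thirdParties: all.filter(e => !e.firstParty),
    contentsLeaks: all.filter(e => e.carriesSearchTerms).map(e => e.host),
  };
}

// Constructed sample: a pharmacy search page running GA4 and the Meta Pixel,
// plus a CDN host you contract directly. The pixel event URL is shaped like a
// tracker request but uses made-up parameter names.
const SAMPLE_PAGE = "https://shop.example.com/search?q=insulin+pump";
const SAMPLE_RESOURCES = [
  "/static/app.js",
  "https://cdn.shop.example.com/style.css",
  "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://www.facebook.com/tr/?id=000&ev=Search&search=insulin%20pump",
  "https://img.example-cdn.net/hero.jpg",
];
const REPORT = auditPageLoad(SAMPLE_PAGE, SAMPLE_RESOURCES, ["img.example-cdn.net"]);
console.log(JSON.stringify(REPORT, null, 2)); // 3 third parties; contents leak to www.facebook.com
```

Every host in `thirdParties` is a name for the step 2 inventory, and every host in `contentsLeaks` is one whose contract and consent gating deserve a look first.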
The simplest fix: stop sending data to third parties
Every part of CIPA liability traces back to one thing: a third party intercepting your visitors' communications without their consent.
Take the third party out and the whole legal theory falls apart.
The Ninth Circuit confirmed it in so many words. In Thomas v. Papa John's (2025): "a party to a conversation cannot be liable under section 631 for 'eavesdropping' on its own conversation." If the only parties to the communication are you and your visitor, there is no eavesdropper, and no CIPA claim to bring.
Crowell & Moring boiled it down: "If a third-party technology provider does not have the right to make independent use of the communications it records, it is a mere tool of the website operator and is protected by the direct party exception."
That is why the line between third-party and first-party analytics matters so much right now.
Third-party analytics flow:
1. Third-party JS loads from Google/Meta
2. Data sent to Google/Meta servers
3. Vendor uses data for ad targeting, AI training, cross-site profiling
First-party analytics flow:
1. Lightweight script sends events
2. Data goes to your analytics server
3. No third party. No independent data use. No cookies.
When Google gets your visitors' data, it reads it, builds advertising profiles from it, and trains AI models on it. Google is not your tool. Google is a third party with its own commercial interests. A federal court said exactly that when it denied Google's motion to dismiss.
When a privacy-first analytics tool only ever processes data on the website operator's behalf, with no right to use or sell it on its own, the vendor gets treated as an extension of the website operator. No separate party. No interception. No CIPA claim.
That's a difference of structure, not a legal technicality. It's built into how the data flows.
Clickport is built this way from day one. No cookies, no fingerprinting, no third-party data sharing. Your analytics data goes to your dashboard and nowhere else. We don't use it, sell it, train models with it, or build profiles from it.
The CIPA landscape is a mess. Courts are split. The legislature is stuck. The plaintiffs' bar is filing faster than it ever has. But fixing your own website doesn't depend on a judge or a senator. It comes down to one decision you can make today: stop handing your visitors' data to companies that use it for themselves.
You can set up Clickport in five minutes and remove the third-party interception that CIPA is built to punish. No consent banner. No gray area. Just analytics that respect your visitors and keep you off the target list.