Is Your Analytics Script a Wiretap Under California Law?
2,341 lawsuits filed across the United States. $5,000 per violation with no proof of actual harm required. A federal judge signaling $8 billion in potential damages against Meta alone. And the reform bill that would have fixed this? Stalled in committee.
I'm David, founder of Clickport. I build privacy-first analytics, which means I spend a lot of time reading about privacy law. And right now, the single scariest legal development for website owners isn't GDPR, isn't the CCPA, and isn't the cookie consent wars. It's a 1967 California phone-tapping law called CIPA that plaintiffs' attorneys have figured out how to aim at your Google Analytics script.
This isn't a hypothetical risk. Businesses are receiving demand letters every single week. Four law firms are responsible for 70% of all claims. And most cyber insurance policies don't cover it.
Here's everything you need to know.
A 1967 phone-tapping law is coming for your website
CIPA stands for the California Invasion of Privacy Act. It was signed into law in 1967, during the Cold War, to stop the government and corporations from tapping telephone lines without consent. The statute's stated purpose is to protect "the right of privacy of the people of this State."
The law sat relatively quiet for decades. Then, around 2022, plaintiffs' attorneys realized something: the language of CIPA doesn't say "telephone." It says "communication." And when you visit a website that runs Google Analytics, Meta Pixel, or a session replay tool like Hotjar, your interaction with that website is a communication. A communication that a third party is intercepting in real time, without your consent.
That's the legal theory. And it's working.
There are two main claims being filed:
The wiretapping theory (Section 631). When your browser loads a page with a third-party tracking script, that script captures your behavior (clicks, scrolls, form inputs, search queries) and sends it to the vendor's servers simultaneously. Under CIPA, this is characterized as a third party intercepting a communication "in transit" without the consent of all parties.
The pen register theory (Section 638.51). Even if a tracking tool doesn't capture the contents of your communication, it captures your IP address, device info, and browsing patterns. Under CIPA, that's characterized as a "pen register", a device that records "dialing, routing, addressing, or signaling information." This theory has a lower bar because it doesn't require capturing what you typed, just metadata about your connection.
The critical piece that makes this so powerful: California is an all-party consent state under CIPA. Unlike federal wiretap law, where one party consenting is enough, California requires consent from all parties before any recording or interception begins. Your website's consent to sharing data with Google doesn't count. The visitor has to consent too. Before anything fires.
The numbers are staggering
This isn't a theoretical legal exercise. The litigation is massive and accelerating.
Fisher Phillips' Digital Wiretapping Litigation Map tracks 2,341 lawsuits filed across the United States since 2022. 79% of them (1,845 cases) were filed in California. Beyond the formal lawsuits, legal experts estimate 50,000 to 100,000 total claims when you count pre-suit demand letters and private arbitration filings that never become public.
The settlement amounts are real. Oracle paid $115 million for tracking consumer activity without consent. FuboTV settled for $3.4 million over Meta Pixel and Google Analytics data sharing. GameSpot paid $1.2 million for third-party ad trackers collecting IP addresses.
But the real headline is the Meta/Flo Health case. A federal jury found Meta violated CIPA by intercepting confidential health data from a period-tracking app via the Meta Pixel. The judge signaled damages could reach $8 billion based on 1.6 million California class members at $5,000 each. Plaintiffs argued the theoretical maximum could hit $190 billion.
And the pace is accelerating. Courts issued twice as many CIPA decisions in January 2026 as in December 2025. Every major law firm advisory published this year predicts continued or increased filing volume through 2026.
Which tools put you at risk
Not all tracking tools carry the same CIPA exposure. The legal distinction comes down to one question: does a third party with its own interests receive your visitors' data?
Google Analytics: actively litigated. In Smith v. Google (2024), a federal court denied Google's motion to dismiss, finding that Google creates a "detailed dossier, or digital fingerprint" for each user and uses the data to serve its own ad business. Google is not just a tool serving the website operator. It's an independent third party that profits from intercepted data.
Meta Pixel: the highest-volume target. Hundreds of cases filed. The Meta Pixel Healthcare Litigation found that Meta's Pixel on hospital websites intercepted patient health information. The Meta/Flo Health verdict is the first jury finding of liability. Courts have consistently held that search terms entered into website search bars and transmitted to Meta via the Pixel constitute "contents" of a communication.
Session replay tools (Hotjar, FullStory, Microsoft Clarity): mixed but dangerous. In Mikulsky v. Bloomingdale's (2025), the Ninth Circuit reversed a dismissal, finding that session replay software capturing names, addresses, and credit card information in real time supported a CIPA claim. If the vendor uses data for its own purposes (training models, cross-site fingerprinting), it's an eavesdropper, not a tool.
TikTok Pixel: growing wave. In Camplisson v. Adidas (2025), the court denied dismissal and found the TikTok Pixel and Microsoft Bing tracker could constitute pen registers under CIPA. This directly contradicted four prior rulings, creating a split.
Chatbots (Salesforce, Drift, Intercom): mostly dismissed, but not safe. Courts have nearly uniformly rejected chatbot CIPA claims when the vendor acts purely as the website operator's tool. But if the chatbot vendor uses conversation data for its own AI training? That changes the analysis entirely.
Website search bars with third-party plugins. Any tool that routes your visitors' search queries to an external server is directly exposed. Courts have explicitly held that search terms are "contents" of a communication, not just metadata.
The common thread: if a vendor loads JavaScript on your page, captures visitor behavior, sends it to the vendor's own servers, and the vendor uses that data for its own purposes (ad targeting, model training, cross-site profiling), that vendor is a third-party eavesdropper under CIPA. If the data never leaves your control, the core CIPA theory doesn't apply.
How plaintiffs find their targets
You might think this only happens to big companies. It doesn't. The plaintiffs' bar has industrialized the process of finding targets, and your website might already be on a list.
The Facebook Activity Report. Every Facebook user can download a report showing every website that sent their browsing data to Meta. As Traverse Legal documented: "Once a plaintiff's Off-Facebook Activity report exposes which websites have transmitted browsing data to Meta, that single download becomes a roadmap for mass filings."
Free scanning tools. Plaintiffs' firms use tools like BuiltWith, Wappalyzer, and Blacklight to scan websites and identify installed tracking scripts. As Constangy's analysis noted: "There is a trend for plaintiffs to rely on free website scans to identify potential violations, enabling high-volume targeting." The same tools your marketing team uses to check competitors can be used to build a lawsuit.
Tester plaintiffs. Some individuals visit websites specifically to generate CIPA violations. They interact with chat widgets, fill out partial forms, and use the resulting tracking events as the basis for claims. One court pushed back, finding a tester plaintiff who "actively sought out privacy violations" lacked standing. But this defense is not available everywhere.
Serial filers drive the volume. A small pool of repeat plaintiffs files hundreds or thousands of claims. Coalition's data shows that just four law firms file 70% of all web privacy claims. One Los Angeles firm has filed over 550 CIPA pixel lawsuits and sent thousands of demand letters that never resulted in public litigation. The business model looks strikingly similar to the ADA website accessibility lawsuit wave where 18 firms filed 44% of all ADA cases over 14 years.
The $15,000 letter you don't want to receive
Most CIPA claims never become public lawsuits. The real action happens in demand letters.
A typical demand arrives by mail to your registered agent or by email, threatening to file a lawsuit or arbitration claim unless you settle within a short deadline. The amount: $15,000 to $40,000. That range is not accidental. It's precisely calibrated to be cheaper than hiring a lawyer to fight it.
Jackson Walker's privacy team noted: "There is hardly a week that goes by that we do not receive an inquiry from a business that has received a CIPA-complaint letter."
If you pay, it doesn't end. Traverse Legal documented that companies settling early signal they are "payers," which invites follow-up letters from the same plaintiffs.
If you don't pay, the escalation path is mass arbitration. Plaintiffs' firms flood defendants with hundreds of individual arbitration demands simultaneously. Each demand requires the defendant to pay filing fees of $1,750 or more. 500 arbitration demands = $875,000 in filing fees before any case is heard on the merits.
And here's the part that makes this truly dangerous: most cyber insurance policies don't cover CIPA claims. Coalition, a major cyber insurer, reported that 70% of wrongful collection claims are CIPA-related, and many policies specifically exclude claims arising from "improper tracking, recording, or monitoring of communications." Your insurance company may argue that deploying tracking scripts was a deliberate business decision, making any resulting CIPA violation intentional and therefore uninsurable.
Cookie banners won't save you
If your first instinct is "I'll just add a cookie consent banner," I have bad news.
The Ninth Circuit made this clear in Javier v. Assurance IQ (2022): consent under CIPA must be obtained before any recording begins. Not after. Not retroactively. Before. A privacy policy that users see only after they've already interacted with your site? Not valid consent.
"By continuing to browse, you agree" banners fail. The user's continued navigation happens simultaneously with or after script execution, not before it. For consent to be meaningful under CIPA, the user's browsing cannot be the thing that generates the consent, because the interception has already begun by the time they do anything.
Privacy policies are disclosures, not consent. Courts have consistently held that a privacy policy is not a consent mechanism. Consent buried inside a document the user may never read does not constitute prior consent for the moment scripts execute on page load.
The biggest trap: scripts that fire before the banner loads. This is the core technical vulnerability. Most tag managers load JavaScript in the document head. The consent banner loads later. Even if the banner looks correct to users, tracking tags have already fired before consent was registered. Dollar Tree and Motorola Mobility both face lawsuits over banners that failed to actually block third-party cookies from firing when users clicked "Reject."
What actually works. Ubisoft successfully defeated CIPA claims with a multi-layered consent architecture: a cookie banner on landing that blocked all nonessential scripts until the user clicked Accept, an account-creation flow requiring affirmative acceptance of Terms and Privacy Policy, and a repeat presentation at checkout. The court dismissed all claims with prejudice, meaning it found the defense so strong that the plaintiff couldn't even amend and try again.
The key difference: Ubisoft's banner technically blocked scripts from loading. Most banners don't. If your consent management platform doesn't integrate with your tag manager to gate script execution, the banner is decoration.
A banner that is only decoration:
- Banner says "By continuing, you agree"
- Privacy policy link in footer
- "Reject" button doesn't block scripts
- GA4, Meta Pixel fire before any click

A banner that actually gates tracking:
- CMP gates tag manager execution
- "Reject" technically blocks all tags
- Banner discloses third-party data sharing
- Consent recorded before any tracking
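The gating described above, as an added example of my own (not Clickport code and not any consent platform's API): third-party tag loaders are registered at page load, but nothing gated is injected until the visitor records an affirmative choice, and "Reject" drops the queue so nothing fires. The injector is passed in, so the same logic runs in Node for the demo; the tag names and URLs are constructed placeholders.

```javascript
// Added example: a minimal consent gate that holds gated tags until the
// visitor affirmatively accepts. Not Clickport code or any CMP's API; tag
// names and URLs below are constructed placeholders.

// injectScript(src) performs the actual load. In a browser that is a <script>
// element (see browserInjector); in Node we pass a recording function.
function createConsentGate(injectScript) {
  const pending = [];   // gated tags waiting for a consent decision
  const loaded = [];    // names of tags actually injected, in order
  let decision = null;  // null until the visitor clicks; then 'accept' | 'reject'

  function inject(name, src) {
    injectScript(src);
    loaded.push(name);
  }

  // Register a tag. A gated tag is never injected before a decision, which is
  // exactly the property a "by continuing you agree" banner lacks.
  function registerTag(name, src, { gated }) {
    if (!gated) { inject(name, src); return; }                 // e.g. your own first-party script
    if (decision === 'accept') { inject(name, src); return; }  // consent already on record
    if (decision === 'reject') return;                         // stay silent
    pending.push({ name, src });
  }

  // Record the visitor's explicit choice. Returns the consent record you would
  // persist as evidence that consent preceded any tracking.
  function recordConsent(choice, timestamp = Date.now()) {
    if (choice !== 'accept' && choice !== 'reject') {
      throw new Error('consent must be an explicit accept or reject');
    }
    decision = choice;
    const queued = pending.splice(0, pending.length);  // drain the queue either way
    const loadedNow = [];
    if (choice === 'accept') {
      queued.forEach((t) => { inject(t.name, t.src); loadedNow.push(t.name); });
    }
    return { choice, timestamp, loadedNow };
  }

  return {
    registerTag,
    recordConsent,
    loadedTags: () => loaded.slice(),
    pendingCount: () => pending.length,
  };
}

// Browser injector: creates <script> elements. Only called when a Document exists.
function browserInjector(doc) {
  return (src) => {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  };
}

// Demo: register one ungated first-party tag and two gated third-party tags,
// then apply a choice. Returns what was injected so it can be checked offline.
function demo(choice) {
  const injected = [];
  const gate = createConsentGate((src) => injected.push(src));
  gate.registerTag('first-party-analytics', '/js/analytics.js', { gated: false });
  gate.registerTag('ad-pixel', 'https://pixel.example-ads.test/px.js', { gated: true });
  gate.registerTag('session-replay', 'https://replay.example-session.test/rec.js', { gated: true });
  const beforeDecision = injected.length;  // 1: only the ungated first-party script
  const record = gate.recordConsent(choice, 0);
  return { beforeDecision, injected: injected.slice(), record, pending: gate.pendingCount() };
}

console.log(JSON.stringify(demo('accept')));
console.log(JSON.stringify(demo('reject')));
```

In a real page the gate would be created with `browserInjector(document)`, the tag registrations would replace the `<script>` tags a tag manager normally puts in the head, and `recordConsent` would be wired to the banner's Accept and Reject buttons. The point of the design is that the consent record's timestamp always precedes the first gated injection, which is what the Ubisoft-style defence needs to show.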
It's not just California anymore
CIPA gets the headlines, but the legal theory is spreading nationwide. Online tracking claims have been filed in 315 courts across 45 states, targeting 3,512 unique defendants over three years.
Florida is the next California. The Florida Security of Communications Act (FSCA) is a 1969 all-party consent law with potentially $10,000 per violation in statutory damages. In March 2025, a federal court denied dismissal of FSCA claims against Orlando Health for using Meta and Google tracking pixels on its patient portal. Hundreds of nearly identical small claims have followed.
Pennsylvania is an established second front. The Third Circuit's 2022 decision in Popa v. Harriet Carter Gifts ruled that JavaScript rerouting browsing data to a third-party marketing company constituted an interception under the state wiretap act.
And you don't need to be in California to get sued there. In Briskin v. Shopify (2025), the Ninth Circuit ruled en banc that Shopify, a Canadian company, was subject to California jurisdiction because its platform collected and commercialized California user data as part of normal business operations. If your website has California visitors and collects their data, you can be hauled into California court regardless of where you're based.
The one bright spot: Massachusetts. The state's highest court ruled in Vita v. New England Baptist Hospital (2024) that web browsing is not a "communication" under the state wiretap law. If other states follow this reasoning, it could limit the expansion. So far, they haven't.
The courts are calling it "a total mess"
The legal landscape is contradictory, confusing, and getting worse. Even the judges handling these cases are frustrated.
In October 2025, Judge Vince Chhabria of the Northern District of California ruled in favor of the defense in a Meta Pixel case, then proceeded to call CIPA "a total mess" that is "borderline impossible" to apply to modern internet transmissions. He urged the California Legislature to "step up" and suggested "it would probably be best to erase the board entirely and start writing something new."
The Ninth Circuit made things even more confusing. In a 48-hour window in June 2025, two different panels issued opposite signals:
June 18: In Thomas v. Papa John's, the court affirmed dismissal, ruling "a party to a conversation cannot be liable under section 631 for 'eavesdropping' on its own conversation." Win for defendants.
June 20: In Mikulsky v. Bloomingdale's, the same court reversed a dismissal, finding session replay allegations plausibly stated a CIPA claim where the vendor operated with independent data interests. Win for plaintiffs.
Same circuit. Same week. Opposite outcomes.
The legislative fix? SB 690 would have created a "commercial business purpose" exemption aligning CIPA with the CCPA framework. It passed the California Senate unanimously, 35-0. Then it stalled in the Assembly after opposition from the EFF, ACLU, and plaintiffs' attorneys who argued the exemption was too broad. The bill is now a two-year bill, meaning no legislative relief until 2027 at the earliest. If it ever passes at all.
Duane Morris put it bluntly: "There is no possibility it will take effect before 2027, if it is ever reconsidered at all."
What to do right now
You don't need to wait for legislation. Here are the concrete steps that privacy lawyers at Shumaker, Hintze Law, Gunderson Dettmer, and Fisher Phillips are consistently recommending:
1. Audit your tracking stack. Use free tools like Wappalyzer or Blacklight to see exactly what scripts fire on every page load. Many businesses have no idea what their marketing team or a previous web agency installed. You cannot fix what you don't know is there.
2. Inventory your third-party data recipients. List every vendor receiving data from your site: analytics providers, ad pixels, chat platforms, session replay tools, CRM integrations. For each, determine whether the vendor uses data for its own purposes or exclusively to serve you.
3. Remove high-risk tools you don't need. If you installed Meta Pixel for a Facebook ad campaign you ran once in 2023 and never touched again, remove it. If you have Hotjar but never look at the recordings, remove it. Every unnecessary third-party script is attack surface.
4. If keeping third-party tools, gate them behind real consent. A proper consent management platform that integrates with your tag manager and blocks all nonessential scripts until a user affirmatively clicks Accept. Not "by continuing you agree." Not pre-checked boxes. A genuine opt-in before any data leaves your domain.
5. Review vendor contracts. Ensure every vendor contract restricts the vendor to using your data only to provide services to you. If Google or Meta's terms reserve the right to use your data for their own ad targeting, model training, or cross-site profiling, that's the "independent data interest" that makes them a third-party eavesdropper under CIPA.
6. Prepare a demand-letter response playbook. Identify outside counsel familiar with CIPA before you receive a letter. When one arrives, the response deadline is short, and decisions made in panic tend to be expensive.
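Steps 1 and 2 as an added example of my own (not one of the scanners named above and not Clickport code): a static scan of a page's HTML that lists every script and image-beacon source, resolves its hostname, and flags anything not on your own registrable domain. The HTML and hostnames are constructed for the demo. It goes slightly beyond the steps by also noting whether each third-party resource sits in the document head, since those are the ones that load before any banner script further down the page.

```javascript
// Added example: static inventory of external script and image-beacon
// sources in a page's HTML. Not Clickport code or any scanner's API. The
// sample HTML and hostnames are constructed for the demo.

const SAMPLE_HTML = `
<html><head>
<script src="/assets/app.js"></script>
<script async src="https://cdn.example-analytics.test/tag.js"></script>
<script src="https://static.example.com/site.js"></script>
</head><body>
<noscript><img src="https://pixel.example-ads.test/tr?id=PLACEHOLDER" height="1" width="1"></noscript>
<img src="/images/logo.png">
<script src="https://replay.example-session.test/recorder.js"></script>
</body></html>`;

// Naive registrable domain: the last two labels. Fine for .com/.test, wrong
// for multi-label public suffixes like co.uk; use a public-suffix list there.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Find every <script src> and <img src>, resolve it against the page URL, and
// classify it as first-party (your registrable domain) or third-party.
function inventoryResources(html, pageUrl) {
  const base = new URL(pageUrl);
  const own = registrableDomain(base.hostname);
  const headEnd = html.search(/<\/head\s*>/i);
  const tagRe = /<(script|img)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const found = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    let url;
    try { url = new URL(m[2], base); } catch (e) { continue; }  // skip a malformed src
    found.push({
      tag: m[1].toLowerCase(),
      host: url.hostname,
      path: url.pathname,
      party: registrableDomain(url.hostname) === own ? 'first-party' : 'third-party',
      inHead: headEnd >= 0 && m.index < headEnd,  // loads before anything lower in the document
    });
  }
  return found;
}

// Distinct third-party hosts, sorted: the list to reconcile against vendor
// contracts and data-use terms in step 2.
function thirdPartyHosts(html, pageUrl) {
  const hosts = inventoryResources(html, pageUrl)
    .filter((r) => r.party === 'third-party')
    .map((r) => r.host);
  return [...new Set(hosts)].sort();
}

// Third-party resources placed in <head>: these fire on page load before a
// consent banner lower in the document can block them.
function headThirdParty(html, pageUrl) {
  return inventoryResources(html, pageUrl).filter((r) => r.party === 'third-party' && r.inHead);
}

const PAGE_URL = 'https://www.example.com/';  // constructed page URL for the demo
console.log(inventoryResources(SAMPLE_HTML, PAGE_URL));
console.log('third-party hosts:', thirdPartyHosts(SAMPLE_HTML, PAGE_URL));
console.log('third-party in <head>:', headThirdParty(SAMPLE_HTML, PAGE_URL).map((r) => r.host));
```

Run it over your own saved page source. A static scan only sees what is in the HTML: tags that a tag manager injects at runtime appear only in a live scan (Blacklight or the browser's network panel), so treat this as the first pass, not the whole audit. Every host on the third-party list is then a vendor whose terms you check in step 5 for an independent right to use the data.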
The simplest fix: stop sending data to third parties
Everything about CIPA liability traces back to one structural problem: a third party intercepting your visitors' communications without their consent.
Remove the third party and the entire legal theory collapses.
The Ninth Circuit confirmed this directly. In Thomas v. Papa John's (2025): "a party to a conversation cannot be liable under section 631 for 'eavesdropping' on its own conversation." When only the website operator and the visitor are parties to the communication, no CIPA claim arises.
Crowell & Moring summarized the principle: "If a third-party technology provider does not have the right to make independent use of the communications it records, it is a mere tool of the website operator and is protected by the direct party exception."
This is why the distinction between third-party and first-party analytics matters so much right now.
Third-party analytics:
Third-party JS loads from Google/Meta
↓
Data sent to Google/Meta servers
↓
Vendor uses data for ad targeting, AI training, cross-site profiling

First-party analytics:
Lightweight script sends events
↓
Data goes to your analytics server
↓
No third party. No independent data use. No cookies.
When Google receives your visitors' data, it reads it, builds advertising profiles with it, and uses it to train AI models. Google is not your tool. Google is a third party with its own commercial interests. A federal court said exactly this when it denied Google's motion to dismiss.
When a privacy-first analytics tool processes data exclusively on the website operator's behalf, with no right to use or sell it independently, the vendor is treated as an extension of the website operator. No separate third party. No interception. No CIPA claim.
That's the structural difference. Not a legal technicality. An architectural one.
Clickport is built this way from the ground up. No cookies, no fingerprinting, no third-party data sharing. Your analytics data goes to your dashboard and nowhere else. We don't use it, sell it, train models with it, or build profiles from it.
The legal landscape around CIPA is chaotic. Courts are split. The legislature is stuck. The plaintiffs' bar is filing faster than ever. But the fix for your website doesn't require waiting for a judge or a senator. It requires making one decision: stop sending your visitors' data to companies that use it for their own purposes.
You can set up Clickport in five minutes and eliminate the third-party interception that CIPA targets. No consent banner needed. No legal gray area. Just analytics that respect your visitors' privacy and keep you out of the crosshairs.