Glossary · Privacy

California Invasion of Privacy Act (CIPA): Wiretap, Session-Replay & Chat Lawsuits Explained

By Steve Levine · Updated June 21, 2026 · 7 min read

Quick Answer

The California Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 630–638, is a 1967 state law that bars the unauthorized recording or interception of confidential communications. Because California requires the consent of all parties to a communication, CIPA carries statutory damages of $5,000 per violation (or three times actual damages, whichever is greater). Written in the telephone era, it is now the engine behind a large wave of class actions against websites that use session-replay software, third-party chat vendors, and tracking “pen register” tools to capture visitor activity allegedly without consent.

What CIPA Is and Why It Exists

The California Invasion of Privacy Act is one of the country's strongest communications-privacy statutes. The Legislature passed it in 1967, declaring that advances in surveillance and recording technology had created a serious threat to the privacy of Californians, and that people should be able to communicate without fear of being secretly recorded. The law sits in the California Penal Code at sections 630 through 638.

CIPA was written for an era of telephone wiretaps and hidden tape recorders, but its broad language has let plaintiffs argue it applies to modern internet tracking. That is why a statute approaching 60 years old now drives some of the most active privacy litigation in the country — much like the federal Video Privacy Protection Act (VPPA) has been revived against website tracking pixels.

The Key Sections — 631, 632, 632.7 & 638.51

CIPA is not a single rule but a set of related prohibitions. The provisions doing the most work in current class actions are:

  1. § 631 — Wiretapping. Bars tapping into, or reading the contents of, a communication while it is in transit over a wire or line without consent. It also reaches anyone who aids or conspires with a wiretapper — the theory used against third-party software vendors that allegedly intercept website traffic.
  2. § 632 — Eavesdropping. Prohibits using an electronic device to record or eavesdrop on a confidential communication without the consent of all parties.
  3. § 632.7 — Cellular and cordless calls. Bars the unauthorized recording of communications made over cellular or cordless phones, regardless of whether the call was “confidential.”
  4. § 638.51 — Pen registers & trap-and-trace. Prohibits installing or using a device that captures routing, addressing, or signaling information without a court order — the newest theory aimed at website tracking tags that collect visitor metadata.
A single website complaint often pleads several of these at once, because the elements and defenses differ and plaintiffs do not yet know which theory a court will accept.

The feature that makes CIPA so powerful is California's all-party (two-party) consent rule. In many states, one participant in a conversation can record it without telling anyone. California is different: recording or intercepting a confidential communication generally requires the consent of everyone involved. If a company records an interaction — or lets a third party do so — without that consent, it can face liability even when no one suffered a measurable financial loss.

For website cases, plaintiffs argue that a visitor never agreed to have a third-party vendor silently capture their keystrokes, chat messages, or browsing activity, and that a buried line in a general privacy policy does not amount to the kind of consent CIPA requires. Defendants respond that visitors did consent, that the vendor was acting as the company's own “tape recorder” rather than an eavesdropping outsider, or that the captured data was not a “communication” at all.

The Website-Tracking Wave — Session Replay, Chat & Pen Registers

Most CIPA cases filed today involve website tracking technology rather than telephones. Three patterns dominate:

Session-replay software. Code that records a visitor's keystrokes, mouse movements, scrolling, and clicks so the activity can be “replayed” later. Plaintiffs allege this is an unconsented interception of their communications with the website under § 631.
Chat wiretapping. Many sites embed a customer-service chat powered by a third-party vendor. Complaints allege the vendor reads, stores, or uses the chat contents for its own purposes — an alleged wiretap the visitor never agreed to.
Pen register / trap-and-trace. A newer theory under § 638.51 argues that tracking pixels and analytics tags act like a “pen register” by capturing the addressing and device information of everyone who loads a page.

This is closely related to the broader Meta Pixel website-tracking class actions, which raise the same wiretap theories. Courts have split sharply on whether a decades-old wiretap statute reaches this conduct: some have let CIPA claims proceed past the pleading stage, while others have dismissed them on the ground that a company cannot “wiretap” its own website or that the tracking tool is not a statutory pen register.

As always, being named in a complaint is not a finding of wrongdoing. At the pleading stage there is no settlement and no claim form — allegations must be proven, a class must be certified, and any recovery is typically years away if a case advances at all.

Damages and Your Rights

CIPA provides a private right of action in Cal. Penal Code § 637.2. A prevailing plaintiff may recover the greater of $5,000 per violation or three times the amount of any actual damages, and may also seek an injunction to stop the conduct. The $5,000 statutory figure matters because it sets a floor — a plaintiff generally does not have to prove a specific dollar loss to seek it, which is why even technical violations can translate into large aggregate exposure across a class.

These are amounts a court may award if a violation is proven; they are not guaranteed and not money that exists simply because a case was filed. How “per violation” is counted — per visit, per interception, or otherwise — is itself contested and can dramatically change the math.

Common Defenses and Open Questions

CIPA litigation is unsettled, and defendants raise several recurring arguments:

Consent. That the visitor agreed to the tracking through a privacy policy, cookie banner, or terms of use.
The “party” exception. That a vendor acting only as a tool for the website is a participant in the communication, not an eavesdropping third party, so § 631 does not apply.
No “contents.” That what was captured was routing or metadata, not the substance of a communication.
Standing and extraterritoriality. Whether the plaintiff suffered a concrete injury, and whether a California statute reaches an interaction involving out-of-state parties.

Because appellate courts have not fully resolved these questions, outcomes vary by court and by the specific technology at issue. If you believe your communications were recorded without consent, the controlling text is CIPA itself (Cal. Penal Code §§ 630–638) and the relevant California and federal decisions interpreting it.

Frequently Asked Questions

What is the California Invasion of Privacy Act?

The California Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 630–638, is a 1967 state law that prohibits the unauthorized recording or interception of confidential communications. Because California is an all-party (two-party) consent state, recording or eavesdropping on a communication generally requires the consent of everyone involved. CIPA provides a private right of action with statutory damages of $5,000 per violation or three times actual damages, whichever is greater.

How much can you recover under CIPA?

Under Cal. Penal Code § 637.2, a person harmed by a CIPA violation may recover the greater of $5,000 per violation or three times the amount of actual damages, plus injunctive relief. A plaintiff does not have to prove a specific dollar loss to seek the $5,000 statutory amount. These are amounts a court may award if a violation is proven; they are not a guaranteed payout.

Why are websites being sued under CIPA?

A large wave of CIPA lawsuits targets website tracking technology. Plaintiffs allege that session-replay software (which records keystrokes, mouse movements, and clicks), third-party chat vendors that read or store website chats, and "pen register" or "trap and trace" tracking tools intercept visitors' communications without consent. The theories rely on Penal Code § 631 (wiretapping), § 632.7 (recording phone communications), and § 638.51 (pen registers). Whether these statutes — written for telephone-era wiretaps — reach modern web tracking is unsettled and varies by court.

What is the difference between CIPA and the VPPA?

CIPA is a California state wiretap and eavesdropping law that protects the privacy of communications, while the federal Video Privacy Protection Act (VPPA) specifically protects information about what videos a person watches. The two are often pleaded together against websites that use tracking pixels: the VPPA covers the disclosure of video-viewing data, and CIPA covers the interception or recording of the underlying communications. Their elements, damages, and defenses are different.

Does CIPA only protect California residents?

CIPA is a California statute, and its protections generally turn on conduct connected to California — for example, a communication recorded while a party is in California. Courts have grappled with how the law applies when a website visitor is in California but the company or its tracking vendor is elsewhere. Whether a particular out-of-state interaction falls within CIPA is a fact-specific, frequently litigated question.

Related Terms

About This Page

General legal-information about the California Invasion of Privacy Act, not legal advice. OpenClassActions.com is a consumer news site and is not a law firm or a settlement administrator. Statutes and case law change, and how they apply depends on the facts of a particular situation. For the controlling text, see CIPA itself (Cal. Penal Code §§ 630–638) and the relevant court decisions. If you think your rights were affected, consult a qualified attorney in your jurisdiction.

More on Privacy & Tracking Lawsuits

More Class Actions

WISP / hellowisp.com Meta Pixel Privacy Settlement
With Proof Settlement

WISP / hellowisp.com Meta Pixel Privacy Settlement

$18 flat cash · U.S. hellowisp.com customers · wiretap-theory tracking settlement
$59.5M Flo Period Tracker Privacy Settlement
Notice / PIN Settlement

$59.5M Flo Period Tracker Privacy Settlement

No Proof · Pro rata cash · California users get a 2× share
$10.5M Lemonade Data Disclosure Settlement
With Proof Settlement

$10.5M Lemonade Data Disclosure Settlement

Pro rata cash or up to $10,000 documented loss + credit monitoring
Google Play Children's Privacy Settlement — $8.25M
Notice / PIN Settlement

Google Play Children's Privacy Settlement — $8.25M

No Proof · Est. $40–$200 cash · U.S. kids under 13 who used Google Play apps
All Open Class Action Settlements
With Proof Settlements

All Open Class Action Settlements

Browse settlements currently accepting claims — many with no proof required.