California Invasion of Privacy Act (CIPA)

• 1967 - California enacts the California Invasion of Privacy Act.
• 1970s–1990s - Additional provisions are introduced to address emerging communication technologies.
• 2000s - Courts begin applying the law to digital communications.
• 2022–Present - An increase in lawsuits targets companies using session replay tools, chat monitoring software, and other website technologies that capture user communications.
• Many of these lawsuits rely on Penal Code §§631 and 632, which address wiretapping and recording confidential communications.

CIPA may apply to businesses that interact with individuals located in California.

This includes companies operating:

• Websites
• Mobile applications
• Online customer support tools
• Call centers
• Digital communication platforms

Businesses may be affected if they use technologies that capture or record communications between users and the business.

Examples include:

• Session replay tools
• Chat support systems
• Voice call recording tools
• Behavioral tracking software

If these tools intercept or record confidential communications without appropriate consent, the business may face liability under CIPA.

CIPA includes several exemptions.

These may apply to:

• Law enforcement activities conducted under legal authorization
• Certain communications intercepted by service providers when necessary to deliver services
• Authorized investigations

However, these exemptions typically do not apply to commercial monitoring of website visitors.

Businesses operating websites or digital services should therefore evaluate how their monitoring technologies function and whether they capture communications.

Businesses that collect or record communications should review their practices under the relevant sections of CIPA.

Key provisions include:

• Penal Code §631 (a) : Prohibits unauthorized interception of communications using electronic devices.
• Penal Code §632 (a) : Prohibits recording confidential communications without consent from the involved parties.
• Penal Code §638.51 (a) : Prohibits the installation of a pen register or a trap and trace device (tools that capture information about who a communication is sent to or received from, such as website tracking technologies like pixels or analytics scripts) without a court order.

Businesses should therefore consider the following actions:

• Minimise the amount of personally identifiable information
• Inform users when communications may be recorded or monitored
• Obtain consent before recording begins
• Avoid recording confidential communications without disclosure
• Maintain transparency about communication monitoring practices

Website owners should evaluate whether technologies on their website capture communications between users and the platform.

Technologies commonly involved in CIPA claims include:

• Session replay tools that record user interactions
• Live chat systems that record conversations
• Customer support platforms that log user communications
• Behavioral analytics tools that capture detailed user activity

To address these risks, website operators often implement mechanisms that:

• Notify visitors that communications may be recorded
• Request consent before monitoring begins
• Delay recording until consent is provided
• Provide access to relevant privacy disclosures

These mechanisms are commonly referred to as wiretapping consent prompts or notices.

Businesses should also review broader transparency practices related to communication monitoring.

This may include:

• Providing disclosures within privacy policies
• Explaining when communications may be recorded
• Identifying third-party technologies used to capture communications
• Maintaining records of user consent where recording occurs

Businesses may also review how vendors and service providers process communication data.

Under the California Invasion of Privacy Act, individuals have the right to seek legal remedies if their communications are intercepted or recorded without authorization.

The law allows individuals to bring civil actions against parties that violate the statute. This means a person whose communication was intercepted or recorded without proper consent may file a lawsuit directly against the business or entity involved.

Many recent claims involve allegations that website technologies captured or transmitted user interactions without notice or consent. These claims often focus on tools that monitor communications between a website and its visitors, such as session replay software or chat support platforms.

Individuals bringing claims under CIPA may seek statutory damages or other remedies provided under the law.

CIPA is primarily enforced through civil litigation rather than a single dedicated regulatory authority.

Enforcement may occur through:

• Private lawsuits filed by individuals whose communications were intercepted or recorded without consent
• State prosecutors, including the California Attorney General or local district attorneys, in cases involving criminal violations of the statute

Under California Penal Code §637.2, individuals bringing civil claims may seek:

• $5,000 per violation, or
• Three times the amount of actual damages, whichever is greater.

Because websites may interact with large numbers of users, potential exposure can increase quickly when communication recording occurs without consent.