The California Invasion of Privacy Act
By: Paul Creme | 3/19/25
A recent blog post on our website discussed the increase in the number of states that have adopted several types of privacy statutes modeled after the California Privacy Rights Act (“CPRA”).
There is another statute, not as well known and more limited in scope, that companies should also be aware of: the California Invasion of Privacy Act (“CIPA”). At this time, it may only impact companies that are located within the state of California, but just as the CPRA applies to a resident of the state of California, the CIPA applies as well if the person accessing your website is a resident of California.
The reason for an increase in threatened actions based on the CIPA is that, unlike the CPRA, the CIPA allows for statutory damages of $5,000.00 per person. Some of the demand letters not only threaten legal action but may become class action suits, thus increasing the amount of damages. A class of a few hundred people could be a significant exposure.
The basis of the potential litigation is an invasion of privacy by using cookies and/or other website tracking technologies on the website. The argument is that these tracking technologies are an unwelcome invasion of a user’s privacy, like eavesdropping on a private conversation.
Numerous third-party applications integrate with websites to monitor, analyze, and optimize user interactions. Tools like Google Analytics and Hotjar track user behavior, session recordings, and engagement metrics to provide insights into website performance. Additionally, social media tracking pixels, such as those from Facebook (Meta) and X (formerly Twitter), collect data on user interactions to enable personalized advertising, retargeting, and content optimization. Other analytics platforms, heat mapping tools, and behavioral tracking services further enhance a business’s ability to refine user experiences and improve marketing effectiveness. It is crucial to know which platforms will align with your business’s industry regulations, such as HIPAA compliance laws.
The main issue under the CIPA is the absence of consent to using tracking technology. The use of a pen register, a “recording” of the user’s interactions with the website, without a court order or explicit consent is illegal.
While the law remains unsettled, that will not stop the possibility of receiving a demand letter from an aggressive law firm demanding that your company settle or face potential litigation, similar to the cases a few years ago about access under the Americans with Disabilities Act.
The question is, what should a company do now to shield itself from a claim, or at least have a viable defense to a claim?
First, review terms of use and privacy policies that specifically deal with the use of website tracking technology with your legal counsel. Second, review how your company handles the information. Go beyond privacy statutes and take inventory of what is on your website and determine if there is any tracking technology. Third, determine whether the tracking technology is critical to the operation of the company. If not, think about disabling it. Finally, make sure that opt-out language is clear and allows the user to either opt out or block the tracking.
Please note this is not intended to be legal advice and we cannot provide the language best suited to your particular company. This is something you need to work on with your legal counsel, but we can assist in evaluating and perhaps minimizing the potential risk. Contact us if you would like to learn more.