Your Website’s Pixels May Be Wiretaps: 10 Questions Every Business Should Ask About CIPA

The plaintiffs’ bar has been ramping up lawsuits under the California Invasion of Privacy Act (CIPA) and federal and state wiretapping statutes for years, and the wave is not receding. Tens of thousands of claims have been filed since 2022, with CIPA wiretapping claims continuing to accelerate in recent months. Meanwhile, plaintiffs are branching out beyond California to Florida, Pennsylvania, and Illinois, and increasingly relying on the federal Electronic Communications Privacy Act (ECPA) to reach companies nationwide.

Companies outside of California are in scope, and if you are in a health-related field your risk is even greater.

1. What is CIPA and how does it apply to websites?

CIPA was enacted to protect Californians from secret wiretapping on telephone calls. Today, plaintiffs’ attorneys use it to challenge the tracking technologies virtually every modern website deploys. The core theory: when your website embeds third-party code (analytics, a targeted advertising cookie or a session replay tool) that captures and transmits user interactions to an outside vendor without affirmative consent, that transmission is an unlawful “interception.”

The main CIPA theories in play are wiretapping/interception claims under § 631(a), where plaintiffs allege vendor code intercepts private user interactions like keystrokes and chat messages; pen register/trap and trace claims under §§ 638.50-638.51, where tracking tools allegedly capture routing information like IP addresses; and eavesdropping claims under § 632.7, applying phone-era provisions to web interactions. Federal courts in California have largely found that pixels qualify as pen registers, though state courts have been more skeptical.

2. Is It Just CIPA? The Rise of ECPA and Multi-State Litigation

No. The exposure is much broader.

First: CIPA itself applies outside of California. Courts have held that as long as the user is in California, CIPA reaches companies based entirely outside the state. When you layer on the federal ECPA, geography is no defense at all. If your website is accessible to California residents (which is to say, every website), you are within reach.

Plaintiffs are increasingly filing claims under the federal Wiretap Act (ECPA, 18 U.S.C. §§ 2510 et seq.) which can be asserted in courts across the country. Courts in Illinois, New York, Virginia, North Carolina, and Florida have already issued ECPA decisions involving tracking pixels.

Florida is the next major battleground. Its Security of Communications Act has “nearly identical language” to CIPA, and Florida now trails only California in lawsuit volume. Pennsylvania (under its own WESCA and the ECPA) and Illinois are also seeing significant activity. A few states have fought back: Tennessee, New Hampshire, and Alaska passed amendments specifically excluding pixels and cookies from their wiretapping laws. Most states have not.

California’s SB 690, which would have created a “commercial business purpose” exception to CIPA, passed the State Senate but stalled in the Assembly and will not take effect before 2027 at the earliest.

3. Why Are These Lawsuits Surging Now?

Several forces are converging into an imperfect storm. CIPA’s $5,000 per violation (and the ECPA’s $10,000) requires no proof of actual harm, and when multiplied across website visitors the exposure can be enormous. Class certification is available. Courts remain sharply divided on core questions, which means that many cases fail, but, from the plaintiffs’ bar’s perspective, many go through as well. Thus, a cottage industry of demand letters has emerged, with “hardly a week” passing without a business receiving one.

4. Which Technologies Are Most Likely to Trigger Claims?

The technologies most often targeted by plaintiffs have been analytics and targeted advertising trackers, session recording (session replay) tools, chat widgets and chatbots (over 100 lawsuits filed), SDKs embedded in mobile apps, and AI-driven conversation intelligence platforms.

5. What Qualifies as “Consent” and Why Do Common Banners Fail?

Consent is the gold standard defense, but not all consent works.

If you only disclose tracking in your privacy notice or terms of use, that may not be enough. Courts have rejected browse-wrap privacy policies buried in footer links and generic disclosures that understate actual tracking practices.

A banner that simply tells visitors that trackers are deploying and asks them to click “Ok” or continue browsing has also been held to be insufficient.

Cookie banners with misleading wording, implying that no trackers are deploying when they actually are, or that rejecting trackers will stop the tracking when it does not, have been the subject of many lawsuits.

Importantly, even a proper cookie consent management platform does not protect you if it is misconfigured and fails to block the relevant trackers; that alone puts you at significant risk of a claim.

6. What Damages Are at Stake?

CIPA provides $5,000 per violation (or three times actual damages). The federal ECPA provides $10,000. Florida’s FSCA provides liquidated damages of at least $1,000 per violation. When measured per visitor, even moderate web traffic could produce seven- and eight-figure exposure. This can be compounded by class certification, attorneys’ fees, and defense costs. Many companies settle quickly, but the settlement costs are often not insignificant.

7. What Other Legal Exposure Exists?

Failing to properly disclose the data your website (or app, or chatbot) collects and shares through online trackers can trigger liability under other legal theories as well. This includes enforcement by the Attorney General or the California Privacy Protection Agency under the CCPA/CPRA (the California privacy law), under other state comprehensive privacy laws (21 states and counting), by the FTC under its Section 5 authority (for an unfair or deceptive trade practice), by State AGs under State UDAAP laws (unfair, deceptive, or abusive practices), or by plaintiffs suing under theories of common law negligence and invasion of privacy.

8. Why Is the Medical Space at Greater Risk?

If you touch health data in any way, your risk is significantly elevated. The ECPA’s one-party consent exception disappears when interception occurs in furtherance of a “crime or tort,” and plaintiffs have had the most success invoking this exception against health care websites, arguing that sharing patient data with advertising platforms violates HIPAA. Courts have repeatedly denied motions to dismiss on this basis.

Beyond wiretapping claims, virtually all state comprehensive privacy laws classify health data as “sensitive data” requiring opt-in consent before collection or processing. This means that deploying tracking pixels on pages where health-related information is collected or inferred, without obtaining affirmative consent, can independently violate these state laws, even apart from any wiretapping theory.

The FTC has also made clear that pixel-based sharing of health data is an enforcement priority. In 2023, the FTC took action against GoodRx for sharing consumers’ prescription and health information with advertising platforms via tracking pixels, resulting in a $1.5 million civil penalty and a permanent ban on sharing health data for advertising. The FTC also took action against BetterHelp, the online mental health counseling service, for sharing sensitive mental health information for ad targeting, requiring $7.8 million in consumer refunds and a 20-year compliance program. Both cases were brought under the FTC’s Health Breach Notification Rule and Section 5 of the FTC Act.

Washington’s My Health My Data Act adds a separate layer. Its definition of “consumer health data” is extraordinarily broad, covering any information that identifies a consumer seeking services to “assess, measure, improve, or learn about” their health. It requires opt-in consent, a separate homepage privacy policy, and sweeping deletion rights. Lawsuits are already being filed against retailers and tech companies for pixel-based sharing of health data. Nevada’s SB 370 imposes similar requirements. Virginia now prohibits sharing reproductive or sexual health data without consent, with a private right of action.

9. What to Do If You Receive a Demand Letter

Do not panic, but do not ignore it. Most CIPA disputes begin with a demand letter, and many resolve before litigation. Engage experienced privacy counsel. Counsel will assist you in assessing any legal arguments you could present as well as in validating any technical allegations made by the plaintiff. Based on your particular situation, jurisdiction, factual posture (did you have a proper cookie solution, etc.), and other factors, counsel can help you decide whether an amicable settlement is appropriate or whether litigation is the right path. Then, turn your focus to remediating what needs to be fixed.

10. What to Do Right Now to Reduce Risk

  • Audit every tracking technology on your website. You must know what information is collected and whether you need to allow an opt-out.
  • Adopt (or fix your) cookie management platform. It should, at minimum, allow and facilitate the rejection of trackers.
  • Address your other legal obligations under dedicated privacy laws and consumer protection laws. Be especially vigilant if you handle health data.
  • Align your privacy policy with reality. If your policy says “analytics” but you deploy advertising pixels and session replay, you have a gap that plaintiffs will exploit.
  • Minimize data collection. Mask form fields, suppress keystroke capture, and disconnect features from third-party tools rather than trusting vendor AI to filter sensitive inputs.
  • Update your Terms of Use with conspicuous arbitration clauses and class action waivers, using click-wrap presentation.
  • Strengthen vendor contracts. If possible, limit data use to service provision, prohibit secondary uses, and require cooperation and indemnification for privacy claims.
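As an added illustration of the consent points in section 5 and the audit and cookie-platform items above (example code written for this page, not code from the post or from any consent vendor), the JavaScript below keeps vendor tags inert until an affirmative per-category opt-in and flags any tracker host that fired before the visitor made a choice. The tracker ids, categories and host names are constructed placeholders.

```javascript
// Added example, not code from the post or from any CMP vendor. All tracker
// ids, categories and host names below are constructed placeholders.
const TRACKERS = [
  { id: 'analytics', category: 'analytics', hosts: ['analytics.vendor-a.test'] },
  { id: 'ad-pixel', category: 'advertising', hosts: ['pixel.vendor-b.test'] },
  { id: 'replay', category: 'session_replay', hosts: ['replay.vendor-c.test'] },
];

// Only an affirmative opt-in per category counts. A banner that was merely
// acknowledged ("Ok"), dismissed, rejected, or never shown grants nothing.
function grantedCategories(consent) {
  if (!consent || consent.rejectedAll) return new Set();
  return new Set(consent.optIn || []);
}

// Which trackers may load under the given consent record.
function allowedTrackers(trackers, consent) {
  const granted = grantedCategories(consent);
  return trackers.filter(t => granted.has(t.category)).map(t => t.id);
}

// Audit check: compare the outbound request hosts observed before the visitor
// made any choice against the tracker inventory. Anything returned here fired
// without consent, which is the misconfigured-platform case the post warns about.
function leakedBeforeConsent(trackers, observedHosts) {
  const seen = new Set(observedHosts.map(h => h.toLowerCase()));
  return trackers
    .filter(t => t.hosts.some(h => seen.has(h.toLowerCase())))
    .map(t => t.id);
}

// Browser side: vendor tags ship inert as <script type="text/plain"
// data-consent-category="..."> and are swapped for live scripts only for
// categories the visitor opted in to. Returns the number activated.
function activateConsentedScripts(doc, consent) {
  const granted = grantedCategories(consent);
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!granted.has(inert.dataset.consentCategory)) continue; // stays inert
    const live = doc.createElement('script');
    live.type = 'text/javascript';
    if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
    inert.parentNode.replaceChild(live, inert);
    activated += 1;
  }
  return activated;
}
```

Feeding `leakedBeforeConsent` the hosts captured from a fresh browser session's network log, before clicking anything on the banner, is a quick way to verify that a consent platform is actually blocking what it claims to block.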

Bottom Line

Pixel wiretapping litigation is not a niche California problem anymore. It is a national, multi-statute litigation wave that touches every company with a website, and it is accelerating. It can find you even if you are not subject to state privacy laws, and even if you have a cookie solution, if that solution was not working properly. Importantly, failing to properly disclose and control data collected and shared through cookies and trackers could land you in enforcement actions from state and federal regulators under consumer protection theories. The risk is even greater if you are in a medical or health-related field. Companies that invest now in proper data mapping, consent sequencing, tracking audits, vendor governance, and accurate disclosures will be meaningfully better positioned to reduce the chance of claims and lawsuits and to defend claims if they come.
