
California Invasion of Privacy Act CIPA

Is Your Website Violating California Invasion of Privacy Act (CIPA) ?

Are you at risk of liability from California’s privacy laws? Learn how CIPA is coming up in web privacy case law, cookies, and consent - and how privacy best practices may help protect you.

Rob English

Lead Implementation Specialist

A privacy-focused web analytics implementation specialist, with 19 years experience in development across marketing, advertising and analytics.

What You Need to Know About Web Tracking and Consent

Over the last year there has been significant buzz around litigation against companies alleged to be in violation of the California Invasion of Privacy Act (CIPA) because of the web tracking technology used on their websites.

While instances of this seem to have picked up substantially over the last year or so, litigation of this kind dates all the way back to the early 2000s, when privacy advocates filed lawsuits against DoubleClick for violating California's privacy laws. CIPA was one of those laws.

Before I dive too far into the details, one thing I must make clear right away is that I am not a lawyer, nor a legal expert of any sort.  So, please do not take any advice or tips in this article as legal advice.  Always review privacy and compliance concerns and recommendations with your own legal counsel to ensure you are - and will stay - compliant under all necessary global regulations.

What is the California Invasion of Privacy Act (CIPA)?

Not to be confused with the other CIPA (the Children's Internet Protection Act), the California Invasion of Privacy Act addresses the invasion of privacy that occurs when an individual's conversations or communications are intercepted or listened in on.

Originally enacted in 1967, it was primarily a response to the fear of wiretapping and eavesdropping on phone calls. It has been amended several times since. As with other California privacy regulations, like the California Privacy Rights Act (CPRA), it applies to individuals and organizations handling communications involving residents of California. Even if your organization is not located in California, it applies to you if California residents can use your websites or apps.

Although, as mentioned above, the law has been amended several times (most recently in 2015), CIPA does not directly call out web tracking technologies.

Why Does CIPA Pose a Risk for Web Tracking Technologies?

Whether or not it specifically names web tracking technologies, some of the technologies we work with fall into what is being treated as a grey area under this law, so they are something we should all be aware of when working on privacy and compliance.

Key Concerns Under CIPA for Website Tracking:

  • Placement of cookies and collection of IP addresses (and other PII) without the user's knowledge.

  • Session replay tools capturing user interactions including form inputs, clicks, and mouse movements.

  • Use of tracking pixels or tools that may record user behavior without their knowledge.

Some are arguing that these technologies constitute pen registers or trap-and-trace technologies, which have specific rules under CIPA.

What does CIPA state that could put a company's web tracking at odds with it?

The key focal points of these lawsuits are the placement of cookies and the collection of a visitor's IP address (and other PII) by tracking technologies, without the visitor's knowledge. Recall that CPRA and the earlier California Consumer Privacy Act (CCPA) operate on an opt-out (implied consent) basis, so under those rules alone a user can technically be tracked without ever giving an explicit "yes, track me" signal. Plaintiffs are arguing, however, that setting cookies and firing tracking pixels without asking violates CIPA. Some of these technologies go as far as providing session replays of a user's interactions, which introduces the risk that form interactions or similar site interactions are recorded as part of the replay, exposing information users never intentionally submitted.

The argument is that these technologies constitute pen registers or trap and trace devices, for which CIPA has specific rules. For context, the two definitions below are quoted from California Penal Code section 638.50:

  • Pen registers: “Pen register” means a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication. “Pen register” does not include a device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider, or a device or process used by a provider or customer of a wire communication service for cost accounting or other similar purposes in the ordinary course of its business.

  • Trap and trace devices: “Trap and trace device” means a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.

I've already implemented consent management and have taken steps to be compliant under CCPA/CPRA, so I'm fine.

Not necessarily! CIPA provides that, for electronic or wire communication services, one of the circumstances in which a pen register may be used is "if the consent of the user of that service has been obtained" (section 638.51, subdivision (b)(5)). This is where things get complicated: under CCPA/CPRA, the style of consent required for tracking California residents is implied, opt-out consent. California residents are usually tracked until they explicitly tell you to stop. So tracking can technically occur without the user knowing about it, and without the user having granted consent for it.
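A practical way to see whether your own site does exactly this is to capture the cookies a visitor holds before they have answered the consent banner and classify them. The following is an added example, not code from the original article or from any CMP vendor: it takes cookie names from a Set-Cookie header list and from a document.cookie string (most analytics and ad tags set their cookies from JavaScript, so an HTTP-only capture would miss them) and flags known tracker cookies. The cookie-name prefixes and the sample capture are assumptions constructed for illustration; extend the prefix list for your own tag stack.

```javascript
// Added example, not code from the original article: classify the cookies a
// visitor receives before any consent interaction, so you can see what an
// opt-out (implied consent) setup hands to a Californian on first page load.
// The cookie-name prefixes are an assumption based on common vendor naming;
// extend them for your own tag stack.

const COOKIE_CATEGORIES = {
  analytics: ['_ga', '_gid', '_gat'],            // Google Analytics cookies
  advertising: ['_gcl', '_fbp', '_fbc', '_uet'], // Google Ads, Meta, Microsoft
  sessionReplay: ['_hj'],                        // Hotjar-style replay tools
};

// Cookie names from a list of Set-Cookie header values (server-set cookies).
function namesFromSetCookie(headers) {
  return headers.map((h) => h.split(';')[0].trim().split('=')[0]);
}

// Cookie names from a document.cookie string. Most analytics and ad tags set
// their cookies from JavaScript, so an HTTP-only capture would miss them;
// read document.cookie in the browser (or a headless one) after page load.
function namesFromDocumentCookie(cookieString) {
  if (!cookieString || !cookieString.trim()) return [];
  return cookieString.split(';').map((c) => c.trim().split('=')[0]);
}

// Return the category a cookie name falls into, or null for cookies that are
// not known trackers (session, CSRF, CMP state, and so on).
function categorize(name) {
  for (const [category, prefixes] of Object.entries(COOKIE_CATEGORIES)) {
    if (prefixes.some((prefix) => name.startsWith(prefix))) return category;
  }
  return null;
}

// Audit a set of pre-consent cookie names. `ok` is true only when no
// tracking cookie was set before the visitor made a choice.
function auditPreConsentCookies(names) {
  const findings = [];
  for (const name of new Set(names)) {
    const category = categorize(name);
    if (category) findings.push({ name, category });
  }
  return { findings, ok: findings.length === 0 };
}

// Constructed sample capture: first-response headers plus document.cookie as
// read after page load, with the consent banner still unanswered.
const SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'cmp_state=pending; Max-Age=31536000; Path=/',
];
const SAMPLE_DOCUMENT_COOKIE =
  '_ga=GA1.1.1234567890.1700000000; ' +
  '_ga_ABC123DEF4=GS1.1.1700000000.1.0.1700000000.0.0.0; ' +
  '_fbp=fb.1.1700000000000.1234567890; cmp_state=pending';

function runSampleAudit() {
  const names = [
    ...namesFromSetCookie(SAMPLE_SET_COOKIE),
    ...namesFromDocumentCookie(SAMPLE_DOCUMENT_COOKIE),
  ];
  return auditPreConsentCookies(names);
}

const sampleResult = runSampleAudit();
console.log(JSON.stringify(sampleResult, null, 2));
```

On the constructed sample the audit reports three tracking cookies (two Google Analytics, one Meta) that were set before the banner was answered, which is the situation an opt-out CMP produces by design. Run the same classification against a real capture from a fresh browser profile, with no banner interaction, to see what your California visitors receive on first load.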

How to Ensure CIPA Compliance on Your Website

1. Initiate or Update Your Privacy Compliance Program

First and foremost, if your organization does not already have a privacy and compliance program, establishing one is the vital first step. With so many global privacy regulations, and with content shareable and viewable from anywhere in the world, a well documented, implemented and maintained privacy practice is critical to compliance not just locally or nationally but internationally. Many regulations (CIPA included) apply not just to companies within the jurisdiction but to any company that serves content to residents of that jurisdiction and tracks them.

→ Global regulations apply based on user location, not company headquarters. CIPA can apply to any company tracking California residents.

2. Use a Consent Management Platform (CMP)

Tooling like OneTrust or Osano can simplify and streamline the implementation of cookie compliance on your website (and, in the case of tools like OneTrust, across your organization's entire data ecosystem). A CMP makes it easier to review, update and implement practices that inform your users of what technology you use to track them, lets them opt in or opt out as easily as possible, lets them submit Data Subject Access Requests, and helps them understand what your company's privacy policy covers. The CMP only helps if your tags actually honour its signal, though: verify that tracking tags do not fire, and tracking cookies are not set, until the CMP reports consent, because a banner that records a choice while the tags fire regardless is worse than no banner.


3. Be Transparent About Your Privacy Practices

Make your:

  • Privacy policies

  • Cookie consent disclosures

  • Opt-out mechanisms

...easily accessible and understandable. Do not bury them in legalese or hidden corners of your site.

Be upfront and communicative about your privacy practices and clearly define your privacy policies, cookie policies, and user compliance practices, in an easily digestible format.  Make it easy for customers to find how to opt-out of tracking, and how they can reach out to you to access their information if they request it.  Don't try to bury this information in a dark corner of your website that users have to go on an Easter egg hunt to find, or obfuscate the meaning under layers and layers of legal jargon.

4. Get Legal Advice

As I stated at the top of this article, I am not a lawyer, so nothing in this post should be construed as legal advice. Always reach out to your own internal or external legal resources and privacy team to ensure the proper measures are being taken to keep you compliant under all necessary regulations. This is especially important when your tools or practices sit in a regulatory "grey area."

5. Consider Server-Side Tracking for Added Privacy Controls

Server-side tracking can:

  • Reduce cookie placement on client browsers

  • Avoid loading third-party libraries directly on user devices

  • Obfuscate or anonymize IP addresses (e.g., Google Analytics does this by default)

Important: Server-side tagging helps mitigate privacy risks only when implemented with privacy in mind. It is not a guaranteed compliance solution on its own.

Server-side tagging is often cited in privacy discussions now and can be mistaken for a cure-all for non-compliance. It should be treated as one element of privacy compliance, and it only helps if it is implemented with the intention of mitigating these risks. In the case of CIPA, one of the concerns that has led to lawsuits is the argument that collecting a visitor's IP address amounts to operating a pen register. Server-side tracking adds a layer between where the tracking occurs (the website) and where the data is sent (think Google Analytics or Facebook). That server-side middleman reduces exposure in three ways: a) third-party libraries are (usually) not loaded on the client's device but run from your own server; b) you can minimize or remove cookie placement in the client's browser; and c) because every hit passes through your server, you can add a filter step to that middleware that truncates or removes the IP address before it is sent to the endpoint. Google Analytics does this by default. Keep in mind that your server still receives the raw IP, so that filter, and your own server logs, are where the data minimization actually has to happen.
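What the "filter" step in c) looks like in practice, as an added example that is not code from the original article and not Google's, Facebook's or any tag manager's own code: a small routine that truncates the visitor IP (IPv4 to the first three octets, IPv6 to the first three hextets, the usual coarse-geolocation compromise) before a hit leaves your server, and that refuses to forward a hit whose IP it cannot parse rather than passing the raw value through. The hit shape (clientIp, params) and the outbound field name client_ip are assumptions chosen for illustration; map them to whatever your server container or endpoint actually uses.

```javascript
// Added example, not code from the original article and not any vendor's tag
// code: a server-side filter step that truncates the visitor IP before a hit
// is forwarded to an analytics endpoint. IPv4 keeps the first three octets
// (/24) and IPv6 the first three hextets (/48). The hit field names
// (clientIp, params, client_ip) are assumptions chosen for illustration.

// 203.0.113.77 -> 203.0.113.0; returns null for anything that is not IPv4.
function truncateIpv4(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) return null;
  return [parts[0], parts[1], parts[2], '0'].join('.');
}

// Expand an IPv6 address into eight hextets, or null if malformed. Handles
// "::" compression; zone ids and embedded IPv4 are rejected to keep this short.
function expandIpv6(ip) {
  if (!/^[0-9a-fA-F:]+$/.test(ip)) return null;
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const given = [...head, ...tail];
  if (given.some((h) => h.length === 0 || h.length > 4)) return null;
  let groups;
  if (halves.length === 2) {
    if (given.length > 7) return null;
    groups = [...head, ...Array(8 - given.length).fill('0'), ...tail];
  } else {
    if (given.length !== 8) return null;
    groups = given;
  }
  // Normalise to lowercase without leading zeros so outputs compare cleanly.
  return groups.map((g) => g.toLowerCase().replace(/^0+(?=.)/, ''));
}

// 2001:db8:85a3::8a2e:370:7334 -> 2001:db8:85a3:0:0:0:0:0
function truncateIpv6(ip) {
  const groups = expandIpv6(ip);
  if (!groups) return null;
  return [...groups.slice(0, 3), '0', '0', '0', '0', '0'].join(':');
}

function anonymizeIp(ip) {
  if (typeof ip !== 'string') return null;
  return ip.includes(':') ? truncateIpv6(ip) : truncateIpv4(ip);
}

// Build the outbound payload from what a server container sees: the client IP
// from the connection plus the event parameters sent by the page. With
// forwardIp=false the IP is dropped entirely. A hit whose IP cannot be parsed
// is rejected rather than forwarded as-is, so a bad input never leaks the raw value.
function buildForwardedHit(incoming, { forwardIp = true } = {}) {
  const payload = { ...incoming.params };
  delete payload.client_ip; // never trust an IP supplied by the page itself
  if (forwardIp) {
    const truncated = anonymizeIp(incoming.clientIp);
    if (truncated === null) {
      throw new Error(`refusing to forward hit with unparseable client IP: ${incoming.clientIp}`);
    }
    payload.client_ip = truncated;
  }
  return payload;
}

// Constructed sample hit, as a server container might receive it.
const SAMPLE_HIT = {
  clientIp: '203.0.113.77',
  params: { en: 'page_view', cid: '1234567890.1700000000', dl: 'https://www.example.com/' },
};

console.log(buildForwardedHit(SAMPLE_HIT));
console.log(buildForwardedHit({ ...SAMPLE_HIT, clientIp: '2001:db8:85a3::8a2e:370:7334' }));
```

Two design points are worth carrying into a real container: the raw IP is read from the connection, never from a page-supplied parameter (which a visitor or a script could set to anything), and the default path fails closed, so a malformed address stops the hit instead of being forwarded untouched. Truncation reduces, but does not eliminate, identifiability, so the decision between truncating and dropping the IP altogether belongs with your privacy and legal teams.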

6. Implement Opt-in (Explicit Consent) Tracking for Residents of California

I can already hear the screams from your marketing department at the mere suggestion. What this means is that, whereas previously you could enable tracking of a California resident's visit without their explicit consent and offer an opt-out after the fact, you would now take a GDPR-style approach: inform the user and ask for consent upfront, before any tracking happens. An opt-in practice will likely lead to a higher share of California visitors declining tracking, which will affect your ability to analyze their interactions or retarget ads to them. As scary as opt-in consent may seem, it may be the safest bet for staying on the right side of CIPA for the time being. With GA4 and other Google product tags such as DoubleClick and Google Ads, the gap left by unconsented users can be partly mitigated with Google Consent Mode and its behavioural and conversion modeling. Learn more about how Google Consent Mode can impact tracking here.
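The mechanics of "opt-in for California, opt-out elsewhere" with Google Consent Mode look like the following. This is an added example, not code from the original article and not Google's own implementation: it uses the documented gtag('consent', 'default', ...) and gtag('consent', 'update', ...) commands, with a region-scoped default of "denied" for the ISO 3166-2 code US-CA and a global default of "granted". The gtag/dataLayer pair is simulated so the file runs in Node, and resolveConsent replays the dataLayer to show which state a Google tag would apply for a given region; in a browser the real gtag snippet and window.dataLayer take their place, and the defaults must be pushed before gtag('config', ...) or the GTM container loads. Whether opt-in is the right posture for your site is a question for your counsel; the code only shows the wiring.

```javascript
// Added example, not code from the original article: Google Consent Mode v2
// wiring that defaults every consent type to "denied" for visitors in
// California (ISO 3166-2 region code US-CA) and to "granted" everywhere else,
// then updates the state from the banner choice. gtag/dataLayer are
// simulated so the file runs in Node; in the browser this is window.dataLayer
// and the standard gtag() snippet, and installConsentDefaults() must run
// before gtag('config', ...) or the GTM container snippet.

const dataLayer = [];
// The real snippet pushes the arguments object; an array is used here so the
// entries can be inspected.
function gtag() { dataLayer.push(Array.from(arguments)); }

const CONSENT_TYPES = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

function consentState(value) {
  return Object.fromEntries(CONSENT_TYPES.map((type) => [type, value]));
}

function installConsentDefaults() {
  // Opt-in for California: nothing is granted until the visitor says so.
  // wait_for_update gives the CMP up to 500 ms to deliver a stored choice
  // before tags act on the default.
  gtag('consent', 'default', { ...consentState('denied'), region: ['US-CA'], wait_for_update: 500 });
  // Opt-out (CCPA/CPRA style) everywhere else. Remove this call to default
  // all visitors to denied instead.
  gtag('consent', 'default', consentState('granted'));
}

// Called by the CMP when the visitor makes (or changes) a choice.
function applyVisitorChoice({ analytics, ads }) {
  const update = {
    analytics_storage: analytics ? 'granted' : 'denied',
    ad_storage: ads ? 'granted' : 'denied',
    ad_user_data: ads ? 'granted' : 'denied',
    ad_personalization: ads ? 'granted' : 'denied',
  };
  gtag('consent', 'update', update);
  return update;
}

// Replay the dataLayer to compute the state a Google tag would apply for a
// visitor in `region`: the most specific matching regional default wins over
// the global default, and later updates override defaults. This mirrors the
// documented precedence rules and exists so the wiring can be checked offline.
function resolveConsent(region) {
  let defaults = {};
  let bestMatch = -1; // -1 none yet, 0 global default, otherwise length of region code
  const updates = {};
  for (const [command, action, params] of dataLayer) {
    if (command !== 'consent') continue;
    const { region: regions, wait_for_update: _ignored, ...values } = params;
    if (action === 'default') {
      let score = 0;
      if (regions) {
        const match = regions.find((r) => region === r || region.startsWith(r + '-'));
        if (!match) continue;
        score = match.length;
      }
      if (score > bestMatch) { defaults = values; bestMatch = score; }
    } else if (action === 'update') {
      Object.assign(updates, values);
    }
  }
  return { ...defaults, ...updates };
}

installConsentDefaults();
const beforeChoice = {
  california: resolveConsent('US-CA'),
  elsewhere: resolveConsent('US-NY'),
};
console.log(beforeChoice);
```

Two caveats a practitioner will want. Consent Mode only governs Google tags; Meta pixels, session replay scripts and other third-party tags must be gated separately on the same CMP signal (for example as GTM trigger conditions), or the California default above protects you only for half the stack. And in "advanced" Consent Mode, Google tags still load and send cookieless pings while consent is denied; if your counsel regards those pings as a concern, use the "basic" implementation, where tags are not loaded at all until consent is granted.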

Are Courts Enforcing CIPA Against Web Trackers?

So far, rulings in cases involving CIPA and web tracking technologies have varied. Some have been thrown out; in others, plaintiffs made strong arguments and judges allowed the litigation to proceed, and some class actions have been paid out. Given this, I can't help but wonder whether this will result in further amendments to CIPA that call out web tracking technologies specifically, but that is just speculation on my part.

While there’s been no definitive ruling to suggest how future cases may be resolved, waiting to see how things play out for others could put your company at risk, especially if you are not up to date on privacy best practices.

If you feel like your site needs a check-up against privacy best practices as they are right now, Napkyn can help.

