
CIPA Risk Alert: Why Every Website with California Visitors Needs to Act Now

  • Writer: Jackie Piscitello
  • Nov 7, 2025
  • 4 min read

Updated: Jan 6

If your company operates a website that can be accessed by California residents, you are at risk of being targeted by lawsuits under California’s Invasion of Privacy Act (CIPA)—regardless of where your business is located. With courts divided and legislative reform stalled, companies face ongoing legal risks and need to act now to protect themselves.


Understanding California’s Invasion of Privacy Act (CIPA)


California’s Invasion of Privacy Act (CIPA) was enacted in 1967—decades before cookies, pixels, and analytics tools became part of everyday business. Beginning around June 2022, plaintiffs’ firms began increasingly using this outdated law to target ordinary web-tracking technologies. They filed hundreds of lawsuits alleging that websites “intercept” user communications without consent. Many of these cases are class actions brought by repeat plaintiffs or firms that monitor websites for missing cookie banners and pixel tracking practices.


Recent Developments in CIPA Litigation


On October 17, 2025, the federal court in the Northern District of California issued a significant decision that could influence how other courts interpret CIPA in the context of modern web technologies. In Doe v. Eating Recovery Center LLC (ERC), the court found no CIPA violation despite the defendant’s use of the Meta Pixel on its website.


The Case: Doe v. ERC


The plaintiff alleged that a healthcare provider’s website violated CIPA by using the Meta Pixel to share event data with Meta for website analytics purposes. The court rejected that theory, concluding the website’s conduct did not amount to an “interception” under CIPA.


Highlights from the Ruling


  • CIPA only covers data intercepted “in transit.”

The court made clear that the law applies only if a third party accesses information while it is being transmitted—not after it arrives on the company’s servers. In this case, because Meta received the data after it reached Eating Recovery Center’s servers, there was no violation.


  • The court applied the “rule of lenity.”

Because CIPA is a criminal law, any unclear language must be interpreted in favor of the defendant (the rule of lenity). The judge also noted that the statute was written long before today’s internet technologies existed.


  • The court called for legislative reform.

Describing CIPA as “a total mess,” the judge urged California lawmakers to update the law to address the realities of modern digital communications.


Current Status of CIPA


The California legislature is trying to catch up. Senate Bill 690, which would exempt standard commercial tracking technologies from CIPA, passed the Senate unanimously in June 2025 but has since stalled in the Assembly and is not expected to be taken up again until 2026.


This means, unfortunately, that CIPA lawsuits will continue. Businesses should not assume immunity from litigation—especially as courts outside the Northern District may interpret the law differently. Plaintiffs’ law firms remain aggressive in pursuing these cases.


What Companies Should Be Doing


Even with the favorable Doe v. ERC decision, companies should proactively assess and strengthen their data collection practices to reduce risk. Businesses should take the following steps:


Implementing Effective Cookie Banners


Cookie banners are often the first—and sometimes only—opportunity to obtain user consent and set expectations about data collection. To reduce CIPA risk, companies should ensure their cookie banners:


  1. Appear before any non-essential cookies or tracking technologies are activated.

  2. Clearly explain what categories of data are collected and for what purposes.

  3. Provide users with a genuine choice to accept or reject non-essential cookies.

  4. Record and honor user preferences.


A well-designed cookie banner not only supports compliance with California law but also demonstrates your company’s commitment to transparency and user privacy.


Crafting Comprehensive Privacy Policies


Equally important, privacy policies should clearly describe what tracking technologies (such as cookies, pixels, and analytics tools) are used on the website. They should detail:


  • What types of data are collected.

  • How that data is used and shared (including any sharing with third parties like advertising or analytics providers).

  • What choices users have regarding tracking.


The policy should also explain how users can exercise their rights to opt out of non-essential tracking and provide contact information for privacy-related inquiries. Keeping privacy policies up to date and aligned with actual practices is essential for both compliance and building user trust.


Conducting Ongoing Inventory of Tracking Tools


Conducting a comprehensive and ongoing inventory of all website tracking tools is crucial. This helps identify exactly what data is being collected, how it is used, where it is sent—including any third-party sharing—and ensures that only necessary tools are deployed. Proactively managing this inventory is critical to reducing legal risk and demonstrating responsible data stewardship.


Understanding your company’s unique risk profile—based on industry, data practices, and third-party vendors—is essential for effective compliance.


The Takeaway


Doe v. ERC signals a possible shift toward a more practical approach in California CIPA litigation. However, until the Legislature modernizes CIPA and courts reach consensus, any company that operates a website accessible to California visitors remains exposed to significant legal and reputational risks.


Our team can help you proactively reduce your risk of CIPA lawsuits, identify practical solutions, and ensure your website and data practices are defensible. Reach out to us for a tailored legal review and actionable guidance.


About the Author


Jacqueline Piscitello is a Founding Partner of ExecutiveGC, LLP, where she and her team provide practical, business-focused legal counsel to growing companies. Contact Jacqueline at jackie@executive-gc.com today to discuss how ExecutiveGC can help protect your business.


 
 
 
