
CIPA wiretap cases are targeting session replay, chat tools, and form capture on websites.

The California Invasion of Privacy Act was designed to prevent illegal wiretapping of telephone calls. Plaintiffs' attorneys have successfully argued that session replay tools, live chat widgets, and keystroke capture scripts intercept website visitors' communications in a way that violates Section 631. The litigation wave is significant: hundreds of class actions have been filed in the past three years, and most companies receive a demand letter before any complaint is filed.

Full Name

California Invasion of Privacy Act

Jurisdiction

California

Penalties

CIPA provides statutory damages of $5,000 per violation, civil penalties of up to $2,500 for each violation, injunctive relief, and attorneys' fees. The per-violation framing creates leverage for plaintiffs even in cases involving a small number of named plaintiffs.

What It Is

Overview of CIPA

CIPA Penal Code Section 631 prohibits intentionally wiretapping, reading, attempting to read, or using a wire, electronic, or radio communication without the consent of all parties. California is an all-party consent state for electronic communications. Courts have applied Section 631 to third-party tools that receive a copy of the user's keystrokes, form inputs, or conversation with a chat agent, reasoning that the session replay vendor or chat platform "reads" the communication in transit.

Who It Covers

Scope and private right of action

Any website operator that deploys a tool capable of capturing user input, session activity, or chat conversations and transmitting that data to a third party may be in scope. The plaintiff class in a CIPA case is typically all California residents who visited the site during the period the tool was active. Statutory damages are $5,000 per violation (not per class member), which courts have interpreted as $5,000 per unlawfully intercepted communication, making aggregate class exposure enormous.

Exposure Triggers

Which website tools create CIPA wiretap exposure

CIPA Section 631 claims require that a third party received a copy of a user's communication in real time, or that a tool captured and transmitted user input without all-party consent. Several common website technologies satisfy this test in California courts.

Session replay tools (Hotjar, FullStory, Microsoft Clarity, LogRocket)

Session replay tools record keystrokes, mouse movements, form inputs, and screen state and transmit that recording to a third-party server. Courts in California have found that this transmission constitutes wiretapping under CIPA because the vendor receives a real-time copy of the user's interactions on the website.

Live chat widgets (Intercom, Drift, Zendesk Chat)

Chat widgets that route conversations through a third-party platform may expose the website operator to CIPA claims because the platform receives the contents of the user's message simultaneously with or before the operator does. The "party exception" to CIPA has been applied inconsistently in these cases.

Form completion and input tracking scripts

Scripts that capture form field values, partial inputs, or abandoned form data and send them to analytics or marketing platforms create CIPA exposure when the user did not consent to having their inputs transmitted to a third party.

Demand Letter Response

What to do when a CIPA demand letter arrives

A CIPA demand letter will typically identify a specific tool (e.g. "Defendant deploys Hotjar session replay") and allege that it intercepted the plaintiff's communications without consent during a specified period. The letter may demand a settlement payment or threaten class-action filing. Before responding, preserve all records of your tag manager configuration, session replay vendor contracts, and consent banner configurations for the period identified. The technical question of whether the tool was active, what it captured, and whether any consent mechanism was in place is central to the defense. Lokker provides defense counsel with a documented scan of your current configuration, historical third-party script records, and consent-state behavior evidence. That technical foundation matters early, before litigation strategy is set.

Evidence Support

What the technical evidence in a CIPA case looks like

CIPA claims are built on evidence that a specific tool was active on the site, that it transmitted user input to a third-party server, and that the transmission occurred without explicit all-party consent. Defending these claims requires the same quality of technical evidence.

Session replay script detection and payload analysis

Lokker identifies session replay beacons, documents what data they transmit, and confirms whether any consent condition was applied at the network layer during the period in question.

Consent banner behavior documentation

Consent Validator documents whether the session replay or chat tool was blocked in the no-interaction and reject states, providing evidence relevant to the "consent" element of a CIPA defense.

Historical script configuration records

Privacy Edge retains scan data indefinitely. Lokker can document which session replay or chat tools were active during the period cited in the complaint and what their configuration was.

Frequently Asked Questions

Common questions about CIPA

Does deploying a privacy notice eliminate CIPA liability?

A privacy notice alone does not satisfy CIPA's all-party consent requirement. CIPA requires that all parties to a communication consent to interception. Courts have generally required that consent be clearly disclosed at or before the time of interception, not buried in a privacy policy. Whether a cookie consent banner or session replay disclosure is sufficient depends on the specific language, placement, and timing.

Is there a "party exception" that protects session replay vendors?

CIPA has a party exception that exempts the parties to a communication from liability for receiving that communication. Courts have split on whether a session replay vendor is a "party" to the user's website interaction or a third-party interceptor. The outcome depends on the vendor's relationship with the operator and how the vendor uses the data. This is an active area of litigation with inconsistent results.

Can turning off the session replay tool moot the case?

Removing the tool after a demand letter does not moot the existing claims, which are based on past conduct. It may affect injunctive relief arguments. Evidence preservation is the first priority when a demand letter arrives.

Defense Counsel Network

Received a CIPA demand letter or are under investigation?

Lokker works alongside defense counsel who handle CIPA-related website privacy cases. We provide the technical evidence documentation your attorneys need and can make the right introduction to law firms that specialize in this area.