The California Invasion of Privacy Act (CIPA) was enacted in 1967, long before websites, cookies, or chatbots existed. But over the past few years, it has become one of the most cited laws in lawsuits against businesses using modern tracking tools.
This blog explores what CIPA is, how it works, what it regulates today, and how it intersects with online user interactions and cookie consent, especially in light of the proposed Senate Bill 690 (SB 690).
What is the California Invasion of Privacy Act (CIPA)?
CIPA is a state law originally enacted to combat unauthorised wiretapping and eavesdropping using devices like telephones or telegraphs. While it predates the internet, CIPA has evolved to apply to modern communications, including electronic interactions that occur on platforms like Zoom.
It prohibits intercepting, recording, or eavesdropping on any confidential communication without the consent of all parties involved.
The law also anticipates the misuse of modern surveillance tools, including pen registers and trap and trace devices, which are technologies used to log outgoing or incoming phone numbers, but not the content of conversations.

CIPA and the devices it targeted in 1967
CIPA was enacted to curb the use of emerging eavesdropping tools that posed a threat to personal privacy. These included:
- Telephone wiretaps: devices that intercepted calls on landline phones.
- Electronic amplifiers: tools that boosted audio to eavesdrop from a distance.
- Tape recorders: portable devices used to capture conversations secretly.
- Parabolic microphones: directional microphones capable of picking up private conversations from afar.
California lawmakers introduced strong consent-based protections in response to the use of these technologies for secretly intercepting or recording private communications.
Who must comply with the California Invasion of Privacy Act (CIPA)?
The CIPA applies to:
- Individuals and businesses operating in California
- Any entity communicating with or collecting data from California residents
- Companies using monitoring tools such as call recording or chatbots in California
This may include websites, mobile apps, call centres, and any digital or physical service that handles user communications.
What are some key provisions under CIPA?
Key California Invasion of Privacy Act (CIPA) sections that businesses should be aware of include:
Section 631
This section makes it illegal to secretly tap into or access telephone or telegraph lines, including internal phone systems. It also prohibits reading, attempting to read, or using the contents of any message during transmission without the consent of all parties involved. The law applies to anyone who directly engages in such acts or assists others in doing so.
Section 632
It is illegal for anyone to intentionally use a recording or amplifying device to secretly listen to or record a confidential conversation without the consent of all parties involved. This applies whether the conversation happens in person or through devices like phones or telegraphs (but not radio).
The term “confidential” is broadly interpreted and includes communications where one party reasonably expects privacy.
Section 632.5
This section criminalises the act of intentionally and maliciously intercepting, receiving, or helping someone else intercept or receive a cell phone call, whether it’s between two cell phones or a cell phone and a landline, without the consent of all parties involved.
Section 632.6
The section applies to the interception of cordless telephone communications, such as those between cordless phones and landlines or mobile phones, again requiring all parties’ consent.
This applies to calls:
- Between two cordless phones
- Between a cordless phone and a landline
- Between a cordless phone and a cell phone
Section 632.7
It specifically addresses the interception or recording of communications transmitted between cordless or mobile phones and landlines.
It is a crime to intercept and intentionally record a phone call, or help someone else do so, without the consent of everyone on the call. This applies to calls between:
- Two cell phones
- A cell phone and a landline
- Two cordless phones
- A cordless phone and a landline
- A cordless phone and a cell phone
What counts as a confidential communication?
Under Section 632, a communication is confidential when at least one party has a reasonable expectation that the conversation will remain private. Examples include:
- Private phone calls
- Emails
- In-person communications
Communications in public settings, courtrooms, or legislative sessions typically do not qualify as confidential communications.
What is consent under the California Invasion of Privacy Act (CIPA)?
The California Invasion of Privacy Act (CIPA) requires that all parties consent before anyone records or intercepts any confidential communication.
This means every party involved in a conversation must knowingly agree to its recording or monitoring, unless a statutory exception applies.
Types of consent: Express vs implied
The two main types of consent are:
Express consent
Express consent is given explicitly, either verbally or in writing, and clearly indicates that the person agrees to the recording.
For example, a user clicking an “I agree to recording” checkbox before joining a video call, or stating “you may record this call,” constitutes express consent.
Implied consent
Implied consent is not stated directly; instead, a person’s behaviour or the circumstances of the communication may suggest it.
For example, courts have held that when someone continues participating in a call after hearing a clear pre-recorded message that the call will be recorded, they may be giving implied consent.
However, implied consent is scrutinised more strictly and depends heavily on context.
What are the exceptions to CIPA?
The California Invasion of Privacy Act includes specific situations where the law does not apply:
- Law enforcement: Police officers and investigators can record or listen to conversations if their existing legal authority allows them to do so. This includes emergency responses like hostage situations.
- Public utilities: CIPA exempts telephone and communication companies if it’s necessary for building, fixing, or running their services.
- Correctional facilities: The law does not cover the communication systems used only inside jails or prisons.
- Hearing aids: People using hearing aids or similar devices to overcome hearing loss are not breaking the law when doing so.
- Crime victims: Victims of domestic violence, harassment, or certain serious crimes can record conversations without the other person’s consent if the recording is used as evidence.
- One-party consent for crimes: A person involved in a conversation can legally record it without telling the other party if they believe it captures a crime like bribery, extortion, or violence.
- Campus and airport police: University police and airport law enforcement can also record certain communications if permitted under the law.
CIPA vs CCPA: Role of the SB 690 amendment bill
CIPA and the CCPA approach privacy in very different ways, leading to legal confusion for businesses using tracking tools like cookies.
CIPA, with its roots in protecting confidential communications, requires prior consent from all parties before recording or intercepting communication. This has led courts to interpret session replay scripts, chat widgets, and other trackers as potential violations.
Although CIPA is not a data protection law like the GDPR, courts have interpreted it in ways that effectively require prior consent for tools such as session replay scripts, resulting in outcomes that resemble GDPR-like standards.
On the other hand, the California Consumer Privacy Act (CCPA) leans toward an opt-out model. It allows businesses to use cookies as long as they provide users with a way to opt out of the sale or sharing of personal data and give clear disclosures in their privacy policy.
This conflict meant that companies following CCPA guidelines could still be sued under CIPA, especially when tracking tools were activated before consent was obtained.
To address this issue, Senate Bill 690 (SB 690) was introduced. It proposes that:
- CIPA would not apply to tracking technologies like cookies, session replay, or pixels when used for commercial purposes
- Businesses must still comply with the CCPA, which means transparency and opt-out options remain essential
- The amendment would apply retroactively to lawsuits pending as of January 1, 2026
As of today, the bill is still under legislative consideration and has not yet been enacted into law. If passed, SB 690 will bring much-needed consistency to California’s privacy laws, protecting consumer rights while reducing unnecessary litigation for businesses that act in good faith.

CIPA and online tracking: What businesses should know
In recent years, CIPA has given rise to several class action suits regarding online tracking tools such as:
- Session replay tools that track mouse movements, keystrokes, and scrolling
- Chat widgets that store customer conversations
- Cookies and tracking pixels that collect behavioural data
Courts have ruled that some of these actions constitute unauthorised interception or recording under CIPA if they do not inform users in advance or obtain their consent.
However, in Valenzuela v. The Kroger, the court dismissed CIPA claims involving chatbot tracking, finding that liability under Section 631(a) requires proof that the business knew or intended to aid unlawful interception.
Similarly, in Torres v. Prudential Financial, the court held that CIPA liability does not apply unless a party actually reads or attempts to read the content of a communication while it is in transit. The court found that session replay tools used by a vendor did not violate CIPA because they did not ‘intercept’ content as defined by the statute.
These decisions highlight the growing judicial emphasis on harmonising older wiretap laws like CIPA with modern privacy frameworks such as the CPRA.
How to comply with the California Invasion of Privacy Act (CIPA)?
Here’s how to ensure CIPA compliance:
#1 Obtain valid consent
CIPA requires prior consent from all parties before recording or monitoring communications. Consent must be expressly given. Pre-recorded messages informing users that a call or interaction may be recorded are also accepted under certain conditions.
Though CIPA vs CCPA compliance is still a grey area, obtaining consent before using tracking tools is recommended for CIPA compliance.
#2 Ensure vendor compliance
If you use third-party services like chat, session replay, or analytics providers, review your contracts to ensure that these vendors are obligated to comply with CIPA.
You can be held liable if your vendors unlawfully intercept or record data with your knowledge.
#3 Provide clear disclosures
Inform users about any data collection through methods such as a privacy policy.
#4 Limit data access and use
Collected communication data should only be used for clearly stated business purposes. Avoid repurposing or sharing data without user consent.
#5 Seek legal advice
Consult a legal professional to learn more about CIPA compliance strategies tailored to your business.
The following YouTube video, published by Nixon Pearson a year ago, discusses CIPA and how it impacts businesses with a website.
Penalties under the California Invasion of Privacy Act (CIPA)
The California Attorney General enforces CIPA. Violations are taken seriously and can result in both criminal and civil consequences:
- Criminal fines: Up to $2,500 per violation; up to $10,000 for repeat violations
- Imprisonment: Up to one year in county jail or longer, depending on severity and specific section violated
- Civil damages: $5,000 per violation or three times the actual damages, whichever is greater
These penalties apply per incident, which means businesses could face significant liability if violations occur at scale without consent mechanisms in place.
FAQ on California Invasion of Privacy Act
The invasion of privacy law in California refers to the California Invasion of Privacy Act (CIPA). CIPA is designed to protect individuals from unauthorised surveillance and eavesdropping.
The law makes it illegal to record or intercept confidential communications without the consent of all parties involved. Enacted in 1967, the law applies to various forms of communication, including phone calls, electronic messages, and in some cases, online interactions.
Yes, you can sue for invasion of privacy in California under the California Invasion of Privacy Act (CIPA). If someone records, intercepts, or eavesdrops on a confidential communication without your consent, you may file a civil lawsuit. Victims can seek statutory damages of $5,000 per violation or three times the actual damages, whichever is greater, along with possible criminal penalties for the offender.
Yes. CIPA can apply to websites outside the state if they interact with California residents. If your website records or monitors communications from users located in California, you may be subject to CIPA, regardless of where your business is based.
The California Invasion of Privacy Act (CIPA) protects the confidentiality of communications and prohibits recording or intercepting conversations (like calls, chats, or session activity) without the consent of all parties.
The California Privacy Rights Act (CPRA), an amendment to the CCPA, focuses on personal data rights. It gives California residents the right to know, access, delete, correct, or opt out of the sale or sharing of their personal information collected by businesses.


