California Invasion of Privacy Act Litigation Updates

How Recent CIPA Rulings Have Impacted Consumer Privacy Claims

Over the last several months, a handful of companies have defeated California Invasion of Privacy Act (“CIPA”) lawsuits. Cases like Heiting v. HP, Inc., Torres v. Prudential Financial, Inc., and Gutierrez v. Converse Inc., have even received significant attention online. These wins are encouraging, but businesses should realize these cases are specifically noteworthy because the outcome was uncommon.

What is CIPA?

CIPA is a California state privacy law that prohibits intentionally intercepting transmission of electronic communications without the consent of all parties. It forbids using or disclosing information obtained through interception or wiretapping. CIPA also prohibits aiding or conspiring with someone else to commit any such violation.

When the California Legislature enacted CIPA in 1967, the goal was to protect the privacy of communications for California residents, whether by telephone, telegraph, or other electronic means. Tape recorders and similar devices were considered radically advanced technology, and California lawmakers were especially concerned about how these devices could be used to conduct wiretapping. CIPA is actually a criminal law within the California Penal Code, but it contains a provision that allows a private citizen to sue and potentially recover $5,000 per violation.

Concerns about the privacy of electronic communications seem uncontroversial. In the last two years, however, there has been a tidal wave of CIPA lawsuits involving modern internet technologies, such as website cookies and chat features, trackers linked to social media platforms, and session replay software. These technologies are a far cry from the portable tape recorder that concerned California lawmakers in 1967, but courts have held that CIPA applies nonetheless. For businesses using these technologies, CIPA can be a trap for the unwary.

Recent Legal Challenges to CIPA

Several recent rulings are notable, seemingly giving businesses hope in the battle against CIPA claims—but these cases should be understood as exceptions, not the rule.

Heiting v. HP, Inc.

The court dismissed the plaintiff’s CIPA claims without leave to amend, holding that certain website technology did not fall under CIPA’s definition of a “trap and trace” device. Specifically, the court held that HP’s use of web session recording technology did not violate CIPA, largely because the technology didn’t “intercept” communications in the way CIPA envisioned.

Torres v. Prudential Financial, Inc.

This case focused on the defendant’s use of an online web form that visitors fill out to obtain a life insurance quote. Plaintiffs alleged a CIPA violation because the web form collected user information, which was then transmitted to a separate company. The court sided with Prudential, holding that the plaintiffs had failed to show that the separate company read or attempted to read the contents of the web form that it received. Unlike Heiting, Torres was decided at summary judgment, which is a later stage of the lawsuit.

Gutierrez v. Converse Inc.

In this case, the Ninth Circuit affirmed a win for Converse, finding no actionable CIPA violation when visitor information was collected by a vendor acting as an agent of the business through the website’s online customer service chat feature. Converse successfully argued that the type of information entered by a user into the chat was not the type of information contemplated by CIPA’s wiretapping provision. The case is notable because it reached the federal appellate court, whereas most CIPA cases settle long before the case is appealable.

Limits of Recent CIPA Rulings

It’s understandable that business owners and website proprietors could misread these cases as helpful for defeating a CIPA claim, especially when desperately scouring the internet for help after receiving a CIPA demand letter or notice of arbitration. But as noted above, none of these cases—nor any other CIPA cases decided to date—set binding precedent. In other words, judges in other cases are free to apply or completely disregard the holdings of Gutierrez, Heiting, and Torres. Courts also recognize that interpreting CIPA too narrowly guts its purpose. Indeed, many judges have penned strong language defending CIPA, or simply holding that CIPA allegations are sufficient for a case to proceed.

Successful CIPA Litigation

Both sides are learning. Plaintiffs can adjust their allegations in future lawsuits to ensure their claims survive after cases like Heiting. For every case like Torres or Gutierrez, many others settle long before summary judgment because of the cost of continued litigation. Ultimately, these cases show that businesses must understand how the technology used on their websites actually works. Not all digital recordings are harmless, and consent must be established prior to capturing certain consumer data. For businesses, updating consent mechanisms and ensuring transparency remain the best defenses. Using cookies and other trackers on a business’s website that capture sensitive information from visitors without first obtaining consent significantly increases the chance of a CIPA claim.

The Future of CIPA Litigation

What does the future look like for consumer privacy law in California?

The tech treadmill never stops. Today's chat feature might be tomorrow’s VR assistant or interactive AI web feature. Savvy plaintiffs and their attorneys are actively working to expand CIPA to new technologies—sometimes creatively.

Bottom line – CIPA claims are far from dead. While businesses have notched some wins, most claims survive motions to dismiss in California state and federal courts. Businesses should be proactive and acknowledge that online privacy is considered a cornerstone of operating business in California. The next big case could well restore balance, or even tip the scale back toward consumers.