CIPA · California Invasion of Privacy Act
Got a CIPA demand letter? Scan first.
Free instant scan for CIPA violations. See exactly which trackers fire before your visitors consent.
Need help fixing the issues?
Book a 20-min call with our compliance team to walk through your results.
About CIPA
CIPA (California Invasion of Privacy Act, Cal. Penal Code § 630 et seq.) prohibits intercepting or recording communications without all-party consent — and plaintiffs' firms now apply it to website tracking. Section 631 (wiretapping) targets pre-consent pixels and session replay; § 638.51 (pen register / trap-and-trace) targets tools that capture visitor identifiers like IP addresses; § 632.7 covers SMS and phone. The statute carries $5,000 per violation in statutory damages with no proof of harm required, which is why demand letters arrive in batches. The first major jury verdict, Frasco v. Flo Health (2025), confirmed that routine third-party SDK data sharing can create CIPA liability.
What the scanner checks
The scan loads your site the way a first-time California visitor would — before any consent is given — and records every tracker that fires. It flags advertising pixels (Meta, TikTok, Google Ads), analytics (GA4), session replay tools (Hotjar, FullStory, Microsoft Clarity), and chat widgets that transmit visitor data to third parties pre-consent. These are the same signals plaintiffs' firms collect with their own scanning tools before sending a demand letter, so the report shows you exactly what they would see.
What a failing result means
A failing result means at least one third-party tracker captured visitor data before consent. Under the trap-and-trace theory (§ 638.51), even collecting an IP address or device identifier pre-consent is alleged to require a court order or consent. It does not mean you have been sued — but it means a plaintiffs' firm scanning your site would find the same thing. Sites with pre-consent Meta Pixel or session replay on California traffic are the most common demand-letter targets.
What to do next
First, gate every non-essential tracker behind prior consent for California visitors — a consent management platform that blocks scripts until opt-in closes the core exposure. Second, audit chat widgets and session replay vendors, which create the most direct § 631 risk. Third, if you have already received a demand letter, do not ignore it and do not pay reflexively: the underlying violation is usually fixable within days, and remediation strengthens your negotiating position. PieEye's Trap and Trace Shield automates consent gating for exactly this scenario.
CIPA scanner FAQ
- What is a CIPA demand letter?
- A CIPA demand letter is a pre-litigation notice from a plaintiffs' firm alleging that your website intercepted a visitor's communications or captured their identifiers without consent, in violation of the California Invasion of Privacy Act. It typically cites § 631 (wiretapping) or § 638.51 (pen register / trap and trace), claims statutory damages, and offers to settle before filing. Thousands of these letters are sent to eCommerce sites each year, usually based on an automated scan of your site's pre-consent tracking behavior.
- How much are CIPA settlements?
- CIPA provides statutory damages of $5,000 per violation ($2,500 under § 637.2 for some claims) with no requirement to prove actual harm. Individual pre-litigation settlements commonly run from several thousand to tens of thousands of dollars, while class actions and mass-arbitration campaigns can reach seven or eight figures. The 2025 Frasco v. Flo Health jury verdict against Meta demonstrated that these cases can survive all the way to trial.
- Which website trackers can violate CIPA?
- The most commonly cited are the Meta (Facebook) Pixel, TikTok Pixel, Google Analytics, session replay tools like Hotjar, FullStory, and Microsoft Clarity, third-party chat and chatbot widgets, and advertising tags that fire before consent. Under the trap-and-trace theory, any third-party script that captures a visitor's IP address or device identifiers pre-consent can be alleged to violate § 638.51.
- Does a cookie banner protect me from CIPA claims?
- Only if it actually blocks trackers until the visitor consents. Many banners are cosmetic — trackers fire on page load regardless of what the visitor clicks. CIPA claims focus on what happens before consent, so a banner that does not gate scripts provides little protection. The scan shows whether your trackers respect your banner.
- What does "trap and trace" mean for websites?
- Trap-and-trace devices historically captured the phone numbers of incoming calls. Plaintiffs' firms now argue that analytics and advertising scripts which capture visitor IP addresses and device identifiers are the digital equivalent, requiring consent or a court order under Cal. Penal Code § 638.51. Courts are split, but the theory has survived motions to dismiss often enough to fuel a wave of demand letters.
- Is this CIPA scan really free?
- Yes. The scan runs in about 60 seconds, requires no signup or credit card, and reports which trackers fire before consent on your site. It checks CIPA alongside GDPR, CCPA/CPRA, and Washington MHMD in a single pass.
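The two mechanics this page relies on, recording which third-party hosts receive requests before consent (the scanner check) and shipping trackers inert until the visitor opts in (the gating fix), are shown below as an added example. It is illustrative code written for this page, not PieEye's scanner or any vendor's library. The vendor-to-hostname table uses well-known public endpoints for the vendors the page names, the first-party site `shop.example` and the request list are constructed sample data, and the `consented` flag stands for whatever a crawler records about the banner state at the time each request fired. A request captured with `consented: false` while a banner is on screen is exactly the "cosmetic banner" case from the FAQ.

```javascript
// Illustrative catalogue of third-party tracker hosts, grouped by the vendor
// categories the page names. Hostnames are well-known public endpoints for each
// vendor (assumption for this example; the page itself lists vendors, not hosts).
const TRACKER_CATALOGUE = [
  { vendor: 'Meta Pixel', category: 'advertising', hosts: ['connect.facebook.net', 'www.facebook.com'] },
  { vendor: 'TikTok Pixel', category: 'advertising', hosts: ['analytics.tiktok.com'] },
  { vendor: 'Google Ads', category: 'advertising', hosts: ['googleads.g.doubleclick.net', 'www.googleadservices.com'] },
  { vendor: 'GA4', category: 'analytics', hosts: ['www.google-analytics.com', 'region1.google-analytics.com'] },
  { vendor: 'Hotjar', category: 'session_replay', hosts: ['static.hotjar.com', 'script.hotjar.com'] },
  { vendor: 'FullStory', category: 'session_replay', hosts: ['edge.fullstory.com', 'rs.fullstory.com'] },
  { vendor: 'Microsoft Clarity', category: 'session_replay', hosts: ['www.clarity.ms'] },
];

// Extract a lowercase hostname from a URL; null for anything unparseable (data:, blob:, junk).
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Exact or subdomain match against the catalogue; returns the vendor entry or null.
function matchTracker(host) {
  for (const entry of TRACKER_CATALOGUE) {
    if (entry.hosts.some((h) => host === h || host.endsWith('.' + h))) return entry;
  }
  return null;
}

// Evaluate network requests recorded by a crawler. Each record is { url, consented }.
// Only requests that fired before consent and left the first-party origin count.
function evaluatePreConsent(requests, firstPartyHost) {
  const findings = [];
  for (const req of requests) {
    if (req.consented) continue;                       // post-opt-in traffic is allowed
    const host = hostOf(req.url);
    if (!host) continue;
    if (host === firstPartyHost || host.endsWith('.' + firstPartyHost)) continue; // own origin
    const entry = matchTracker(host);
    if (entry) findings.push({ vendor: entry.vendor, category: entry.category, url: req.url });
  }
  return { pass: findings.length === 0, findings };
}

// Sorted, de-duplicated vendor names from a result, for a one-line summary.
function vendorsFound(result) {
  return [...new Set(result.findings.map((f) => f.vendor))].sort();
}

// Constructed sample: a first-time visitor's request log for shop.example (not real data).
const SAMPLE_REQUESTS = [
  { url: 'https://shop.example/', consented: false },
  { url: 'https://shop.example/static/app.js', consented: false },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', consented: false },
  { url: 'https://www.facebook.com/tr?id=000000000&ev=PageView', consented: false },
  { url: 'https://static.hotjar.com/c/hotjar-000000.js', consented: false },
  { url: 'https://region1.google-analytics.com/g/collect?v=2', consented: true }, // fired after opt-in
];

// Gating pattern for the fix: third-party tags are shipped as inert
// <script type="text/plain" data-consent="analytics" src="..."> and only turned into
// executable scripts once the visitor grants that category. Browser-only; `doc` is a Document.
function activateConsented(doc, grantedCategories) {
  const activated = [];
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!grantedCategories.includes(inert.dataset.consent)) continue;
    const live = doc.createElement('script');
    if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
    live.async = true;
    inert.replaceWith(live);
    activated.push(live.src || '(inline)');
  }
  return activated;
}

if (typeof document === 'undefined') {
  // Node usage: summarise the constructed crawl. Expect a fail with Meta Pixel and Hotjar.
  const result = evaluatePreConsent(SAMPLE_REQUESTS, 'shop.example');
  console.log(result.pass ? 'PASS' : 'FAIL', vendorsFound(result).join(', '));
}
```

The classifier deliberately ignores first-party requests and anything recorded after opt-in, so the only way to pass is for no catalogued third-party host to be contacted while consent is absent. On the fix side, keeping the tags as `text/plain` means the browser never parses or executes them until `activateConsented` runs, which is the property a consent banner has to have for it to matter under the pre-consent theories described above.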