Why CIPA is changing the conversation around digital tracking

This article was co-written by Lucas Walshe, Senior Digital Analytics Consultant at fifty-five. 

Legal teams increasingly ask marketing teams to weigh in on the California Invasion of Privacy Act (CIPA), a little-known California privacy law from 1967 that’s resurfaced in disputes over digital tracking. Many companies struggle to understand what’s at stake or how to adapt.

While your legal team determines compliance, you play a key role by explaining how your data collection works, which tools you use, and the business impact of potential changes. Those conversations help ensure privacy-focused solutions meet legal obligations while limiting marketing impacts.

What is CIPA?

CIPA is a Cold War-era law enacted in 1967. The law aimed to punish “eavesdropping upon private communications” (California Penal Code §630). At the time, this primarily meant fighting wiretaps and similar privacy-violating techniques.

The law uses obscure and somewhat dated terms like “pen register” (“a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication […]”) and “track and trace device” (“a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information […]”). The wording reflects the era when the law was enacted, and many lawyers say it makes applying the law today more challenging.

Violators risk civil penalties of up to $5,000 per violation per day (or three times the plaintiff’s actual damages, whichever is greater). Anyone has a private right of action and can bring claims against companies that allegedly invaded their privacy. Class actions are also possible. 

Like the CCPA/CPRA, CIPA is a California state law, but its practical impact can extend beyond the state’s borders. Companies outside California may still fall under CIPA when their activities involve communications with California residents.

Why CIPA is becoming a hotspot for U.S. marketers

CIPA saw relatively little use when lawmakers enacted it. But it made a surprise comeback in the digital era. Some internet users are suing websites that collected data during their visits, claiming CIPA also applies to digital tracking. To oversimplify, common tracking mechanisms (tags, SDKs, pixels, fingerprinting, cookies, session replay, and more) amount to intercepting traffic and are therefore illegal under CIPA. Because anyone can bring a private action, many U.S. companies now face CIPA-related complaints.

Initially, most marketers and specialized lawyers rebuked the argument that CIPA covers digital tracking. The online advertising trade association, IAB, even released a Defense Toolkit detailing how advertisers can counter CIPA allegations.

But more companies began to settle after early rulings denied motions to dismiss and suggested these claims may have some merit. To our knowledge, no definitive ruling exists. Consequently, the situation remains unclear.

How marketers should adapt

More and more legal departments ask their marketing teams to implement new tools to improve compliance.

Your No. 1 priority should be to maintain constant, open communication with your legal department. They’re responsible for interpreting the law and determining compliance. But that doesn’t mean you should stay inactive. 

Your team should provide the technical and business information your legal department needs to make informed decisions, including what data is critical to your operations, how you collect it, which tools you use, and how you can customize their setup.

The most basic option, requested by many of our clients’ legal departments, is blocking tracking until users consent to cookies or tracking, ensuring consent is given before any alleged CIPA-type interception. However, this means losing a significant amount of data, as consent rates typically hover between 60% and 80% with accept-or-reject banners.

Other solutions are emerging to minimize data loss. One is server-side tracking, where data is sent through an intermediary server. Some early rulings, including Smith v. Rack Room Shoes Inc., suggest CIPA wouldn’t apply in this case. You should bring this option and others, like Google Tag Gateway, to your legal department to evaluate how they may help.

Still, keep in mind that complying with CIPA doesn’t eliminate the need to comply with the CCPA. Some requirements may also apply simultaneously. For example, cookie banners must meet all CCPA requirements, including symmetry.

The best strategy is investing in a broader data collection plan, paying particular attention to zero-party data (data customers provide voluntarily) and first-party data (data you own), because they offer the highest quality and are least vulnerable to challenges. 

Third-party data is among the most vulnerable to legal challenges and technical limitations. Rethinking how you collect and activate data will help minimize CIPA-related impacts and support sustainable, long-term performance.

Data governance must be a marketing priority

CIPA’s unexpected reemergence created uncertainty across the U.S. legal departments making compliance decisions, but marketers provide the business and technical context, from explaining technical tools to evaluating data collection strategies. 

A strong partnership between legal and marketing helps your company navigate legal uncertainty while keeping MOps running with as few restrictions as possible.

CIPA also reminds us that data governance is now a key part of marketing operations. Well-planned data governance improves data availability across the organization and supports long-term activation and growth. Conversely, poor data governance can create legal risk and erode customer trust after public incidents such as data breaches. 

Data governance belongs at the center of every long-term marketing strategy.

Note: We aren’t legal professionals. We’ll leave legal analysis to lawyers and attorneys, and nothing in this article constitutes legal advice.

Scroll to Top