Your Website Could Be Sued for $5,000 Per Visitor. Most Businesses Have No Idea.

Published
Apr 20, 2026

Right now, plaintiff attorneys are scanning websites for weak consent. If your site uses Google Analytics, a Meta Pixel, a chatbot, or any third-party tracking tool, you could be their next target. Over 3,500 businesses have been sued for standard cookie use since 2022. (Stinson LLP, 2026)

They don't need to prove you caused harm. They don't need to prove anyone was injured. Under California's Invasion of Privacy Act (CIPA), a 1967 wiretapping statute that was never written for the internet, statutory damages are $5,000 per violation, and every single visitor to your website can count as a separate violation. (Constangy, Feb 2026)

Most business owners only discover CIPA when they receive a demand letter: a threatening notice that arrives out of nowhere, alleging your website's tracking tools are illegally wiretapping visitors. By then, the legal costs are already mounting.


How a 1967 law became a weapon against websites

CIPA was written to stop Cold War-era phone tapping. For decades, that's all it did. Then plaintiffs' attorneys noticed the language didn't say "telephone." It said "communications." Every time a visitor lands on your website, your tracking pixels, analytics scripts, and session replay tools collect data about what they click, type, and view. That data gets shared with third parties like Meta and Google. Plaintiffs argue this counts as illegal wiretapping. (Varnum LLP, Feb 2026)

The plaintiff doesn't need to show they were injured. They just need to show a tracking tool on your site shared data with a third party without consent. $5,000 per violation. Each visitor is a separate violation. (Jackson Walker LLP)

For a site with 10,000 monthly visitors, the math is terrifying. Most cases settle before trial, but even defending a frivolous claim costs $15,000 to $50,000. Plaintiffs' firms know this. They send demand letters in bulk, betting that most businesses would rather pay than fight. (Brownstein, Feb 2026)

The numbers

The CIPA litigation explosion started in 2022 after a Ninth Circuit ruling expanded the law's application to digital tracking tools. Since then, online tracking claims have been filed across 315 courts in 45 states against over 3,500 unique defendants. (Stinson LLP, 2026)

In January 2026, courts issued twice as many CIPA wiretapping decisions as the previous month. Plaintiffs are now also filing under the federal wiretapping act (ECPA), which carries $10,000 per violation and can be brought in any state, not just California. (Troutman Pepper, Feb 2026)

It's not just big brands. CIPA claims hit businesses of every size. The common thread isn't revenue or headcount. It's whether your website shares visitor data with a third party without informed consent. If you run any of these tools, plaintiffs already have what they need:

Website technologies that have triggered CIPA lawsuits:

  • Meta Pixel (Facebook tracking pixel), the most commonly cited
  • Google Analytics and Google Tag Manager
  • Session replay tools like Hotjar, FullStory, Microsoft Clarity
  • Live chat and chatbot software, including AI chatbots
  • Advertising SDKs and retargeting pixels
  • Website search bars connected to analytics platforms

In Camplisson v. Adidas (Nov 2025), a federal court ruled that Adidas's use of TikTok Pixel and Microsoft Bing tracking pixels plausibly violated CIPA's pen register provisions. The court found that simply having a consent mechanism wasn't enough: Adidas's terms weren't prominent enough for visitors' agreement to count as informed consent. (Baker Donelson, Jan 2026)

Not sure which US data privacy laws apply to your business? Cookiebot's free regulations finder identifies your obligations across all 20+ state privacy laws in under 2 minutes.

Why CIPA lawsuits are getting worse in 2026

SB 690 Reform Stalled

California's SB 690, which would have shielded businesses from routine cookie tracking claims, passed the Senate unanimously but stalled in the Assembly. It won't take effect until 2027 at the earliest, creating a window for plaintiffs to file before any safe harbor exists. (Ballard Spahr, Jan 2026)

Courts Are Deeply Divided

Federal and state courts are issuing contradictory rulings on CIPA's scope. The legal uncertainty means more cases proceed past early dismissal, driving up costs for defendants regardless of merit. (Holland & Knight, Feb 2026)

Federal Wiretap Claims Rising

Plaintiffs are pairing CIPA with federal ECPA violations ($10,000 per violation), filing in courts across the country. (Troutman Pepper)

AI Chatbots Are the Next Target

Chatbots, AI assistants, and generative AI tools that process user input are the newest targets. Plaintiffs argue these tools "intercept" private communications, and courts haven't settled the question. (Ogletree, Oct 2025)

This is the most common assumption businesses make before receiving a demand letter. It's wrong on two counts. First, CIPA applies to any website accessible by California residents — not just businesses incorporated or operating there. If your site has no geo-blocking, any California visitor triggers potential liability. Second, and more consequentially: plaintiffs are now filing the same claims under the federal Electronic Communications Privacy Act (ECPA), which carries $10,000 per violation and can be brought in federal courts in any state. Your business doesn't need a California connection for a federal wiretap claim. It needs a website. (Troutman Pepper, Feb 2026)


How to protect your website from CIPA claims

The law is messy and unsettled. But the practical steps to reduce your exposure are the same across every law firm advisory we reviewed:

1. Audit your website's tracking technologies

Most businesses don't have a complete inventory of the cookies, pixels, and scripts running on their site. Third-party tools often load additional trackers dynamically. You may have tracking technologies on your website you don't even know about. Start with a free cookie scan to see everything. (Brownstein LLP)

The single most effective defense against a CIPA lawsuit is demonstrating that visitors gave informed consent before any tracking tools activated. This requires a properly configured consent management platform (CMP), not just a generic cookie notice or a privacy policy buried in your footer.

A consent banner alone isn't enough. The tracking technologies themselves need to be technically blocked from running until the visitor makes an active choice. This is called "auto-blocking." When auto-blocking is active, tracking scripts never execute — meaning no data is transmitted to a third party, and the "communication" that CIPA's pen register theory requires never technically occurs. That is the difference between a defensible website and one that's exposed to CIPA claims.
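The auto-blocking behavior described above can be sketched as a small consent gate. This is an added example, not Cookiebot's code or any vendor's API; the function names, category labels, and URLs are hypothetical, and the loader is injected so the same logic runs in a browser or in a test.

```javascript
// Added example, not Cookiebot code. All names and URLs are hypothetical.
// Tags are held as inert descriptors; nothing is passed to the loader (so no
// request reaches a third party) until the visitor opts into the category.
function createConsentGate(loadScript, now = () => new Date().toISOString()) {
  const queued = [];          // tags still waiting for a decision
  const granted = new Set();  // categories the visitor actively accepted
  const auditLog = [];        // timestamped record for compliance evidence

  function flush() {
    const waiting = queued.splice(0);   // empty the queue, keep original order
    for (const tag of waiting) {
      if (granted.has(tag.category)) {
        loadScript(tag.src);
        auditLog.push({ at: now(), event: 'loaded', ...tag });
      } else {
        queued.push(tag);               // still blocked
      }
    }
  }
  return {
    // Every third-party tag goes through here instead of a plain <script>.
    register(src, category) {
      queued.push({ src, category });
      flush();
    },
    // Called only from the banner's buttons, never with a pre-ticked default.
    decide(categories) {
      for (const c of categories) granted.add(c);
      auditLog.push({ at: now(), event: 'decision', categories: [...categories] });
      flush();
    },
    blocked: () => queued.map((t) => t.src),
    auditLog,
  };
}

// In a browser, the injected loader would add a <script> element.
const domLoader = (src) => {
  const el = document.createElement('script');
  el.src = src;
  document.head.appendChild(el);
};

// Constructed scenario: two third-party tags, visitor accepts statistics only.
function demo() {
  const requests = [];
  const gate = createConsentGate((src) => requests.push(src), () => '2026-01-01T00:00:00Z');
  gate.register('https://analytics.example/a.js', 'statistics');
  gate.register('https://pixel.example/p.js', 'marketing');
  const beforeChoice = [...requests];
  gate.decide(['statistics']);
  return { beforeChoice, afterChoice: [...requests], blocked: gate.blocked(), log: gate.auditLog };
}
```

The gate only controls tags registered through it; a script hard-coded in the page markup or injected by another tag bypasses it, which is why the tracker audit in step 1 comes first.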

4. Document your compliance efforts

Automated cookie scanning and compliance documentation create a defensible record showing you identified tracking on your site, disclosed it to users, and obtained consent before processing. Multiple law firms advising on CIPA defense specifically recommend maintaining this documentation. (Shumaker LLP, Dec 2025)

Over 3,500 businesses have been sued for standard cookie use. The ones that had proper consent mechanisms in place had a defense. The ones that didn't had a settlement. Automated scanning, consent management, and auto-blocking close the gap that plaintiffs are looking for.

This isn't going away. It's accelerating.

Even if California's SB 690 passes in 2026, it won't take effect until January 2027 at the earliest and it won't apply retroactively to existing claims. Legal experts expect a surge of CIPA filings as plaintiffs race to beat the deadline. (Coblentz, Sep 2025)

And it's not just CIPA. Twenty states now have comprehensive data privacy laws. Regulators in California, Colorado, and Connecticut have launched coordinated enforcement sweeps. And Google Chrome is preparing to ship native Global Privacy Control (GPC) support ahead of the January 2027 browser mandate, which will fundamentally change how cookie consent works on the web.


Frequently asked questions

What is a CIPA demand letter?

A CIPA demand letter is a legal notice alleging that your website's tracking tools violate the California Invasion of Privacy Act by intercepting visitor communications without consent. These letters typically demand a settlement to avoid a lawsuit. Statutory damages under CIPA are $5,000 per violation.

Does CIPA only apply to California businesses?

No. CIPA applies to any website accessible to California residents, regardless of where your business is located. Plaintiffs are also filing similar claims under federal wiretapping law in courts across the country.

What are the penalties for a CIPA violation?

CIPA allows statutory damages of $5,000 per violation, and each website visitor can count as a separate violation. No proof of actual harm is required. The federal wiretapping act carries $10,000 per violation. Legal defense costs typically range from $15,000 to $50,000 even for frivolous claims.

Will SB 690 protect my business?

Not yet. SB 690 passed the California Senate unanimously but stalled in the Assembly. Even if it passes in 2026, it won't take effect until January 2027 at the earliest and will not apply retroactively.

How does Cookiebot CMP help with CIPA?

Cookiebot detects all cookies and trackers on your site, blocks them from firing before the visitor gives consent, displays a compliant consent banner, and generates compliance documentation. Consent is one of the primary defenses against CIPA claims.