Illustration of California privacy law with a padlock magnifying glass judge gavel and California map

California CIPA Website Lawsuits: The Privacy Risk Most Businesses Haven’t Seen Coming

For years, the big website legal worry was accessibility. ADA and WCAG. Screen readers and alt text. That risk hasn’t gone anywhere — but a second one has shown up next to it, and it targets something completely different: how your website watches its visitors. These are CIPA lawsuits, and they’re going after tools almost every business uses without thinking twice — analytics, chat widgets, session replay, tracking scripts. Over the past year alone, more than 3,500 lawsuits and tens of thousands of demand letters have hit businesses over exactly this kind of routine website activity. If your site runs any of these tools (it almost certainly does), this is worth ten minutes of your attention.

What CIPA actually is

The California Invasion of Privacy Act was passed in 1967 — to stop people from secretly recording phone calls. Wiretapping. That was the whole point. Nearly sixty years later, plaintiffs’ attorneys are pointing that same law at websites. Most claims lean on Penal Code § 631, the section that bars unauthorized interception of a communication. The argument: when a site records what you type in a chat box, replays your session, or quietly shares your activity with a third party, that’s “intercepting a communication” without your consent — the digital version of tapping a phone line. It’s a stretch from the 1967 intent, and courts are still sorting out how far it goes. But the theory has stuck well enough to fuel a fast-growing wave of lawsuits aimed at:
  1. Session replay software
  2. Chat widgets and customer-support tools
  3. Website analytics platforms
  4. Visitor tracking and behavior-monitoring tools
  5. Embedded third-party scripts
In other words, the everyday tools you use for support, marketing, and performance are exactly the ones drawing fire.

Why these lawsuits are piling up

Three things are driving the surge. The legal theory keeps stretching. Plaintiffs argue that these tools let third parties see or record what visitors do without clear permission — and that businesses never properly disclosed what’s collected, how it’s recorded, who receives it, or that visitors are being tracked at all. Because courts haven’t drawn firm lines yet, there’s real uncertainty, and uncertainty invites filings. Websites got more sophisticated. Modern sites lean on analytics to understand visitors, session replay to watch how people navigate, chat widgets to handle support, and attribution tools to measure ad spend. All legitimate. All now common targets. The money is good. Under Penal Code § 637.2, a plaintiff can recover $5,000 per violation, or three times their actual damages — whichever is greater. In website cases, actual damages are usually near zero, so the $5,000 becomes the baseline, not the ceiling. Multiply that across visitors and the exposure gets large fast — large enough that many businesses settle rather than fight a long, expensive case. That settlement reflex is exactly what encourages the next round of filings.

SB 690: the law that might change the math

California lawmakers noticed the pile-up and introduced Senate Bill 690 to rein it in. The bill aims to limit certain CIPA claims when the technology in question is being used for a legitimate business purpose — things like analytics, cookies, session replay, support chat, and user-experience tools. The two sides line up about how you’d expect. Supporters say businesses shouldn’t face huge liability for running standard website features that consumers already expect. Critics say people still deserve to know when their activity is being recorded and shared. Where it stands now: SB 690 is advancing through the California Legislature and has been moving through Assembly committee review. Businesses that want to weigh in can submit a letter of support through California’s official position-letter portal. Because legislative timelines shift, the official bill page is the best place to check its current status and any scheduled hearings. Whether or not SB 690 passes, the fact that it exists tells you something: website privacy has become a real governance issue, not a footnote.

CIPA vs. ADA: same pressure, different problem

Most businesses meet website compliance through an accessibility lawsuit first. CIPA is a different kind of problem – here’s how they compare:
Comparison of ADA Website Lawsuits and CIPA Website Lawsuits
ADA CIPA Comparison ADA Website Lawsuits CIPA Website Lawsuits
Core issue Accessibility barriers Privacy and data collection
Standard at play WCAG conformance Consent and disclosure
What's targeted Screen-reader and keyboard support Analytics, recordings, tracking
The right at stake Equal access to the site Privacy of communications
The claim Disability discrimination Privacy violation

Different legal theories, but the same underlying message: businesses are being held accountable for how their websites operate — not just what they sell.

What this means for you

You can’t treat website compliance as just an accessibility checkbox anymore. The scrutiny now spans accessibility, data privacy, cookie consent, third-party integrations, visitor tracking, and how you monitor conversations. Ignore the privacy side and you’ve simply left a second door unlocked.

The smarter frame is to think of website compliance as three things working together:

  • Accessibility — can people with disabilities actually use your site?
  • Privacy — are you honest about what you collect and record?
  • Governance — is someone keeping an eye on all of it as the site changes?

Five practical steps you can take now

  1. Inventory your third-party tools. List every analytics platform, chat widget, marketing tool, session replay app, heatmap, and tracking script running on your site. Most businesses are genuinely surprised by how long the list is — you can’t manage risk you don’t know about.
  2. Read your own privacy policy. Then check whether it actually describes what your site does: the data you collect, the tracking you use, the third parties you share with, and the rights visitors have. Transparency is the heart of privacy compliance, and a stale policy is a liability.
  3. Check your consent setup. Look at your cookie banner and consent tool. Does it match how your site really behaves, and does it reflect current expectations — or is it the default banner you installed years ago and forgot?
  4. Watch the legal landscape. CIPA is moving fast. Keep an eye on new court decisions, legislative changes like SB 690, and regulatory guidance, because what counts as “compliant” is still shifting.
  5. Handle it all together. Accessibility and privacy shouldn’t live in separate silos. A single website-governance approach covers both — and keeps a fix in one area from quietly breaking another.

Where this is heading

A law written for telephone wiretaps in 1967 is now one of the biggest legal risks for businesses operating online. That’s a strange place to land, but it’s where we are — and SB 690 won’t fully settle it either way.

The takeaway is simple: you can no longer focus on accessibility and assume privacy will take care of itself. As your website’s tools get more sophisticated, you need to understand not just what they do, but how a court might interpret what they do.

Businesses that get ahead of both accessibility and privacy will spend less on legal exposure, earn more trust, and stop being easy targets.

See where your website stands

Website compliance now means accessibility, privacy, and the responsible use of the tools running behind the scenes. EcomBack helps you understand where your site is exposed and put practical fixes in place — across accessibility, privacy, and ongoing governance.

Get a free website compliance review

This article is general information, not legal advice. For your specific situation, consult a qualified attorney.

Sources

Share: