In 2025, a handful of well-resourced companies found themselves facing nine-figure liabilities for privacy violation claims they hadn’t seen coming. A jury returned a $425.7 million verdict against Google. Flo Health, Google, and Flurry paid a combined $59.5 million to settle related claims, and Meta refused to settle, went to trial, and was found in violation by a jury. Wells Fargo settled call-recording claims for $28 million. Aggregate disclosed exposure across these matters crossed $500 million.
What links these companies is not negligence. Each had a privacy program. Each had a CCPA compliance posture, often with experienced counsel and seasoned operators behind it. They were sued anyway, under a different California statute that most privacy teams spent the last five years building programs around without accounting for, and without realizing they had left a gap.
The California Invasion of Privacy Act, Cal. Penal Code § 631(a), was enacted in 1967 to govern telephone wiretapping. For decades it occupied a quiet corner of California criminal law. Beginning around 2022, plaintiffs’ counsel started arguing that the statute also applies to website trackers, search bars, chatbots, session replay tools, and AI meeting transcription products. For several years the theory was speculative. In 2025, it stopped being so, and it started producing the settlements and verdicts described above.
The legal landscape, however, is not static. In May 2026, a California court issued a landmark ruling secured by Mintz’s Privacy team, holding that CIPA applies only to telephone communications, not to software on a commercial website.
The court was direct:
“This statute applies to telephone communications, and not to software on a commercial website.”
That ruling has not closed the book on CIPA litigation risk, but it has materially changed the analysis that privacy programs should be running.
This post is the first of four. Each one addresses a different layer of the same problem: the legal architecture, the litigation landscape, the technical exposure inventory, and the operational defense. This one explains the CIPA framework, why so many companies that did the right CCPA work remained exposed, how the 2025 verdicts landed, and how the 2026 landscape requires a more nuanced, risk-based response than simply switching to opt-in consent for California users.
CCPA and CIPA are not substitutes
The most consequential thing a privacy team can understand about California is that CCPA and CIPA are independent statutes. They cover overlapping conduct. They are enforced by different parties under different consent standards with different remedies. Compliance with one does not produce compliance with the other.
CCPA, the California Consumer Privacy Act, governs how businesses collect, sell, and share personal information. The framework is notice and choice. Consumers have rights to access, correct, delete, opt out of sale and sharing, and limit sensitive personal information processing. Enforcement of the CCPA is shared between two authorities: the California Privacy Protection Agency (CalPrivacy) and the California Attorney General (AG), with distinct but complementary roles. Businesses receive notice from CalPrivacy or the AG but have no guaranteed right to cure violations before penalties are imposed, though CalPrivacy retains discretion to allow remediation. The CPRA amendments eliminated the CCPA’s original 30-day cure period for regulatory enforcement; a limited 30-day cure right survives only for private security breach actions.
CIPA governs the interception of communications. The framework is consent: specifically, all-party, prior, express consent. The statute requires affirmative authorization from all parties before a communication can be recorded or its contents read by a third party. Enforcement is both criminal (fines and imprisonment) and civil. Any person injured by a violation can bring a civil action under § 637.2, with statutory damages of $5,000 or three times actual damages, whichever is greater, though whether that amount accrues per violation or per lawsuit remains contested in the courts.
The two laws operate on different theories. CCPA assumes data collection will happen and structures the rules of disclosure and choice around it. CIPA assumes interception is presumptively prohibited and requires affirmative authorization to make it lawful. A business can comply fully with CCPA’s notice-and-choice obligations and still violate CIPA’s prior-consent requirement, because the consent CCPA requires is opt-out and the consent CIPA requires is opt-in.
Courts have applied CIPA well beyond traditional telephony, to website chat features, session replay tools, pixel tracking, and online behavioral advertising, which is precisely why the exposure gap is so pronounced. Plaintiffs have understood this for several years. Many privacy teams have not. Note also that California SB 690, introduced in 2025, stalled and was designated a two-year bill by the Assembly Committee on Public Safety; it could resume consideration no earlier than the 2026 legislative session, with its aim of narrowing CIPA’s civil liability exposure for conduct involving data processed for commercial business purposes.
Understanding the wiretapping landscape
All US states except Vermont have laws restricting eavesdropping on or recording private conversations. Eleven states require consent from all parties before recording a communication, California among them. The other 39 states plus the District of Columbia require consent from only one party. This makes California one of the strictest jurisdictions in the country on this question, and this is the reason CIPA has become the vehicle of choice for plaintiffs targeting digital tracking practices.
Wiretapping is the interception of electronic communications (phone calls, digital messages, and emails) to secretly monitor and capture information without the knowledge of the parties involved. Wiretapping laws like CIPA, originally enacted in 1967 to prevent eavesdropping on telephone calls, have been repurposed by plaintiffs’ counsel to bring lawsuits and arbitration actions claiming that the use of cookies and other tracking technologies violates individual privacy.
The argument is that trackers collecting a user’s IP address and recording their interaction with a website create a “pen register,” a device that records “dialing, routing, addressing, or signaling information” transmitted from a device, in a way that triggers the statute.
These cases are causing businesses to rethink both their consent management strategy and their legal one. The scope of that rethink, however, needs to be informed by the actual state of the law, which, as of mid-2026, is more contested than the 2025 verdicts alone suggest.
Why the gap exists
Most modern privacy programs were built between 2018 and 2023, in the years following GDPR’s enforcement date and CCPA’s effective date. The professional architecture of the field organized itself around the notice-and-choice frameworks those laws established. Privacy teams built data maps, vendor inventories, DSAR workflows, training programs, breach response procedures, and audit cadences. The work was substantial and serious.
What was not built into most of those programs was a defense against a 1967 wiretapping statute that nobody had used against websites until plaintiffs’ counsel started running the theory in California state court. CIPA was not on the syllabus. It did not appear in CCPA implementation playbooks. The dominant enterprise privacy platforms that organized the field’s tooling did not center CIPA in their product roadmaps. Privacy teams reasonably trusted that the work they were doing on CCPA and GDPR covered the California waterfront. It did not.
What 2025 made explicit
Three matters anchored the year.
In Rodriguez v. Google, a jury awarded $425.7 million on the theory that Google’s Firebase toolkit captured in-app browsing histories and search queries even after users had disabled the “Web & App Activity” privacy setting. The court found that fragmented disclosures had misled users about what would happen when they turned the setting off. The lesson is operational: a disabled privacy toggle cannot be reinterpreted later as consent. The gap between what the user experience represents and what the system actually does is precisely where CIPA liability lives.
In Frasco v. Flo Health, Google, Flurry, and Meta, the four defendants faced claims that Flo’s fertility app shared reproductive health data with analytics providers without meaningful consent. Google, Flo, and Flurry settled for a combined $59.5 million. Meta refused to settle, took the case to trial, and a jury found Meta in violation of CIPA. The verdict is on appeal. It is the first known CIPA jury verdict against a major social media company.
Two ancillary points round out the year. A New Jersey court dismissed CIPA claims against Quest Diagnostics, finding that Facebook’s pixel caused the user’s browser to send data directly to Facebook, making Facebook a participant in the communication rather than an eavesdropper. The same year, a different court denied Mashable’s motion to dismiss, holding that third-party trackers embedded in Mashable’s site are pen registers under § 638.51 and that Mashable “installed and used” them. The two cases describe very similar technology. They went opposite directions because of how the data flowed. We will return to this distinction in Post 3; for now, it is enough to note that the technical architecture of a tracker can be outcome-determinative.
Aggregate disclosed CIPA exposure across these matters crossed $485 million in 2025. The plaintiffs’ bar has noticed. The defense bar has noticed. Many privacy programs have not yet noticed at the level required to act.
The evolving legal landscape in 2026
The litigation picture heading into 2026 is more contested than the 2025 verdicts alone suggest.
In May 2026, Mintz’s Privacy team secured what may prove to be the most significant CIPA ruling since the wave of tracker-related litigation began. A California court held that CIPA applies only to telephone communications, not to standard website technologies, and dismissed the claims with prejudice.
The court’s conclusion was direct:
“This statute applies to telephone communications and not to software on a commercial website.”
The decision adopted the position that CIPA provisions do not apply to the internet broadly and are limited to telephone communications at best. It directly undercuts plaintiffs’ arguments that routine website data practices require the heightened all-party consent the statute demands. The full ruling is available at mintz.com.
This ruling does not eliminate CIPA risk. It is one court’s decision, not settled California law, and conflicting decisions remain on the books. But it does change the analysis. A privacy team or outside counsel advising “go opt-in across California to manage CIPA risk” without accounting for this ruling is working from an incomplete picture.
SB 690, introduced in early 2025, would create a safe harbor for routine analytics and advertising activity already governed by CCPA, potentially reshaping the litigation landscape for future cases. An earlier retroactivity clause that would have applied to pending cases was removed during the legislative process. It cleared the California Senate 35–0 but stalled in the Assembly committee and carries an August 2026 session deadline. It has not become law.
The right posture is to build a defensible consent program that holds up either way: if SB 690 passes, you’ll be ahead of it; if it doesn’t, you won’t be exposed.
The damages math, and a contested theory
A privacy officer reading this should understand one thing clearly before discussing it with the board: the exposure is large enough that most defendants never litigate how large.
Section 637.2 provides for statutory damages of $5,000 or three times actual damages, whichever is greater. Plaintiffs routinely argue that figure applies per violation, and that each third-party recipient of intercepted data constitutes a separate violation. Under that reading, a single user session that fires four marketing pixels before consent produces four violations of $5,000 each. Multiplied across California user sessions over a class period, the exposure climbs quickly.
The “per violation” reading is plaintiff theory, not settled law. Courts have not uniformly resolved it, and a credible argument exists that $5,000 is a per-action cap rather than a per-violation multiplier. Your counsel should run the specific math against your fact pattern.
What the debate obscures is the practical reality: the per-action floor multiplied by class size is large enough that few defendants choose to litigate the multiplier question to final judgment. The cases settle. That’s the number your board needs to understand.
Regulators are running the same play from the other side
While plaintiffs’ counsel work the CIPA angle, California regulators have escalated CCPA enforcement against the same architectural failures. In February 2026, the California Attorney General announced the largest CCPA settlement to date, $2.75 million in civil penalties against the Walt Disney Company, for failing to fully honor opt-out requests across devices and streaming services associated with consumers’ Disney accounts. On the same day, February 27, 2026, CalPrivacy issued two additional enforcement actions: PlayOn Sports paid $1.1 million for using a consent banner that forced users to click “Agree” with no reject option, failing to honor opt-out signals, and maintaining a privacy policy that had not been updated since 2022; and Ford Motor Company paid $375,703 for requiring consumers to verify their identity and confirm their email address before their opt-out request would be processed, an unnecessary verification step that the CCPA expressly prohibits for opt-out requests.
These are CCPA enforcement actions, but the conduct they target is the same conduct that drives CIPA litigation. A company penalized by CalPrivacy for dark-pattern or forced-consent violations involving tracking technologies may well face parallel CIPA wiretap claims from private plaintiffs for the same underlying behavior, though outcomes in that litigation have been inconsistent, with some claims proceeding and others dismissed. The two statutes operate in parallel, not sequentially. California regulators and California plaintiffs are squeezing the same architecture from two sides at once, though that pressure may ease if SB 690 is enacted, as it would exempt conduct taken for a commercial business purpose, including activity already subject to CCPA opt-out rights, from CIPA civil liability.
A risk-based approach to CIPA compliance
The Mintz ruling changes one element of the analysis but does not eliminate the need for a deliberate response to CIPA risk. What it changes is the starting point: privacy programs should be calibrating their response to the actual exposure, not the worst-case theoretical exposure, and not reflexively defaulting to the most restrictive configuration without examining whether that posture fits their situation.
Some legal associations and firms continue to recommend implementing explicit consent (opt-in) banner configurations to manage wiretap litigation risk. Opt-in is the most conservative technical response, and for some organizations with high-sensitivity data or heavy use of scrutinized trackers, it may be the right choice. But implementing opt-in for California has real business implications, particularly for marketing operations, and the right decision depends on a company’s specific fact pattern. The key is that businesses first need to assess the risk and business implications rather than just going opt-in for California. TrustArc recommends the following seven-step risk-based approach:
- Verify that your cookie banner is working properly. Even if you use a third-party consent management platform like TrustArc’s CCM, you need to verify it is operating as configured. A monthly verification check is a reasonable cadence for most organizations.
- Ensure that tags are being controlled. When testing your banner, verify that your tag manager is blocking non-essential trackers until appropriate permissions are obtained from the user. If you don’t have a tag manager in place, consider implementing one and reviewing TrustArc’s Tips for Configuring Trackers and Honoring Preferences to ensure necessary measures are in place.
- Determine whether highly scrutinized trackers are being used on your website. Trackers set by LinkedIn, Meta, and TikTok have come under greater regulatory scrutiny due to their extensive data collection practices, including collection of sensitive data without consent. Know which of these are present in your environment.
- Know what type of data is being collected through highly scrutinized trackers. Determine whether the data captured through these trackers is sensitive, or whether sensitive information can be inferred from the data being collected. The sensitivity of the underlying data is a key input to the risk analysis.
- Weigh the risk and reward of using highly scrutinized trackers. Work with your stakeholders to understand the benefit (to both your business and your users) of utilizing scrutinized trackers. The business benefit should not outweigh the risks to users, especially where your site’s content and the information collected or inferable is sensitive.
- Discuss legal and risk positions with internal stakeholders and potentially outside counsel. Moving to explicit consent (opt-in) for certain categories of advertising tracking is a significant business decision that needs to be made with relevant business stakeholders involved. The Mintz ruling and the current state of SB 690 should both factor into that conversation.
- Engage suitable outside counsel if a CIPA demand letter or litigation threat is received. Not all plaintiffs and parties sending CIPA demand letters are the same, and they take different approaches. Suitable counsel will know who the players are, how to respond, and whether settling is appropriate in your specific situation.
The Key Point: While there is tension between CIPA and CCPA requirements, businesses need to assess risk and business implications rather than reflexively going opt-in for California. The Mintz landmark ruling helps change that analysis. The starting point is understanding your actual exposure, not assuming the worst case.
The defense is technical, not legal
Regardless of which consent configuration a company ultimately adopts, CIPA defense is not a documentation exercise. A privacy policy describing how you handle data, however well written, does not satisfy the statute’s prior-consent requirement. A consent management platform deployed but improperly configured does not satisfy it either. The Federal Bar Association’s 2026 CLE on “Cookie Banner Wiretapping Litigation and Consent Management Platform Failures” makes this point in its title: the dominant defendant fact pattern is no longer the absence of a consent banner. It is a banner that does not actually defend.
What a CIPA-defensible consent program requires is operational: tag governance that blocks non-essential third-party scripts until consent is captured, geolocation-aware rules that apply California’s stricter standard to California user sessions, an audit trail that records each consent event with timestamp and identifier, and an honoring mechanism for Global Privacy Control and similar signals. The banner is the user-facing surface of all of this work. The actual defense lives in the integration between the banner, the tag manager, and the consent log.
Most existing implementations have gaps in at least one of these areas. A live review of an actual production site in incognito mode, with developer tools active, will surface most of them quickly.
What to do this quarter
If you are a privacy officer, general counsel, or senior compliance lead reading this, three things deserve calendar time in the next 60 days.
First, correct the doctrinal misconception inside your own organization. Make sure your operators, your marketing team, your engineering leads, and your outside counsel all understand that CCPA compliance is not a CIPA defense. The cost of internal confusion on this point is measured in months of unprotected exposure.
Second, conduct a tag inventory and a consent-gating audit on your live production environment. Not a desktop review of your tag management system, an actual observation of what fires when a user lands on the page from a California IP without interacting with the banner. The findings will tell you what your real exposure is.
Third, document the operational state of your consent program in a form that can be produced in litigation. Per-session consent logs, banner version history, geolocation rule configurations, and tag governance policies are not just compliance artifacts. They are settlement leverage when a demand letter arrives.
Closing
The CIPA exposure landscape did not appear in 2025. The legal theory has been live since 2022. The verdicts and settlements last year are not the beginning of the wave; they are the moment when the wave became too large to ignore. Privacy programs built around CCPA, GDPR, and international data transfer compliance were not designed with a 1967 California wiretapping statute in mind, and that is not a failure of those frameworks. It is a gap that requires its own layer of defense. The work of the next two quarters is to close that gap before the next round of suits names companies that thought they had already done the work.
The next post in this series walks through who is getting sued, what they had in place when the suit landed, and the patterns that emerge from the litigation record. The August post will give you a diagnostic framework you can run against your own site. The closing post in September will detail what a CIPA-defensible consent program actually looks like in production.
If you would like to see where your own consent posture stands right now, our Privacy Solutions Engineering team runs a complimentary Consent + Consumer Rights Review. A live walkthrough of your production site, with a written report following within five business days.