California Labor & Employment Law Blog
Navigating CIPA: Recent Court Decisions and Potential Legislative Reform
Apr 28, 2025


Topics: Court Decisions, Privacy

Companies doing business in California continue to face a surge in privacy-related complaints and lawsuits under the California Invasion of Privacy Act (CIPA), a 1960s-era law designed to prevent unlawful telephone wiretapping. Plaintiffs are increasingly applying CIPA to attack modern web tracking practices, including the use of cookies, pixels, and session replay tools that monitor user activity on websites. The CIPA plaintiffs are suing both web hosts and the companies that use them for communications and advertisements. California State Senator Caballero aims to correct the statute.

The U.S. District Court for the Northern District of California gave businesses welcome news on April 17, 2025. In a key summary judgment decision, the court significantly narrowed the scope of CIPA liability, holding that claims under the statute require evidence that a party—or third party—actually read or attempted to read the contents of a user’s communication while in transit.

CIPA is a broad statute with growing application in the digital context. Plaintiffs now commonly allege that companies or their vendors use tracking technologies to capture user behavior without proper consent. A central focus of these claims is the use of “session replay” software, which records user interactions—such as clicks and time spent on certain content—in a format resembling a real-time video playback.

Torres v. Prudential Financial, Inc., a class action, alleged that Prudential and its third-party vendor, ActiveProspect, violated CIPA by collecting and replaying users’ interactions with Prudential’s website without their consent. Prudential’s site allowed users to request life insurance quotes, and ActiveProspect provided related software services that included session replay technology. Plaintiffs argued this amounted to unauthorized interception of communications.

The defendants moved for summary judgment, arguing that CIPA only applies when a party willfully and without consent reads or attempts to read the content of a communication while in transit. The court agreed, holding that because ActiveProspect did not read or try to read the contents of the communication while in transit, CIPA liability did not apply—even if data was collected during the session. In other words, it was not enough to show that a third party could or might read the communications while they were in transit.

This ruling marks a significant victory for businesses facing CIPA litigation, particularly those using common marketing and analytics tools. However, it also provides a roadmap for future litigants to attempt to get past summary judgment. And, as CIPA’s interpretation remains in flux, companies should take proactive steps to reduce legal risk. These include:

  • Providing clear and conspicuous user notices
  • Reviewing and updating privacy policies and terms of use
  • Considering the inclusion of class action waivers

The California Consumer Privacy Act (CCPA) was created to address modern consumer concerns over personal information. The CCPA also provides consumers with a private right of action. However, the CCPA carries much lower statutory penalties than CIPA’s potential $5,000-per-incident penalty.

The best cure to end CIPA litigation is a legislative solution. On February 24, 2025, California State Senator Caballero conducted recent business roundtables and authored Senate Bill 690, targeted at ending abusive lawsuits under CIPA based on the use of cookies and other online technologies. SB 690 is now scheduled to be heard by the Senate Public Safety Committee on April 29, 2025.  

CDF’s Privacy Practice Group will continue to monitor developments related to privacy issues, CIPA, CCPA, CPRA and the California Privacy Protection Agency’s enforcement actions. Please contact a member of CDF's Privacy Practice Group (Dan Forman, Linda Wang, or Dalia Khatib) to discuss compliance with privacy laws, any investigation by the California Privacy Protection Agency, or any questions about CIPA, CCPA and CPRA. Our Privacy Practice Group is available to assist with policies, notices, general compliance for employers, and the defense of investigations and litigation.

About CDF

For more than 30 years, CDF has distinguished itself as one of the top employment, labor and immigration firms in California, representing employers in single-plaintiff and class action lawsuits and advising employers on related legal compliance and risk avoidance. We cover the state, with five locations from Sacramento to San Diego.


About the Editor in Chief

San Diego Associate Attorney. Taylor has experience defending employers of all sizes in employment-related claims regarding wrongful termination, discrimination, harassment, retaliation, and employment-related tort and contract claims. Taylor also has experience defending management in wage and hour class actions and PAGA representative actions. Taylor is a member of the Lawyers Club of San Diego and received her Juris Doctor from the University of San Diego School of Law, where she was a member of the Student Bar Association, Employment and Labor Law Society, Business Law Society, and Women’s Law Caucus.

CDF Labor Law LLP © 2025
