Executive Summary
California Invasion of Privacy Act (CIPA) litigation has emerged as one of the most active and financially significant fronts in privacy class action practice. Driven by the proliferation of third-party tracking technologies embedded across commercial websites, CIPA § 631 and § 632.7 claims have created a robust and expanding docket of cases targeting some of the largest enterprises in the United States.
Key takeaway for plaintiff attorneys: The Ninth Circuit's 2025 ruling in Mikulsky v. Bloomingdale's LLC revived session replay CIPA claims on an aiding-and-abetting theory, while Torres v. Prudential Financial, Inc. clarified the limits of the "in transit" requirement. Meanwhile, SB 690 — the bill that would have carved out "commercial business purpose" from CIPA liability — stalled in the California Assembly and is now a two-year bill with uncertain prospects. The window for filing remains open, but the legislative landscape bears close monitoring.
This analysis examines the current state of CIPA litigation, identifies the strongest filing strategies, evaluates motion-to-dismiss risks with reference to specific recent holdings, and provides a forward-looking assessment of where this practice area is heading.
Definition
CIPA § 631 Definition
The California Invasion of Privacy Act (CIPA), California Penal Code § 631, prohibits the intentional wiretapping, eavesdropping upon, or recording of confidential communications without the consent of all parties. In digital privacy litigation, CIPA § 631 is applied to third-party website tracking technologies — such as pixels, session replay tools, and advertising scripts — that intercept user communications and transmit them to third parties. Violations carry statutory damages of $5,000 per violation under § 637.2, injunctive relief, and attorney's fees.
Legal Background: CIPA § 631 and the Wiretap Framework
Key Insight: CIPA liability requires a third-party interception — the website operator's own data collection is not actionable. The winning theory frames the operator as aiding a third party's independent wiretap.
CIPA § 631 prohibits the intentional wiretapping or eavesdropping on confidential communications. Originally enacted in 1967 to address telephonic surveillance, the statute has been successfully adapted by plaintiff attorneys to challenge the deployment of third-party tracking technologies on websites — arguing that these tools intercept visitor communications in real time and transmit them to third parties without adequate consent.
The critical statutory element for plaintiff strategy is the third-party interception requirement. CIPA does not prohibit a website operator from collecting its own visitor data. Rather, it targets scenarios where a third party — such as Meta, Google, a session replay vendor, or an advertising network — receives the communication contemporaneously with its transmission. This distinction is what makes the presence of third-party JavaScript tags, pixels, and SDKs on defendant websites the factual foundation of nearly every CIPA digital privacy claim.
Section 632.7, which addresses the interception of cellular and cordless telephone communications, has also seen increased application in the context of voice assistant and chatbot interactions on mobile devices. Additionally, sections 638.50–638.51 — the pen register and trap-and-trace provisions — represent a newer litigation theory alleging that certain tracking tools capture routing or signaling information. Courts remain divided on this theory, but several complaints filed in late 2025 included pen register claims alongside traditional § 631 allegations.
Violations of CIPA carry statutory damages of $5,000 per violation under § 637.2, injunctive relief, and reasonable attorney's fees. In a class context, the per-violation calculation can generate aggregate exposure in the hundreds of millions of dollars — a damages framework that has made CIPA one of the most economically significant privacy statutes for plaintiff-side litigation.
Litigation Trends: The 2025–2026 Landscape
Key Insight: Mikulsky v. Bloomingdale's (9th Cir. 2025) revived session replay claims on an aiding-and-abetting theory. Torres v. Prudential (N.D. Cal. 2025) established limits: data must be readable in transit, not just after storage.
CIPA filings accelerated significantly through 2025 and into early 2026. Hundreds of cases have been filed over the past three years, and the pace shows no sign of slowing.
The Meta Pixel litigation wave established a viable and replicable claim template. Dozens of cases filed against healthcare providers, financial institutions, and e-commerce platforms alleged that the Meta Pixel transmitted sensitive browsing data — including page URLs indicating health conditions, financial activity, and purchase history — to Meta without user consent. Several of these cases produced eight-figure settlements, signaling to the plaintiff bar that CIPA claims carry meaningful economic value.
The session replay and keystroke logging theory has matured into a distinct sub-practice. The Ninth Circuit's July 2025 ruling in Mikulsky v. Bloomingdale's LLC was a watershed: the court reversed the district court's dismissal and held that the complaint stated sufficient facts to allege that Bloomingdale's aided and conspired with session replay code providers to intercept communications in violation of § 631(a). The court specifically found that the plaintiff alleged real-time capture of the contents of communications — not merely information about the characteristics of those communications. Companies deploying tools like FullStory, Hotjar, Microsoft Clarity, and Mouseflow now face heightened CIPA exposure.
However, the landscape is not uniformly favorable. In Torres v. Prudential Financial, Inc. (N.D. Cal., April 2025), the court granted summary judgment for defendants on a session replay claim, holding that the data captured by ActiveProspect's software did not become readable content until after storage and reassembly — failing the "in transit" requirement of § 631. And in Thomas v. Papa John's International Inc., the Ninth Circuit affirmed dismissal, ruling that Papa John's, as a party to the communications, could not be liable for eavesdropping on its own conversation — underscoring the importance of properly pleading the aiding-and-abetting theory rather than a direct liability claim.
Settlement economics remain favorable for plaintiffs. Defendants face statutory damages of $5,000 per violation under § 637.2, and the per-violation calculation in a class context has driven pre-certification settlements in the $5M–$50M range. The volume of pre-litigation demand letters — many of which resolve before filing — suggests the total economic impact of CIPA claims significantly exceeds what is visible on public dockets.
Plaintiff Strategy: Building Strong CIPA Section 631 Claims
The strongest CIPA § 631 class action claims share four characteristics that plaintiff firms should prioritize during case evaluation and selection.
Identifiable Third-Party Recipients
Claims are strongest where the intercepting third party is clearly identifiable — Meta, Google, TikTok, a named session replay vendor — and the data flow can be technically demonstrated. After Thomas v. Papa John's, it is critical to frame the claim as aiding-and-abetting (the website operator aiding a third party's interception) rather than direct wiretapping by the website operator itself.
Sensitivity of Intercepted Data
While CIPA does not require the communication to be sensitive, claims involving health-related browsing (hospital and telehealth sites), financial data (banking portals, insurance applications), and employment information consistently produce stronger settlement outcomes. Targeting defendants in healthcare, financial services, and insurance creates favorable factual profiles.
Technical Evidence as a Differentiator
Firms that invest in forensic analysis of defendant websites — network traffic captures showing HTTP requests to third-party domains, JavaScript source analysis revealing data collection scope, and cookie/local storage analysis — develop stronger evidentiary foundations than those relying solely on privacy policies and cookie disclosures.
Anticipate Consent Defenses at Filing
Defendants consistently argue that visitors consented through cookie banners, privacy policies, or terms of service. The strongest plaintiff position identifies specific deficiencies: banners that appear after tracking has already initiated, opt-out mechanisms that fail to disable third-party scripts, and privacy policies that do not specifically disclose the third-party interception at issue. Post-Mikulsky, the argument that a vendor's "masking" of text fields prevents interception has been substantially weakened.
Motion-to-Dismiss Risks and Defense Strategies
Key Insight: Plead aiding-and-abetting, not direct liability. File in California state court to avoid Article III standing disputes. Evaluate arbitration clauses during case selection.
Plaintiff firms should anticipate several recurring defense arguments at the motion-to-dismiss stage.
Standing remains contested in federal court. While the Ninth Circuit has moved toward recognizing CIPA violations as concrete injuries sufficient for Article III standing, defendants continue to argue that mere data collection without downstream harm is insufficient. The Supreme Court's evolving standing jurisprudence following TransUnion v. Ramirez continues to create uncertainty in the federal forum. State court filings avoid this issue entirely and remain the preferred venue for most CIPA claims.
The party exception is the most significant substantive defense. CIPA § 631(a) contains an exception for parties to the communication. Thomas v. Papa John's established clearly that a website operator, as a party to the communication, cannot be directly liable for eavesdropping. The winning plaintiff theory — confirmed by Mikulsky v. Bloomingdale's — is the aiding-and-abetting theory: the operator aided a distinct third party's independent interception. Complaints must be pleaded accordingly.
The "in transit" requirement presents a technical defense. Torres v. Prudential demonstrates that defendants can win on the argument that session replay data is not "read" in transit but only becomes readable after storage and reassembly. Plaintiff firms must develop evidence showing that the third-party tool reads or accesses communication contents during transmission, not merely after the fact.
Arbitration clauses in website terms of service present a practical risk. Defendants increasingly move to compel arbitration based on browsable terms or clickwrap agreements. A successful arbitration motion effectively defeats class treatment. Firms should evaluate the enforceability of the defendant's arbitration clause during case selection, and consider whether mass arbitration (see our analysis of mass arbitration versus class actions in privacy cases) may be an alternative strategy where class treatment is unavailable.
Evidence Considerations: What Matters Most
Key Insight: Collect network traffic evidence before filing. Defendants frequently modify tracking implementations after litigation is initiated. Pre-filing forensic analysis is a practical necessity.
CIPA litigation is fundamentally a technical-evidence practice. The factual core of every case is the demonstration that a specific third-party technology intercepted a specific category of user data and transmitted it to a third-party server.
Network traffic captures showing HTTP requests from the defendant's website to third-party domains — with payload data visible — are the gold standard. These captures should be collected under controlled conditions, documented with timestamps and methodology, and replicated across multiple sessions to demonstrate consistency. After Torres v. Prudential, firms should specifically document evidence of real-time data reading during transmission, not merely post-transmission storage.
JavaScript source analysis of tracking scripts deployed on defendant websites can reveal the specific data fields collected, the triggering events, and the destinations of transmitted data. Many session replay vendors — FullStory, Hotjar, Microsoft Clarity, Mouseflow — have well-documented data collection practices that can be corroborated through their own technical documentation and marketing materials.
Cookie and local storage analysis supplements network traffic evidence by demonstrating the persistence of tracking across sessions and the identifiers used to link user activity to third-party profiles.
Critically, evidence should be collected before filing when possible. Defendants frequently modify their tracking implementations after litigation is initiated. Pre-filing forensic analysis is both a strategic advantage and a practical necessity for building the strongest possible evidentiary record.
Filing and Venue Strategy
California state courts remain the preferred venue for CIPA claims. State court filings avoid Article III standing challenges, benefit from California's generally plaintiff-favorable procedural rules, and access a judiciary familiar with the statutory framework.
Within California, Los Angeles and San Francisco superior courts have developed the most substantial CIPA dockets, and judicial familiarity with the tracking-as-wiretapping theory reduces the risk of adverse rulings based on unfamiliarity with the underlying technology.
Federal court filings may be appropriate where the plaintiff firm seeks to consolidate related claims or where diversity jurisdiction offers strategic advantages, but the standing risk should be carefully weighed. After Augustine v. Great Wolf Resorts, Inc. (S.D. Cal. 2024) — where the court held that keystrokes and mouse clicks do not constitute protected communications — firms filing in federal court should be prepared to distinguish their factual allegations from the Augustine holding.
Multi-defendant strategies — filing against both the website operator and the third-party tracking vendor — have gained traction and can create additional settlement leverage by dividing defense interests. The FullStory and ActiveProspect litigation demonstrates that naming the vendor as a co-defendant forces the vendor to defend its own product, often creating divergent defense strategies that benefit the plaintiff class.
Legislative Risk: SB 690 and CIPA Reform
The most significant non-litigation risk to CIPA privacy claims is legislative reform. SB 690, introduced in the California Senate in 2025, would have introduced a "commercial business purpose" carve-out that would substantially narrow CIPA's application to website tracking. The bill passed the California Senate unanimously but stalled in the Assembly and is now a two-year bill with potential review in 2026.
If enacted as drafted, SB 690 would exempt from CIPA liability personal information processed for common commercial purposes — potentially immunizing the exact tracking practices that current CIPA litigation targets. Plaintiff firms with active CIPA practices should monitor this bill closely, as its passage could materially affect both pending and future claims.
The stalling of SB 690 is itself a strategic data point: the bill's failure to advance suggests that the California legislature has not yet reached consensus on narrowing CIPA protections. For plaintiff firms, this extends the window of opportunity for filing under the current statutory framework.
Future Outlook: Where CIPA Litigation Is Heading
Several trends suggest that CIPA litigation will continue to expand and evolve through 2026 and beyond.
AI-powered chatbots and conversational interfaces are creating new interception surfaces. As companies deploy AI assistants on their websites — many powered by third-party LLM providers — the transmission of user inputs to third-party AI servers may give rise to a new generation of CIPA claims. The Ninth Circuit has already indicated receptiveness to applying CIPA to modern tracking technologies, and the chatbot theory extends that logic to conversational AI.
Cross-statute claims combining CIPA with the Video Privacy Protection Act (VPPA), the Computer Fraud and Abuse Act (CFAA), and state consumer protection statutes are becoming more common. For analysis of the VPPA landscape, see our coverage of VPPA claims against streaming platforms. Multi-count complaints increase settlement leverage and reduce the risk of complete dismissal on any single theory.
Regulatory enforcement by the California Attorney General's office, while separate from private litigation, creates additional pressure on defendants to modify their tracking practices — generating evidence of prior non-compliance that plaintiff firms can leverage in existing cases.
The pen register and trap-and-trace theory under CIPA §§ 638.50–638.51 remains an open frontier. While courts are divided, several 2025 complaints successfully included pen register claims alongside traditional § 631 allegations, and no appellate court has definitively foreclosed this theory.
The Koladin Perspective: Technology-Driven Detection at Scale
The scale of CIPA litigation opportunity is directly proportional to the scale of third-party tracking deployment across the commercial internet. Millions of websites deploy the scripts and pixels that give rise to CIPA claims, but identifying which deployments present the strongest combination of clear interception, sensitive data, weak consent mechanisms, and meaningful financial exposure requires systematic analysis that exceeds the capacity of manual review.
Koladin's detection infrastructure continuously analyzes website tracking deployments, consent mechanism implementations, and third-party data flows across industries and jurisdictions — identifying patterns of non-compliance that are not visible to attorneys reviewing individual websites. This includes widespread deployments of specific session replay tools with known interception characteristics, consent banner implementations that fail to prevent pre-consent data transmission, and industry-specific concentrations of vulnerable targets in healthcare, financial services, and insurance.
For plaintiff firms with established or emerging CIPA practices, systematic, technology-driven case detection represents a structural advantage: the ability to identify and evaluate litigation opportunities at scale, prioritize the highest-value matters, and move to filing with a stronger evidentiary foundation than traditional case origination methods provide.
Conclusion
CIPA litigation occupies a unique position in the privacy class action landscape: a mature statutory framework, favorable damages provisions, an expanding definition of protected communications, and a virtually unlimited supply of potential defendants deploying third-party tracking technologies. For plaintiff firms with the technical sophistication to prosecute these cases effectively, CIPA remains one of the most consistent and economically significant practice areas in contemporary class action work.
The firms that will capture the greatest value in this space are those that combine legal expertise with technological capability — identifying vulnerable tracking deployments at scale, building strong technical evidence before filing, properly pleading the aiding-and-abetting theory established by Mikulsky v. Bloomingdale's, and anticipating the defense strategies that Torres v. Prudential and Thomas v. Papa John's have made more predictable.
CIPA vs. Federal Wiretap Act: Comparison for Plaintiff Attorneys
Understanding the differences between California's CIPA and the federal Wiretap Act is critical for jurisdictional and claim strategy decisions.
| Factor | CIPA (Cal. Penal Code § 631) | Federal Wiretap Act (18 U.S.C. § 2511) |
|---|---|---|
| Statutory Damages | $5,000 per violation (§ 637.2) | Statutory damages or actual damages, whichever is greater |
| Intent Standard | Lower — no specific intent requirement for aiding-and-abetting claims | Requires intentional interception |
| Private Right of Action | Yes (§ 637.2) | Yes (18 U.S.C. § 2520) |
| Application to Digital Tracking | Broad — California courts have applied CIPA to pixels, session replay, chatbots | Narrower — federal courts more cautious about applying to website tracking |
| Party Exception | Yes — website operators as parties cannot be directly liable (Thomas v. Papa John's) | Yes — one-party consent exception under § 2511(2)(d) |
| Class Certification | Favorable in California state courts for tracking claims | More challenging due to standing and individualized consent issues |
| Preferred Venue | California state court (avoids Article III standing) | Federal court required for federal claims |
| Statute of Limitations | 1 year (CCP § 340(a)) with discovery rule | 2 years from date of violation or discovery (§ 2520(e)) |
Frequently Asked Questions
What is the statute of limitations for CIPA § 631 claims?
CIPA claims are subject to a one-year statute of limitations under California Code of Civil Procedure § 340(a). However, courts have applied the discovery rule in certain digital privacy contexts, potentially extending the filing window where the interception was not reasonably discoverable by the plaintiff.
Can CIPA claims be brought as class actions?
Yes. CIPA § 637.2 provides a private right of action with statutory damages of $5,000 per violation. Courts have certified classes in CIPA tracking cases where common questions — such as the deployment of a specific third-party script across all website visitors — predominate over individual issues.
What damages are available under CIPA?
CIPA § 637.2 provides statutory damages of $5,000 per violation, injunctive relief, and reasonable attorney's fees. In a class context, the per-violation calculation can produce exposure in the hundreds of millions of dollars, which drives significant settlement leverage.
What is the party exception defense under CIPA § 631?
CIPA § 631(a) contains an exception for parties to a communication. As the Ninth Circuit confirmed in Thomas v. Papa John's, a website operator that is a party to the communication cannot be directly liable for eavesdropping on it. The prevailing plaintiff theory is aiding-and-abetting: the operator aided a distinct third party's independent interception of the communication.
Does CIPA apply to session replay software?
Courts are split but the trend favors plaintiffs. In Mikulsky v. Bloomingdale's (9th Cir. 2025), the Ninth Circuit reversed dismissal and found sufficient allegations that session replay code captured the real-time contents of communications. However, in Torres v. Prudential (N.D. Cal. 2025), the court granted summary judgment where the data was not readable until after storage. The key factual question is whether the tool reads data in transit.
Can CIPA claims survive a motion to dismiss?
Yes, when properly pleaded. Post-Mikulsky, claims alleging that a website operator aided a third party's real-time interception of communication contents have survived motions to dismiss. Claims are most vulnerable when they allege direct liability by the website operator (foreclosed by Thomas) or fail to demonstrate that data was read in transit (as in Torres).
Does CIPA apply to AI chatbots on websites?
This is an emerging theory with significant potential. Where a website deploys a chatbot powered by a third-party AI provider, user inputs transmitted to the third party's servers may constitute interceptions under § 631. No appellate court has ruled on this theory, but the Ninth Circuit's willingness to apply CIPA to modern tracking technologies suggests receptiveness.
How does CIPA differ from the federal Wiretap Act?
CIPA provides broader protections. Unlike the federal Wiretap Act, CIPA does not require the same level of intentionality, California courts have been more receptive to applying wiretap concepts to digital tracking, and CIPA's $5,000 statutory damages provision provides a more favorable economic framework for class litigation than the federal statute.
What is SB 690 and how could it affect CIPA litigation?
SB 690 is a California bill that would introduce a 'commercial business purpose' exemption to CIPA, potentially immunizing common website tracking practices. The bill passed the Senate unanimously in 2025 but stalled in the Assembly. It is now a two-year bill that may be reviewed in 2026. If enacted, it could substantially narrow the scope of CIPA privacy claims.
What evidence is needed for a CIPA wiretapping claim?
The strongest evidence includes network traffic captures showing HTTP requests to third-party domains with payload data, JavaScript source analysis of tracking scripts, and cookie/storage analysis. Evidence should be collected before filing when possible, as defendants frequently modify tracking implementations after litigation begins. Pre-filing forensic analysis is both a strategic advantage and practical necessity.
Disclaimer: This article is provided for informational and analytical purposes only and does not constitute legal advice. The content reflects the views of Koladin's research team and should not be relied upon as a substitute for consultation with qualified legal counsel.