NU · neighbordoorsrecords over spin
Open in NU's Reading Room →

The CIPA "Wiretap" Shakedown: How a 1960s Phone Law Became a Meta-Pixel Lawsuit Machine Aimed at Small Business

A website cursor over a tracking pixel — the technology at the center of the CIPA lawsuit wave.

A California wiretapping law written for rotary phones is now being pointed at any website running a Meta Pixel or Google Analytics — and a handful of plaintiff's firms and "professional testers" are filing these by the dozen against small businesses that never spied on anyone. Here's how the racket works, what the courts have actually said, and the dead-simple way to be untouchable. Records over spin.

1. The law they're weaponizing

The California Invasion of Privacy Act (CIPA) — Penal Code §631 — was passed in 1967 to stop people from physically tapping telephone lines. It carries $5,000 in statutory damages per violation【1】. That per-head number is the whole engine: multiply it by every website visitor in a proposed class and the "exposure" gets scary fast, which is exactly the point.

Plaintiff's lawyers have repurposed it into a theory that goes like this: when your website loads a third-party tracking script — a Meta (Facebook) Pixel, Google Analytics, a TikTok pixel, Microsoft Clarity/Bing, or a session-replay tool — and that script sees a visitor's clicks while they're on your page, the third party is "wiretapping" the "communication" between the visitor and your site【2】【3】.

2. The volume game — this is the part that matters

This isn't a few careful cases. As of August 2025, roughly 1,500 CIPA lawsuits had been filed in 18 months【1】. The pattern is high-volume, copy-paste filings:

One attorney or one tester firing off 15, 17, 20+ cookie-cutter suits against local businesses in a single stretch is the documented shape of this thing — small shops that bought into "just add the Facebook Pixel for ads" and had no idea they'd painted a target.

3. What the courts have actually said (it's a mess — they admit it)

NU won't pretend the law is settled, because it isn't:

When the judges themselves are begging the legislature to fix the law, you know it's being stretched past what it was built for.

4. The fix that was supposed to end this — and stalled

California SB 690 would have excluded routine commercial website tracking from CIPA's reach — i.e., it would have shut the racket down. It failed to advance in 2025 and is now a "two-year bill," meaning the shakedowns continue in the meantime【1】. Worth watching, and worth passing.

5. How to actually be untouchable (the practical part)

You don't need a lawyer's retainer to take yourself out of the blast radius. In order of strength:

  1. Run no third-party trackers at all. No Meta Pixel, no GA, no TikTok/Bing/Clarity, no session replay. If the third party never sees the visitor, there's no "wiretap." This is the bulletproof option for a small site that isn't running paid ad campaigns.
  2. If you need analytics, use privacy-first first-party tools that don't ship visitor data to ad networks, and keep it first-party.
  3. If you must run a pixel, gate it behind a real consent banner — the tracker does not load until the visitor clicks "accept." Pre-consent firing is the exact thing the suits target.
  4. Post a plain privacy policy stating what you do and don't collect. "We do not use third-party advertising trackers and do not sell your data" is a strong, honest line when it's true.

NU's own house position, applied to every site we run: option 1. No pixels, nothing phoning home to an ad network. The cleanest defense against a wiretap claim is to genuinely not be tapping anyone's wire.

6. NU's bottom line

A 1967 anti-phone-tapping law is being aimed at corner businesses for running the same marketing tag the ad platforms told them to install. The courts are split and openly frustrated; the fix (SB 690) stalled; and in the gap, high-volume filers keep mailing five-figure settlement demands. The honest takeaway isn't panic — it's hygiene: know what loads on your site, kill the third-party trackers you don't truly need, gate the ones you do, and say so in writing. Do that and the shakedown has nothing to grab.

This is general information, not legal advice — if you've already gotten a demand letter, talk to a lawyer.

Sources

  1. Byte Back (Womble Bond Dickinson) — 2025 website-tracking litigation & enforcement update (volume, $5k/violation, SB 690 status) — bytebacklaw.com/2025/11/2025-update-website-tracking-litigation-and-enforcement/
  2. Fisher Phillips — court allows CIPA third-party pixel claim to proceed (Camplisson v. Adidas; the split) — fisherphillips.com/en/insights/insights/court-allows-cipa-claim-involving-third-party-pixels-to-proceed
  3. Duane Morris — district court rejects CIPA pixel lawsuit, sets higher standard — duanemorris.com/alerts/district_court_rejects_cipa_lawsuit_setting_higher_standard_privacy_plaintiffs_0825.html
  4. Traverse Legal — "Recycling Meta Pixel Plaintiffs": professional testers & high-volume CIPA shakedowns (Swigart, Tauler Smith) — traverselegal.com/blog/swigart-meta-pixel-cipa-shakedowns/
  5. Privacy World (Squire Patton Boggs) — California federal court calls the state wiretap act a "total mess," urges legislature to modernize — privacyworld.blog/2025/12/california-federal-court-urges-california-legislature-to-clean-up-total-mess-of-state-wiretap-act-dismisses-claim-for-website-tracking/

NU original — practical analysis of the public record and published court rulings. The law here is genuinely unsettled and the cases are split; this explains the pattern and the hygiene that removes your exposure. It is not legal advice.

NU original — sourced analysis of the public record. Read it in the interactive Reading Room, or browse more at neighbordoors.com.

Transparency: NU articles are AI-assisted and editor-reviewed, built from the cited primary sources. We label what's proven, alleged, and opinion.