The Surge of California Invasion of Privacy Act Class Actions Against Chatbots, Trackers, and Session-Replay Tools
Mason & Perry LLP | May 18, 2026
The next time you type a question into a customer-service chatbot, share your symptoms with a healthcare website, or simply move your cursor across a retailer’s product page, ask yourself: who else is in the room? Increasingly, the answer is a third-party software vendor whose only job is to record everything you do — your keystrokes, your clicks, your hesitations, sometimes even your typed-but-deleted messages. A growing wave of class actions argues that California law makes that quiet observation illegal. And courts have started to agree.
A 1967 Statute Meets the Modern Web
The California Invasion of Privacy Act, codified at Cal. Penal Code §§ 630–638.55, was enacted in 1967 to make California one of the strictest states in the nation on electronic eavesdropping. Two of its sections do most of the work in modern litigation. Section 631(a) prohibits any person from using a “machine, instrument, or contrivance” to read or learn the contents of a communication “in transit” without the consent of all parties; courts have repeatedly held that a third-party vendor embedded in a website may “read in transit” what a visitor types into the site. Section 632 separately prohibits the recording of “confidential” communications without all-party consent.
The penalties make CIPA a class-action magnet. Section 637.2 provides $5,000 per violation — or three times actual damages, whichever is greater — to anyone whose communications were intercepted. In a class case involving even modest traffic, the exposure can run into the hundreds of millions of dollars.
The “Pen Register” Theory — A New Angle for Plaintiffs
The most consequential development of the past two years has come from a different corner of CIPA: section 638.51, which forbids the installation or use of a “pen register” or “trap and trace device” without a court order. Pen registers historically recorded the numbers dialed from a telephone — the addressing information, not the content of a call. Plaintiffs now argue that web-tracking technologies like the Meta Pixel, the TikTok Pixel, Google Analytics, and the “fingerprinting” scripts sold by data brokers function as digital pen registers: they silently collect identifying information — IP address, device ID, URL parameters, and the user’s pattern of activity — and transmit it to third parties.
In Greenley v. Kochava, Inc., the Southern District of California allowed a § 638.51 pen-register claim to proceed against a mobile-app data broker. Federal courts in California have since divided on the theory — some have rejected it as a strained application of a phone-era statute, while others have allowed similar claims to proceed past the pleadings stage and into discovery. Either way, the theory has fueled hundreds of new filings.
Where the Litigation Stands
Three categories of CIPA suits have dominated dockets in 2025 and early 2026. The first category is chatbot and live-chat wiretapping cases, in which plaintiffs allege that websites using third-party chat vendors (such as Salesforce, LivePerson, and Zendesk) silently transmit the contents of consumer chat conversations to those vendors in real time, in violation of § 631. The Ninth Circuit’s decision in Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023), held that retroactive consent embedded in a terms-of-service banner is generally insufficient — the visitor must agree before the conversation begins.
The second category is session-replay class actions. “Session replay” tools record every cursor movement, scroll, and keystroke on a webpage and reconstruct the session as a video. Multiple courts have held that the contents of a form a user types — even if the user never hits “submit” — qualify as a “communication” under § 631.
The third category is pixel and tracker pen-register cases. Suits under § 638.51 target the deployment of Meta Pixel, TikTok Pixel, and similar trackers on websites that handle sensitive information — including healthcare portals, tax-preparation sites, and mental-health platforms — where the URL parameters and click data alone can reveal protected categories of information about the user.
What’s at Stake for Consumers — and for Companies
For consumers, CIPA represents one of the few statutes that does not require proof of identity theft, fraud, or financial harm before a case can move forward. The statutory $5,000 per-violation damages reflect a legislative judgment that interception itself is the harm. That is why a California resident who simply visited a website running an undisclosed tracker may be a member of a class without ever realizing anything went wrong.
For companies, the litigation has shifted from a niche concern to a board-level risk. Modern websites typically rely on dozens of third-party scripts — analytics, advertising, fraud prevention, customer support, accessibility, and A/B testing. Each script is a potential CIPA exposure. The defense most often offered — that visitors agreed to a privacy policy linked from a footer — is precisely the consent theory the Ninth Circuit rejected in Javier.
Federal courts outside California have begun to grapple with parallel theories under state laws in Pennsylvania, Massachusetts, Florida, and Illinois. The trend lines all point in one direction: the era of “set it and forget it” third-party scripts is ending.
What You Can Do to Protect Yourself
Look for tracking-script disclosures before you type. Reputable sites disclose their use of trackers in a clear banner before you start a chat or fill out a form. If the only disclosure is a hyperlink to a privacy policy buried in the footer, that may itself support a CIPA claim.
Use browser tools to see who is listening. Free browser extensions such as Ghostery, Privacy Badger, and uBlock Origin will show — and block — many of the third-party trackers running on a page. If you see Meta Pixel, TikTok Pixel, or a session-replay vendor on a healthcare, financial, or other sensitive site, that is meaningful information.
Know your California rights. If you are a California resident and you used a website that secretly transmitted your chat messages, form entries, or browsing details to a third party, you may have a claim under CIPA without ever needing to show financial harm.
Document what you saw. Save screenshots of the website, the chat transcript, and any cookie or tracker banners that did (or did not) appear. The central question in this litigation is what the user actually saw and agreed to before the interception began.
Mason & Perry LLP represents individuals and groups in privacy and consumer-protection class action litigation. If you believe a website intercepted or transmitted your communications without proper consent, contact us to discuss your options.