The California Invasion of Privacy Act (CIPA) is an older privacy law that was passed to protect California residents from wiretapping and eavesdropping on landline phones. Modern courts have argued that the law could be interpreted to cover certain forms of third-party technology, such as internet session software and chat boxes, and there have been an increasing number of class action lawsuits targeting businesses that use this technology without consumer consent.
This article explains what the CIPA is, who it applies to, how to comply with its requirements, who enforces the law, and the penalties for noncompliance.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. What is the California Invasion of Privacy Act (CIPA)?
- 2. Who Does the California Invasion of Privacy Act (CIPA) Apply to?
- 3. Who is Exempt From the California Invasion of Privacy Act (CIPA)?
- 4. What Does the California Invasion of Privacy Act (CIPA) Require From Businesses?
- 4.1. Communicating Via Phone or Internet
- 4.2. Using Pen Register or Trap and Trace Devices or Processes
- 5. How Do You Comply With the California Invasion of Privacy Act (CIPA)?
- 5.1. Get Consent
- 5.2. Inform Users if You Share Communications With Third Parties
- 6. Who Enforces the California Invasion of Privacy Act (CIPA)?
- 7. What are the Penalties for Noncompliance With the California Invasion of Privacy Act (CIPA)?
- 8. Summary
What is the California Invasion of Privacy Act (CIPA)?
California Invasion of Privacy Act (CIPA) is a statute within California's Penal Code that was originally designed to protect California residents from third-party eavesdropping on landline phone calls. It made wiretapping (using a third party to monitor a conversation) and recording communications with California residents illegal.
As technology has evolved, CIPA has been used to ensure that businesses get consent from California residents before recording calls made via cell phone or online platforms (such as Zoom or Skype).
California Invasion of Privacy Act (CIPA) can apply to all sorts of communications, including phone calls and online interactions with California residents.
While CIPA was passed before the online tracking tools that many businesses use even existed, a slew of lawsuits have recently been filed under the law, claiming that the use of certain tracking technology - such as cookies and pixels - constitutes a violation of CIPA.
Section 630 of CIPA explains that the law was created to protect California residents from eavesdropping:
Who Does the California Invasion of Privacy Act (CIPA) Apply to?
California Invasion of Privacy Act (CIPA) applies to any business that communicates with residents of California, regardless of where the company is located.
CIPA originally applied to businesses that made phone calls to California residents' landlines, but now can apply to businesses that engage in any form of communication with California residents, including cell phone and online communications.
California Invasion of Privacy Act (CIPA) can even apply to tracking or recording software, including session-replay software, internet session analytics software, and chatbots, as the use of these tools via a third-party vendor without user consent could be considered a form of eavesdropping under the law.
That means that if you have a website that a resident of California can visit, you may potentially be subject to the law.
Section 632 of CIPA explains that any individual, business, or entity who eavesdrops or records a confidential communication with a California resident without their consent can face financial penalties and imprisonment:
Who is Exempt From the California Invasion of Privacy Act (CIPA)?
Entities that are exempt from the CIPA include public utilities and correctional facilities.
California Invasion of Privacy Act (CIPA) does not apply to:
- Public utilities (and their employees) that provide communications services or facilities for construction, maintenance, conduct, or operation purposes
- The use of instruments, equipment, facilities, or services in accordance with public utility tariffs
- Telephone communication systems that are used exclusively within a correctional facility
Section 632 (e) of CIPA explains that it does not apply to public utilities and their employees and telephone systems that are used within correctional facilities:
What Does the California Invasion of Privacy Act (CIPA) Require From Businesses?
California Invasion of Privacy Act (CIPA) requires businesses to get consent before engaging in communications (including via phone and internet) with California residents, and to refrain from using pen register or trap and trace devices without consent.
Communicating Via Phone or Internet
CIPA says that anyon who does the following can be punished under the law:
...willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above...(Section 631 (a) of the California Penal Code)
That means that any businesses that engage in any form of communication with California residents - including using tracking tools for advertising and analytics purposes or internet session software to enhance customer experience - should ensure that they get consent from customers.
You should get consent from California residents before communicating with them, whether that communication takes place via a phone call or through a website interaction.
Section 631 (a) of CIPA explains that businesses must get consent from California residents before recording or eavesdropping on their communications:
Using Pen Register or Trap and Trace Devices or Processes
Businesses subject to California Invasion of Privacy Act (CIPA) are not allowed to install or use a pen register or trap and trace device or process unless they get user consent or have a court order, except to:
- Operate or test a wire or electronic communications service
- Protect the provider's property or rights
- Protect users from abuse or illegal use of the service
- Record the initiation or completion of a wire or electronic communication being used to protect the provider or users of the service
Section 638.50 of CIPA defines a pen register as "a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication."
A trap and trace device is defined as "a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of the communication."
In simplified terms, a pen register records outputs, while a trap and trace device records incoming information.
Recent lawsuits have argued that cookies and other location tracking and analytics software count as a pen register under the law, as their function is to monitor interactions between users and websites.
In the Greenley v. Kochava, Inc lawsuit, the court ruled that "...software that identifies consumers, gathers data, and correlates that data through unique 'fingerprinting' " falls under CIPA's definition of a pen register.
Section 638.51 of CIPA explains that businesses cannot install or use pen registers or trap and trace devices without a court order unless they get the user's consent or are using the devices for approved purposes:
How Do You Comply With the California Invasion of Privacy Act (CIPA)?
To comply with California Invasion of Privacy Act (CIPA) you should:
- Get consent from users before accessing their personal information or engaging in communications, and
- Disclose whether you share their communications with any third parties
Let's take a deeper look at the steps you can take to comply with CIPA.
Get Consent
One effective way to get consent is to use a consent mechanism. A consent mechanism should be easily accessible, simple to use, and should enable users to indicate their consent choices before they use your website or services.
You should use consent mechanisms to get consumer consent wherever you collect their personal information, engage in communications, or use tools or software that could be interpreted as wiretapping, eavesdropping, or forms of communication under the CIPA.
It's a good idea to place consent mechanisms alongside links to your legal agreements such as a Privacy Policy or Terms and Conditions agreement. That way you are enabling users to learn more about how you intend to use their personal information or access or disclose their communications before they make a consent decision.
One of the most effective consent mechanisms is an "I Agree" checkbox - a statement that users agree to by clicking a checkbox to get consent to their legal agreements.
Common places to put consent mechanisms such as an "I Agree" checkbox include:
- Account creation or login pages
- Ecommerce checkout pages
- Within a Cookie Notice (a pop-up banner that explains how you use cookies and how users can opt out of cookies or adjust their cookie preferences)
- Within a chat box
Here are a few examples of where you might put consent mechanisms.
Farmers Only includes a clickwrap agreement on its account sign-up page so that users have to indicate that they are over the age of 18 and consent to its Terms of Service agreement before using its services:
Lowe's uses consent statements under the Contact Information form and Place Order button on its checkout page to explain that by taking the actions of entering their phone number and placing an order, users are signifying that they agree to its Terms agreements and Privacy Statement:
Ace Hardware's Cookie Notice pops up as soon as users visit its website, enabling them to make a consent choice and adjust their cookie preferences before navigating its website:
Inform Users if You Share Communications With Third Parties
To ensure compliance with CIPA, you should make sure you put a disclosure within your website's chat box, particularly if it is supplied by a third party.
You should disclose that a third-party vendor may have access to chat box communications so that consumers have the opportunity to consent to the sharing of their messages with third parties before they use your chat box.
Rocket Mortgage includes a disclosure in its chat box informing users that it uses a third party to monitor and record its chat box messages:
By clicking on the Privacy Policy link, users can learn about the circumstances in which Rocket Mortgage shares their personal information, including with third-party vendors:
Who Enforces the California Invasion of Privacy Act (CIPA)?
California Invasion of Privacy Act (CIPA) is enforced by the California Attorney General.
Section 638.55 (b) of CIPA explains that the Attorney General can require any government entity to comply with CIPA:
What are the Penalties for Noncompliance With the California Invasion of Privacy Act (CIPA)?
Anyone found in violation of California Invasion of Privacy Act (CIPA) can face penalties of up to $2,500 per violation and even jail time. Repeat offenders can be fined up to $10,000 per violation, plus up to one year in state prison.
Any third parties who intentionally disclose telegraphic or telephonic communications can face a fine of up to $5,000 and up to one year of jail time.
California residents also have the right to bring civil action against businesses that violate CIPA, for the greater amount of either $5,000 per violation, or three times the amount of actual damages.
A business can be found in violation of the law if any of the following are true:
- The business intentionally eavesdropped or recorded a communication via an electronic device
- The California resident was not informed that the communication was being recorded or eavesdropped on
- The business did not get consent to record the communication, or
- The California resident was harmed by the business that illegally eavesdropped or recorded the communication
Section 632 (a) of the CIPA explains that anyone who intentionally eavesdrops or records a communication with a California resident without getting consent can receive financial penalties as well as imprisonment:
Section 637 of CIPA explains that third parties who share California residents' telegraphic or telephonic communications without authorization are also subject to the CIPA, and can face fines of up to $5,000:
Furthermore, businesses subject to CIPA can face fines and jail time if they install or use a pen register or trap and trace device or process without a court order or user consent.
Section 638.51 of CIPA explains that businesses may not use a pen register or trap and trace device or process without obtaining a court order or getting user consent and that anyone found in violation of the law can face fines of up to $2,500 per violation and/or up to one year in jail:
Finally, California residents can bring civil action against businesses that violate CIPA for the greater amount of either:
- $5,000 per violation, or
- Three times the amount of actual damages
This means that any company that runs a website that is accessible to California residents needs to get consent before communicating with them or collecting or disclosing their personal information, or else run the risk of getting hit with costly lawsuits.
Section 637.2 of CIPA explains that California residents can bring action against violating businesses for either $5,000 per violation or three times the amount of actual damages:
Summary
California Invasion of Privacy Act (CIPA) is a privacy law that was originally designed to protect California residents from wiretapping and eavesdropping. As technology has evolved, the law has been interpreted to apply to internet server session software, session analytics software, and chatbots.
California Invasion of Privacy Act (CIPA) can apply to any business that communicates with California residents (either via phone or through the internet), regardless of where the company is based. It does not apply to public utilities and corrections facilities.
California Invasion of Privacy Act (CIPA) requires businesses to get consent from California residents before communicating with them and to disclose whether they share communications with third parties.
One of the best ways to comply with CIPA is to get consent from California residents by using consent mechanisms. An "I Agree" checkbox is an effective consent mechanism that requires users to signal their consent choices. Consent mechanisms can be used anywhere a website collects personal information such as on account creation or ecommerce checkout pages and within Cookie Notices.
You should also include a disclaimer within your chat box if you use a third-party vendor to monitor your chat box.
CIPA is enforced by the California Attorney General. Anyone found in violation of the CIPA can face penalties of up to $5,000 per violation and jail time. Repeat offenders can receive fines of up to $10,000 per violation and prison time.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.