duda
Platform
BUILD HIGH-PERFORMING SITES
Website builder
Create beautiful websites at scale
ALL ESSENTIALS INCLUDED
AI Assistant
Boost your efficiency with built-in AI tools
SEO
Build sites that rank higher
eCommerce
Sell products online and offline
Transactional sites
Sell services, subscriptions, and more
ACCELERATE YOUR GROWTH
White label platform
Fully own your customer experience
Client management
Manage all of your projects in one place
Team collaboration
Invite staff and clients to work together
Client billing
Manage client payments hassle-free
Automation
Unlock efficiency with smart automations
EXPAND YOUR BUSINESS
App store
Drive recurring revenue with apps
The Simple Editor (DIY)
Simple interface for non-technical users
MORE FROM DUDA
Templates
Made with Duda
Accessibility
Solutions
DUDA FOR
Agencies
See why Duda is the top website builder for agency growth
SaaS
Add a seamless-integrated website builder to your SaaS offering
 
Hosts
Provide high-end website solutions integrated with your services
INDUSTRY CASE STUDIES
Real estate
Travel & Hospitality
Transportation
View all success stories
Resources
BUILD
Templates
Get started with beautiful templates
Developer portal
API, extensions, and developer tools
Hire an expert
Get expert help for your next project
CONNECT
Webinars & events
Learn from experts, online or in-person
Community
Collaborate with other Duda users
LEARN
Blog
Get insights to fuel your business
Product Updates
Discover Duda's latest releases
Duda University
Take your skills to the next level
Success Stories
Get inspired by real wins
GET HELP
Support portal
System health check
Pricing Enterprise
Contact sales
Do websites count as wiretapping? California law firms think so
BY Shawn Davis August 19, 2024
0 minute read

The information provided within this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available within this article are for general informational purposes only. The information herein should not be used upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author, who is not a legal professional. 


When most people imagine “wiretapping,” typically a website isn’t the first thing that comes to mind. You might be picturing a team of federal agents, ear to a headset, with a big tape recorder running in the background. What about a chatbot, though, or even a tracking pixel? Is that a form of wiretapping?


What is wiretapping?


Let’s take a look at the legal definition of wiretapping, as defined by the California Invasion of Privacy Act (CIPA). “Wiretapping” is defined by California Penal Code §631, according to the law firm Neal, Gerber, and Eisenberg, as “using a machine or instrument to intentionally make a connection via a line or cable to read or attempt to read the contents of a communication.”


This law also prohibits the use of both a “pen register” as well as “trap and trace” devices without explicit consent or a court order. The statute defines a “pen register” in §638.50 as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” A “trap and trace” device is similar, it records incoming impulses, electronic or other, that identify the originating signal information and, by extension, the reasonable identity of the source of that information—again without collecting the contents of that transmission.


In short, a “pen register” records phone numbers or “routing” information that is outgoing from a device, while a “trap and trace” device records incoming routing information. The key here is that the statue defines these devices as capturing “routing information” and not necessarily phone numbers.


That all sounds pretty vague, huh? It certainly is, and that’s where the problem arises.


Website owners are being sued for wiretapping


Last year, a Southern District of California District Court denied a motion to dismiss in Greenley v. Kochava, according to experts at Husch Blackwell. In this case, the plaintiff argued that the developer of a software development kit (SDK) has violated CIPA by including code that forwarded the location information of the user, unwittingly, to the developer. They argued this was tantamount to a “pen registry” or “trap and trace” device, in that it revealed the source of a particular communication, even if it didn’t reveal the communication itself.


Keep in mind that this bill was written in 1967, so this interpretation is quite a stretch from the original interpretation. However, there are plenty of creative law firms out there. Plaintiffs have filed hundreds, if not thousands, of individual and class action lawsuits in California courts asserting new, creative applications of CIPA to new technologies, according to lawyers at Nixon Peabody.


These aren’t shots in the dark, either! Plaintiffs are seeing some level of success in their suits—though not all of them.


In Licea v. Hickory Farms, courts rejected the notion that collecting a visitor’s IP address constituted an illegal pen register. So while simple analytics is probably safe from a CIPA suit, it isn’t exactly clear what technologies do constitute an illegal wiretapping. However, there are a few common victims.


Plaintiffs' attorneys are primarily bringing claims against businesses for their use of chatbots, website session replay technologies, and pixel tracking technologies, according to Bloomberg Law.


  • Chatbots are being likened to what CIPA considers as a “secret” wiretap that allows third parties to listen in on a conversation without the users’ consent.
  • Website session replay technology, like Microsoft Clarity, may, according to plaintiffs, allow website owners to eavesdrop on private conversations for use in targeted advertisements.
  • Pixel tracking, a common target of many privacy laws—including the recently passed Colorado Privacy Act may allow businesses to surreptitiously collect information about user interactions and behaviors.


Frankly, the merits of these lawsuits aside, these are technologies you should be concerned about from a privacy perspective anyway. Dozens of states have enacted increasingly stringent regulations governing the use of these technologies that are far clearer than this archaic interpretation of a decades old California law.


Yet, what makes this law so enticing for plaintiffs is the payout. CIPA claims can impose statutory damages of up to $5,000 in fines per violation. Since each visitor counts as a violation, even a desolate website with only a couple hundred visitors per month could see a hefty bill totalling nearly a million dollars.


CIPA has a long reach


Despite the name, you don’t necessarily need to be based on California to be impacted by the California Invasion of Privacy Act. 


Experts at BakerHostetler recommend businesses situated outside of California being faced with, or concerned about, a CIPA suit ask themselves the following questions:


  • Is the company website California-specific (i.e., is the subject matter of the website specifically tailored to Californians)?
  • Does the company engage in activities to drive California residents to its website?
  • Does the company specifically profit from California website viewers (as opposed to viewers generally)?
  • Does the company profit from California-specific advertisements on its website?
  • What percentage of the website’s users are associated with a California address?
  • Where is the website hosted (i.e., within California or in a location specifically intended to increase the number of California users)?
  • Are the website’s terms and conditions and/or privacy policies aimed at Californians or users as a whole?
  • Does the website collect the same information on all users, or does it collect different information if the user is associated with a California address?


Businesses should also consider whether or not their servers are physically located in California. For modern distributed, cloud-based websites, that isn’t always clear. In fact, none of those questions are particularly straightforward to answer.


Stop these lawsuits in their tracks


All privacy laws, including CIPA, tend to have a uniting factor; user consent. A fantastic way to help your clients avoid these frivolous shakedown attempts is to request explicit permission to install cookies, record session information, or perform nearly any kind of behavior tracking.


Not only will this protect your client from scary, unnecessary demand letters, but it’ll also future-proof their website. This month alone new privacy laws went into effect in Florida, Oregon, and Texas, with Montana to quickly follow suit beginning October 1st. 


The United States federal government isn’t far behind, either. In April, a bipartisan, bicameral coalition unveiled a draft of the “American Privacy Rights Act,” following increasing public pressure to protect consumer privacy online.


Now is a great time for your clients to get their data houses in order, before it’s too late. Well written privacy policies, comprehensive terms of service, and effective cookie consent banners can work in tandem to protect your customers from aggressive privacy lawsuits like the CIPA ones we have seen appearing in courts across California.


Apps like Termly and Termageddon can dramatically simplify this process for your SMB customers, especially those without a dedicated legal team. Termageddon has written extensively about the threat of CIPA lawsuits, and is proud to offer a policy generator that explicitly protects against this specific threat.


While these lawsuits may be frivolous, an old saying still rings true, “better safe than sorry.”


Headshot of Shawn Davis

Shawn Davis

Content Writer, Duda

Denver-based writer with a passion for creating engaging, informative content. Loves running, cycling, coffee, and the New York Times' minigames.

Did you find this article interesting?


Thanks for the feedback!
A pink background with the words `` par lax '' and a purple bubble wrap package.

5 ways to add a parallax scrolling effect to your website

By Shawn Davis February 20, 2025
Drop shadows? Layering? Lame! Parallax effects are the most impressive way to add depth to your clients’ websites, and it’s even easier to do than you might’ve thought. Take a deep dive with us into everything parallax, including 5 ways you can implement it yourself today.
A screenshot of a website with a domain authority score on top

Mastering Domain Authority: How to choose the right Domain Authority Checker and use it to boost your clients' SEO

By Renana Dar February 20, 2025
In this article, we’ll explore how to select the most effective DA checker for your needs and use it as a tool to enhance client success.
A set of four cards with different percentages on them.

5 game-changing web design statistics for 2025: Actionable insights for agencies serving SMBs

By Renana Dar February 13, 2025
Discover 5 key web design stats from our SMB survey to help your agency better understand SMBs’ needs and refine your services, marketing, and sales strategies.
Show More

Latest Posts

Share by: