In the United States, California has led the way in regulating data privacy at the state level. The CCPA was the first comprehensive modern state-level privacy law in the US and has been influential on subsequent legislation drafted in other states.
It would be logical to assume that the California Invasion of Privacy Act (CIPA) is another recent regulation: a framework designed to help manage the ever-increasing prevalence of technology in our lives and in business, along with the vast amounts of data we create and that businesses want to access. But CIPA predates the digital era by decades.
CIPA was enacted long before ecommerce or social media platforms existed, and its original goal was to protect the privacy of California residents in connection with phone calls.
We look at what CIPA covers and how it’s applicable today, what rights consumers have, what obligations it places on businesses, the scope of penalties for violations, and more.
What is the California Invasion of Privacy Act (CIPA)?
The California Invasion of Privacy Act (CIPA) was passed in 1967 and has been amended several times in the succeeding decades. It’s meant to protect the privacy of California residents’ confidential communications.
Even before the internet era, people had growing concerns about technology use in communications and the increasing ease of wiretapping and electronic eavesdropping without their knowledge or consent.
CIPA regulates when and how conversations and communications can be recorded. This applies to both contacting consumers and recording confidential communications, and arguably covers not just wiretapping, but potentially digital marketing activities.
Consent is a major requirement of CIPA, even more so than in the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
However, a lot has changed since 1967. Since CIPA is still on the books, it must still be relevant, right? It is: in addition to protecting phone conversations, for example, there is ongoing litigation attempting to extend the scope of the regulation to communication via websites and apps, and to the tracking and recording technologies used on them.
Key requirements and prohibitions of CIPA
Enacting CIPA was meant to set a standard of establishing strong privacy rights around communications for California residents. The key goals of the regulation were:
- Deterring unauthorized surveillance and recording or data collection
- Establishing clear consent requirements
- Creating accountability for violators
- Protecting privacy rights
- Adapting privacy protections (as technologies evolve)

Here are notable sections of CIPA with regard to data privacy and individuals’ rights.
- Section 631: Sometimes called the “anti-wiretapping” rule, it prohibits unauthorized interception or recording of any communication (wired or electronic, which can include video conferencing) unless all parties involved give consent (with exceptions).
- Section 632: Focuses on the recording of confidential conversations, defined as those in which participants have a reasonable expectation of privacy. Recording such conversations is prohibited unless all parties give consent (with exceptions).
- Section 632.5: Added in 1985 to cover cellular phones and conversations.
- Section 632.6: Added in 1992 to cover cordless phones and conversations.
- Section 632.01: Added in 2017, criminalizing the recording and intentional disclosure or distribution of confidential communications involving healthcare providers without consent.
- Section 637.2: Allows individuals whose privacy rights have been violated to sue violators for damages of up to USD 5,000 or three times the individual’s actual damages, whichever is greater.
- Section 638.51: Prohibits the installation or use of a pen register or trap and trace device without consent or a court order. Dozens of recent lawsuits allege that this covers cookies and other tracking technologies used on websites.
CIPA definitions
Technology has advanced significantly since CIPA was passed. Definitions included in the regulation have been argued to encompass today’s devices, platforms, and types of communication.
Person: An individual, business association, partnership, limited partnership, corporation, limited liability company, or other legal entity.
Confidential communications: Communications made in circumstances that reasonably indicate the parties desire it to be confined to them, excluding communications made in circumstances where parties may reasonably expect that the communication may be overheard or recorded.
Wire communication: Any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of a like connection in a switching station), furnished or operated by any person engaged in providing or operating these facilities for the transmission of communications.
Electronic communication: Any transfer of signs, signals, writings, images, sounds, data, or intelligence of any nature in whole or in part by a wire, radio, electromagnetic, photoelectric, or photo-optical system. Does not include any of the following:
- Any wire communication
- Any communication made through a tone-only paging device
- Any communication from a tracking device
- Electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds
Pen register: A device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.
Trap and trace device: A device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication. This can include website tracking technologies.
Tracking device: An electronic or mechanical device that permits the tracking of the movement of a person or object.
Who must comply with the CIPA?
CIPA is usually discussed in terms of companies and the variety of customer or prospect interactions it potentially covers. However, it can apply to a broad range of entities if they intercept, intentionally overhear, or record private communications without all parties’ consent.
This includes individuals, employers, businesses, technology providers, and government entities, whether they intercept, monitor, or record communications or manufacture or operate the relevant equipment.
When does CIPA or CCPA compliance apply?
It can be tricky to understand when CIPA or the CCPA/CPRA applies, especially given the speed of change and the introduction of new technologies. This is so even though the CCPA/CPRA passed decades after CIPA and, according to the text of the California Civil Code (§ 1798.175), was intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information.
For example, under the CCPA/CPRA, collecting personal information on websites and processing it is legal in most cases without prior consent. Companies just have to give individuals the ability to opt out of the sharing or sale of their data, or its use for targeted advertising or profiling.
At the same time, under CIPA, individuals’ consent may need to be obtained before companies can communicate with them or record interactions, e.g. for marketing emails or customer support calls.
It can potentially be even more complicated with tracking on websites or apps. Technologies like cookies collect personal data, which is legal under CCPA without consent in most cases.
But such technologies that track individuals on or across websites without prior consent could arguably violate CIPA.
With online chat, whether between a customer and a human representative, a chatbot, or another virtual assistant, companies can collect personal data from individuals during the interaction, but if the interaction is recorded, companies need to disclose this.
Whether companies also need to notify customers about or obtain explicit consent to process the data from recorded interactions is a question currently being hashed out in the courts and the California state legislature. The outcomes of legislative action, lawsuits, and case law will continue to refine the answers to these questions.
However, to simplify operations and privacy compliance, it’s strongly recommended for companies to consult with qualified legal counsel and to adopt privacy best practices, including Privacy-Led Marketing strategies.
Disclosing monitoring and recording and requesting consent even when it’s not strictly necessary can show people that you respect their privacy and data. It also helps future-proof marketing activities and other operations over time, saving resources as technologies and regulations evolve.
Exceptions to the California Invasion of Privacy Act
While, as the law is currently written, most companies interacting with California residents for commercial purposes and engaging in various kinds of monitoring and recording will need to comply with CIPA, there are exceptions:
- Public utilities, including phone companies that provide communications facilities and services in connection with certain daily operations
- Telephone communication providers or systems used for communication exclusively within a state, county, city and county, or city correctional facility
- Conversations not considered confidential, including those taking place in a public setting
- Conversations or interactions where all parties involved have consented to recording
- Law enforcement officers can intercept and record communications if they have obtained a warrant or other judicial approval
- Emergency services can record conversations to obtain evidence of certain crimes
- Hearing aids and similar devices used by people with hearing impairments

Proposed amendment affecting CIPA applicability
On March 25, 2025, SB-690 was proposed in the California Senate, and passed there unanimously on June 3, 2025. The bill is with the state Assembly for consideration.
This bill proposes to amend CIPA to close an existing loophole, specifically so that the regulation would not apply to uses, devices, and processes for “commercial purposes” or subject to a consumer’s opt-out rights.
If passed, this bill would help clarify opt-in/opt-out standards and requirements for the use of online marketing tools in California (and, by extension, the US) and could potentially end a large wave of CIPA litigation in the country.
If passed in its initially proposed form, the bill would have applied retroactively to any case pending as of January 1, 2026. However, on May 30, 2025, in a significant amendment to the bill, the retroactivity provision was removed.
Since SB-690 was introduced there has been an acceleration of cases filed, and an additional increase in case filings is expected with the removal of the retroactivity provision, as the law would not affect ongoing litigation if passed.
What are consumers’ rights under the California Invasion of Privacy Act?
Under CIPA consumers have four major types of rights. Some of these will look familiar compared with other data privacy regulations and their requirements.

Right to notification
Businesses that record interactions with customers, e.g. phone calls, must provide individuals with clear notification at the start of the call and enable the individual to consent or end the call.
The notification must be provided in clear, understandable language before any substantive communication occurs, with an obvious opportunity to opt out or disconnect from the call.
Right to consent
The consent of all parties involved in a private conversation is required before it can be legally recorded or monitored, aka “all-party consent.” Consent is defined as explicit (verbal or written agreement to be monitored or recorded) or implied (a clear indication, or continued participation after notification).
This notification must be provided to customers with every interaction, even if they have contacted the company before and heard it.
Right to privacy in conversations
Individuals have the right to privacy in their conversations and in electronic communications where confidentiality is a reasonable expectation. This includes places and communications like:
- Private homes
- Offices or workplaces
- Landline or mobile telephone conversations
- Text messages, direct messages, and other private electronic communications
- Other settings where there is a reasonable expectation of privacy
Right to legal remedies
Individuals whose rights under CIPA have been violated have more options than under many other privacy laws:
- Seek injunctive relief to stop ongoing violations
- Seek damages by filing a civil lawsuit (private right of action)
- Report violations for possible criminal prosecution of the violator
The penalties per violation can add up quickly. Also of note is that the CCPA, by contrast, only enables California residents to sue in the event of a data breach.
There have been a number of cases where CIPA has been used to enable victims of privacy violations that were not data breaches to seek redress, for example when they were recorded or had information from interactions used without their knowledge or consent.
Individuals suing for damages must establish that the communication that occurred was confidential and they had a reasonable expectation of privacy, as well as that the communication was intercepted or recorded without proper consent.
What are organizations required to do for CIPA compliance?
Best practices to comply with CIPA will look familiar to those who already work to achieve and maintain data privacy compliance in California.
The good news is that if your company already complies with regulations like the CCPA or GDPR, you’re potentially already implementing these recommendations.
Provide clear notifications and consent management options
Determine which of your company’s operations require prior consent under CIPA. For example, do you need to inform customers at the beginning of customer support phone calls about recording and enable them to opt out?
Where legal requirements are still being determined, adopting best practices can reduce legal risks. For example, if your website uses a chatbot, provide a clear notification when the function is initiated about potential recording or use of the data from the interaction, and enable opt-out.
In addition to helping protect your company from regulatory violations, providing this information along with clear choices helps build trust with your customers and website visitors.
Implement and maintain a clear privacy policy
Your company should already have a clear, comprehensive privacy policy, especially if you’re complying with regulations like the CCPA or GDPR. Ensure that you provide notification about monitoring or recording on your website or in other customer interactions.
Be clear about what information may be recorded, how it may be used, and who may have access to it. Explain consent options and how to contact your company for additional information.
As the law and technologies businesses use evolve, ensure your privacy policy is kept up to date to reflect your operations and legal obligations. Automated consent management tools can help with this maintenance.
Provide ongoing privacy and consent management training
Include CIPA requirements in your security and data privacy training for staff. Customize the training for specific roles, e.g. the customer support team. Repeat the training on a regular basis to onboard new staff and to keep the knowledge fresh and ensure new operations or technologies are covered.
Ensure that staff know about the company’s monitoring and recording practices, via which technologies, and can provide information about how collected data is used and how to ensure opt-out requests are respected.
Use a comprehensive consent management solution
Depending on your operations, data collection, and relevant regulations, there are different tools to help you manage consent requirements. Customer relationship management (CRM) systems often have tools to manage consent for recorded communications.
Consent management platforms (CMP) like Usercentrics Web CMP provide notifications about data collection and processing on websites or apps and enable users to make consent choices, as well as signaling of those consent choices to other systems.
Use security best practices like access controls
As with other personal information collected during marketing, ecommerce, or other operations, restrict which staff have access to what data based on the needs of their roles. Limit who can access call recordings or chat logs, e.g. for training or support escalation. This reduces the risk of unauthorized access or use.
Monitor and regularly review data, security, and privacy operations
Regularly audit and update your recording and data-gathering practices to help ensure continued compliance with CIPA, especially as technologies and privacy expectations evolve.
Ensure that you’re providing clear notifications and are only collecting the data you need for specific purposes. Limit who has access to that data, and follow strict retention policies so you don’t store it longer than necessary or use it for purposes for which users have not been notified or given the option to opt out.
CIPA enforcement
Unlike many state-level data privacy laws, CIPA has a number of enforcement bodies and mechanisms. This is not surprising, given that penalties can be civil or criminal and that unlawful monitoring or recording can take place across many companies and industries, or even among individuals.
Typically, both criminal and civil actions must be undertaken within one year of discovering a violation. Enforcement bodies include:
- California Attorney General
- State agencies with specific industry jurisdiction for regulatory oversight
- County district attorneys
- Other authorized agencies
- Individual plaintiffs (and retained legal counsel)

CIPA criminal penalties
Penalties for violators of the CIPA law can be hefty, and can be combined. They include:
- Fines up to USD 10,000 per violation
- Up to three years in prison
- Private right of action for statutory penalties
Criminal prosecutors can charge offenses as felonies or misdemeanors, depending on the specifics of each case. A misdemeanor could bring fines of up to USD 2,500 per violation and one year in prison. A felony could increase the prison sentence to up to three years.

CIPA civil penalties
As noted, individuals also have more civil recourse under CIPA than under some other privacy laws. These penalties include:
- Statutory damages up to USD 5,000 per violation
- Actual damages, tripled (the statutory amount or triple actual damages, whichever is greater)
- Punitive damages in additional compensation for especially egregious offenses
- Injunctive relief to stop the violating activities
- Attorneys’ fees and related costs
There may also be overlaps in cases of invasion of privacy and right of publicity claims, so individuals could also be able to file a right of publicity lawsuit, claiming that the business attempted to profit from their conversations without consent.
The evolution of consent management and the California Invasion of Privacy Act
Despite being nearly 60 years old, CIPA and other “wiretapping laws” are anything but irrelevant in the digital age. According to the Fisher Phillips law firm, as of February 2025, 1,641 digital wiretapping lawsuits had been filed in 28 states since June 2022, with 1,361 filed in California alone, 83 percent of all claims.
CIPA is one of the regulations and laws alleged to have been violated by the companies named in six recent class action lawsuits, for unauthorized interception of electronic communications and unlawful use of a pen register.
It can be hard for companies to keep up with ever-changing regulations and technologies, especially smaller organizations. But the consequences of not doing so can be harsh and long-lasting.
There are potential criminal and civil penalties, as well as loss of brand reputation, ongoing demands of compliance monitoring by authorities, and the risk of scaring off advertisers, investors, and other partners, damaging growth opportunities.
Using the right tools for consent management and notifications won’t enable your company to entirely ignore legal requirements around data privacy, but a robust consent management platform will help you achieve and maintain compliance as the law and technologies you use change.
It will also show your customers that you respect their privacy and rights to control access to their data, which builds long-term trust.