Jackie Cooney, partner and co-chair of AGG’s Privacy and Cybersecurity practice, and Erin Doyle, associate in the Privacy & Cybersecurity practice, published an article in Corporate Compliance Insights explaining why companies are being targeted by lawsuits based on a Cold War-era California law.
The California Invasion of Privacy Act (“CIPA”) was created to stop wiretapping of telephone calls, but is being repurposed to argue that cookies, pixels, session-replay tools, search bars, chatbots, and more intercept the online “conversations” between a visitor and a site. Courts, however, have reached inconsistent conclusions on whether the law applies to modern website technologies.
Jackie and Erin examined three recent proposed class actions alleging CIPA violations and what they mean moving forward, as well as a bill that was unanimously passed by the California Senate in June 2025. The bill would amend CIPA in a way that would likely curb the current slew of litigation, however it is still under consideration in the California Assembly and would only apply prospectively, not retroactively.
In the meantime, for businesses that continue to use website tools, the attorneys explained that transparent notice and express consent remain the most effective risk mitigation measures.
“Companies using third-party consent management tools on their websites should ensure they have adequate contractual terms in place to protect personal data and restrict the third party’s access to and use of the data,” Jackie and Erin wrote.
To read the full article, please click here.
Authors:
Jacqueline W. Cooney
Email: Jacqueline.cooney@agg.com;
Erin E. Doyle
Email: erin.doyle@agg.com