The Overlooked Regulation Quietly Undermining Privacy Compliance
Most organizations have become aware of the active data privacy enforcement environment in California, with recent increases in California Consumer Privacy Act and California Privacy Rights Act regulatory sweeps, litigation and penalties. However, a lesser-known legacy law from the 1960s, the California Invasion of Privacy Act, is currently driving significant litigation in the privacy space and creating risk exposures for companies, even those that have implemented controls in full compliance with other state data privacy laws. Tens of thousands of demand letters and more than 4,000 lawsuits have been filed under the California Invasion of Privacy Act, many related to website practices that plaintiffs allege violate the law’s protections.
One key area of focus in many of the demand letters is the claim that interception occurs before consent. This creates notable conflict with broader U.S. privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act, which operate under an opt-out model (i.e., tracking or data collection is permitted unless the consumer affirmatively declines). Compliance with the California Invasion of Privacy Act, by contrast, would suggest a stricter opt-in model. In essence, websites serving California residents may be in violation of the law if they track any user data before the user has had the opportunity to give explicit permission.
While California’s modern data privacy laws are widely considered the default governing frameworks for data privacy requirements among businesses serving California residents, the California Invasion of Privacy Act imposes additional requirements. These were initially developed to protect California residents against illegal wiretapping; however, when applied to a company’s website practices, they can be leveraged for penalties of up to $5,000 per violation. A case currently before the California Court of Appeal argues against the use of the California Invasion of Privacy Act as a vehicle for data privacy enforcement on websites; the ruling, expected later this fall, stands to determine whether the statute can be applied to website tracking technologies.
This litigation activity presents significant challenges and potential blind spots for organizations that have to date relied on modern data privacy regulations as the basis for their compliance programs and controls. Unless and until courts formally reject the application of the California Invasion of Privacy Act to website technologies, this is a risk area organizations need to address.
The following list provides steps legal and privacy teams can take to limit the risk of running afoul of the California Invasion of Privacy Act and reduce the risk of receiving a demand letter.
- Perform a website audit and risk analysis, identifying all scripts (e.g., analytics, session replay, chat, ads, pixels), including async, deferred, hard‑coded and tag‑managed scripts. The audit must include a mapping of all first- and third-party tracking technologies, the specific data collected by third-party tools (e.g., keystrokes, clicks, personal data elements) and any downstream use and sharing, and a definition of the business use case for each data collection. The results of these audits can inform a risk analysis and identify the measures that may be needed to reduce risk, such as minimizing data collection, removing excessive use of tools and masking sensitive data where necessary.
- Implement California-specific consent mechanisms. Courts and plaintiffs have focused on whether user data received by third parties (keystrokes, clicks, searches, chat or replay data) has been collected in real time before the user interacts with the cookie banner. Website owners should block third‑party scripts from loading or transmitting data of California users, including session replay, analytics and performance tools (i.e., not only advertising), before the user makes a banner selection to indicate their consent preferences. Consent options should be categorized, with separate mechanisms available for analytics, session replay, chat and advertising. Companies should perform a risk–benefit analysis balancing potential litigation risk against expected marketing-driven gains when deciding whether to implement more stringent consent controls.
- Establish session replay and keystroke controls, so session replay is disabled by default. Courts treat unmasked keystrokes as “contents of a communication,” so if session replay is used, scope should be strictly limited and keystrokes, free-text fields, search inputs and forms should be masked.
- Provide a neutral, informed consent user interface, avoiding dark patterns and ensuring symmetry between consent choices. Consent notifications must occur before any interception and should avoid confusing layouts, double negatives or excessive steps that steer users toward less private choices.
- Review vendor contracts to be sure vendors act only as service providers and processors. Agreements should prohibit independent use of data, cross‑customer analytics, model training and audience building; otherwise, courts may treat vendors as third‑party interceptors.
- Log and maintain proof of consent, capturing timestamp, geolocation basis, categories enabled and banner version displayed. When an organization is unable to prove that consent happened before data interception, it is more likely to lose under the California Invasion of Privacy statutes.
- Reinforce governance processes through periodic website audits and risk assessments, and off-cycle audits after material changes to the site. These can also be supported by conducting privacy impact assessments before any new tracking tool or website update goes live. Marketers, engineers and other stakeholders should receive training on the controls and compliance requirements.
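The consent-gating and proof-of-consent steps above, as an added example that is not from the original post or from any vendor: a small gate that holds every registered third-party tag until the visitor makes a banner selection, loads only the categories they enabled, and writes the consent record the list calls for (timestamp, geolocation basis, categories enabled, banner version). The category names, tag URLs and the `loader` callback are assumptions; in a real page `loader` would inject a `<script>` element, here it is injected so the logic runs outside a browser.

```javascript
// Added example (not the post's own code). Opt-in gate for third-party tags.
const CATEGORIES = ["analytics", "session_replay", "chat", "advertising"];

class ConsentGate {
  constructor({ bannerVersion, region, loader, clock = () => new Date() }) {
    this.bannerVersion = bannerVersion; // which banner text/layout the visitor saw
    this.region = region;               // geolocation basis, e.g. "US-CA" (constructed value)
    this.loader = loader;               // assumption: function(url) that injects the tag
    this.clock = clock;                 // injectable for deterministic timestamps
    this.pending = [];                  // tags held back until a banner selection
    this.loaded = [];                   // tags actually injected, for audit
    this.record = null;                 // proof-of-consent record, set on selection
  }

  // Register a tag instead of hard-coding it in the page. Nothing is loaded
  // here, whatever the category: no script runs before the banner selection.
  register(url, category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    this.pending.push({ url, category });
  }

  // Called once the visitor makes a banner selection. `enabled` lists the
  // categories they accepted; unknown names are ignored, not granted.
  applyChoice(enabled) {
    const allowed = new Set(enabled.filter((c) => CATEGORIES.includes(c)));
    this.record = {
      timestamp: this.clock().toISOString(),
      geolocationBasis: this.region,
      categoriesEnabled: [...allowed].sort(),
      bannerVersion: this.bannerVersion,
    };
    const stillBlocked = [];
    for (const tag of this.pending) {
      if (allowed.has(tag.category)) {
        this.loader(tag.url);          // consent given for this category: load now
        this.loaded.push(tag.url);
      } else {
        stillBlocked.push(tag);        // declined: keep blocked, never transmitted
      }
    }
    this.pending = stillBlocked;
    return this.record;
  }
}
```

Keeping `record` alongside `loaded` gives the evidence the post says is decisive: the consent timestamp predates every injected tag by construction.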
Websites have become an increasingly complex area of privacy risk exposure in the current regulatory landscape, particularly as frameworks mature and legal systems solidify enforcement approaches. Significant steps are required to meet the requirements of the California Consumer Privacy Act, California Privacy Rights Act and other state-based laws. Yet, it is not enough to set a compliance baseline around these laws, as the plaintiffs’ bar continues to leverage obscure and legacy laws to pursue data privacy enforcement. Organizations must stay up to date on the changing landscape and maintain complete and fluid inventories of the tracking technologies used on their websites. Conducting thorough audits and updating consent and other controls will help reduce risk until more clarity is provided by federal, state or court authorities.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.