California Privacy Statutes
Statutes relevant to the third-party tracking technologies Cassandra detects. This is a reference document, not connected to any individual scan.
California Invasion of Privacy Act (CIPA)
§ 631 — Wiretapping
Prohibits the intentional wiretapping, reading, or attempting to learn the contents of any communication without the consent of all parties. In the website tracking context, plaintiffs argue that session replay tools and tracking pixels “wiretap” user communications by intercepting browsing data and transmitting it to third parties.
Statutory damages: $5,000 per violation
Treble damages: Up to three times actual damages, minimum $5,000
The key legal question is whether a website operator is a “party” to the communication (and thus exempt from wiretap liability) or whether the third-party tracker provider is an unauthorized eavesdropper. The Ninth Circuit’s 2025 ruling in Thomas v. Papa John’s held that website operators are parties to communications on their own sites, significantly narrowing this theory for first-party analytics.
§ 638.51 — Pen Register / Trap and Trace
Prohibits the installation or use of a pen register or trap-and-trace device without a court order. In the tracking context, plaintiffs argue that analytics pixels and ad trackers function as pen registers by recording the “addressing information” of web communications (URLs visited, timestamps, IP addresses) without capturing content.
Statutory damages: $2,500–$10,000 per violation
This theory is largely untested. Most courts have not squarely addressed whether a tracking pixel constitutes a “pen register” under California law. It is generally considered a weaker theory than § 631 wiretap claims.
Recent CIPA Cases
Thomas v. Papa John's Int'l(9th Cir., 2025)
Website operators are "parties" to communications on their own sites. Session replay vendor was not an eavesdropper because the operator installed the tool intentionally.
Javier v. Assurance IQ, LLC(N.D. Cal., 2022)
Denied motion to dismiss § 631 claim where session replay tool captured form inputs and transmitted them to a third party without consent.
Licea v. Cinmar, LLC(C.D. Cal., 2023)
Allowed § 631 wiretap claim to proceed against retailer using session replay technology to record browsing behavior.
Gutierrez v. Converse(9th Cir., 2025)
Dismissed wiretap claims against chat widget provider. User-initiated chat with visible interface is not secret interception.
Byars v. Hot Topic(C.D. Cal., 2024)
Denied motion to dismiss § 631 claim involving Meta Pixel transmission of browsing data to Facebook. Held that Meta was a third party, not a party to the communication.
Cody v. Boscov's(E.D. Pa., 2023)
Explored pen register theory for tracking pixels under Pennsylvania wiretap law analogous to CIPA § 638.51. Court found the theory insufficient to state a claim.
In re Meta Pixel Healthcare Litigation(N.D. Cal., 2023–present)
Consolidated MDL alleging hospitals' use of Meta Pixel on patient portals transmitted protected health information to Meta without consent. Multiple motions to dismiss denied.
Graham v. Noom(S.D.N.Y., 2024)
Dismissed wiretap claims against health app using session replay, finding that users consented through terms of service and privacy policy disclosures.
California Consumer Privacy Act (CCPA)
§ 1798.100–1798.199 — Relevant Provisions
The CCPA grants California consumers the right to know what personal information is collected about them and to opt out of the “sale” or “sharing” of that information. In the tracking context, the critical question is whether transmitting browsing data to third-party ad networks via tracking pixels constitutes a “sale” or “sharing” of personal information.
§ 1798.150 — Private right of action: $100–$750 per consumer per incident for data breaches resulting from failure to implement reasonable security
§ 1798.155 — CPPA enforcement: $2,500 per violation, $7,500 per intentional violation
The private right of action under § 1798.150 is narrow — it only applies to data breaches, not general CCPA violations. However, plaintiffs have argued that unauthorized disclosure of browsing data to third-party ad networks constitutes a breach of the duty to maintain reasonable security. The CPPA (California Privacy Protection Agency) has broader enforcement authority for all CCPA violations.
Recent Enforcement & Litigation
Shah v. Capital One(E.D. Va., 2023)
Survived motion to dismiss CCPA claim alleging Meta Pixel transmitted browsing data to Facebook, constituting unauthorized "sale" of personal information.
In re Facebook Privacy Litigation(N.D. Cal., 2023)
Consolidated action alleging Facebook's tracking pixel on third-party sites collected and shared user data without adequate consent. Partial denial of motion to dismiss.
CPPA v. Sephora(CPPA Enforcement, 2022)
First public CCPA enforcement action. $1.2M settlement for failing to disclose sale of personal information via tracking technologies and failing to honor opt-out requests.
CPPA v. DoorDash(CPPA Enforcement, 2024)
Enforcement action alleging DoorDash shared consumer data with third-party marketing cooperative without opt-out mechanisms. Pending resolution.
Zeto v. HomeAdvisor(S.D. Cal., 2024)
Dismissed CCPA claim alleging tracking pixel data sharing, holding that plaintiff failed to show data transmitted constituted a "sale" rather than service provider processing.
AG Inquiry: Connected Vehicle Data(CA Attorney General, 2023)
Attorney General sent inquiry letters to major automakers regarding collection and sharing of geolocation and driving data, signaling expanded enforcement beyond web tracking.
CPPA Draft Regulations: Automated Decision-Making(CPPA Rulemaking, 2024–2025)
Proposed regulations would require opt-out mechanisms for profiling based on tracking data. Would strengthen enforcement against ad tech tracking without consent.