Website tracking litigation shows no sign of cooling as plaintiffs continue to file hundreds of lawsuits and arbitration demands alleging that pixels, analytics, session replay, and chat features violate the California Invasion of Privacy Act (CIPA) and related statutes. Despite mixed results in court, the filing volume remains high, and businesses face mounting defense costs. The momentum is likely to persist as companies roll out new, opaque artificial intelligence capabilities across marketing and customer experience.
Recent complaints often bundle CIPA claims under sections 631(a) and 632.7 with “trap-and-trace” allegations under section 638.51, and at times add the federal Wiretap Act or the Video Privacy Protection Act. These hybrid pleadings aim to capture transmissions of user interaction data to third-party vendors through embedded tools. Courts are divided: some dismiss cases at the pleading stage, finding a website cannot intercept its own communications or that metadata like IP addresses and click paths are not “contents.” Others allow claims when technologies capture free-text inputs, chat messages, or search queries that plausibly reflect the substance of a user’s communication. The result is a fragmented body of decisions that complicates compliance planning.
As companies integrate artificial intelligence-powered chat and personalization, plaintiffs are testing whether these tools record or repurpose user inputs in ways that trigger CIPA consent requirements. Because many artificial intelligence models operate on vendor-hosted infrastructure and process prompts opaquely, they raise questions about third-party access to user communications. Early demand letters and complaints are beginning to frame generative artificial intelligence chatbots and recommendation engines as “listeners” that intercept or reuse communications without sufficient consent, echoing theories previously deployed against pixels and session replay.
The litigation is also spreading beyond California, with some suits targeting companies whose only nexus to the state is a website accessible to residents. While several courts have dismissed for lack of personal jurisdiction, others have allowed cases to proceed, adding uncertainty for national and global operators. Plaintiffs’ firms continue to iterate theories and amend complaints, keeping pressure on defendants even where courts have thrown out initial claims.
Legislative efforts to clarify CIPA have stalled. Senate Bill 690, which would have excluded routine commercial tracking from the statute’s scope, failed to advance in 2025, leaving the current patchwork of rulings intact. In response, organizations are conducting cross-functional reviews to map data flows, align disclosures with practice, refine consent and interface design, harden vendor contracts, and fold artificial intelligence features into existing governance programs. The overarching message is that transparency, documentation, and disciplined vendor management are now essential to reduce exposure while the law continues to evolve.