The California Invasion of Privacy Act (CIPA) is driving a growing number of lawsuits involving everyday technology used by businesses. This includes call recording systems, website chat features, and analytics software. And it doesn’t just apply to businesses located in California.

What is CIPA?

CIPA is a California law enacted in 1967 to address unauthorized wiretapping and eavesdropping. Its purpose was to protect the privacy of communications amid growing technological advancements at the time.

Today, several provisions of the law are especially relevant for businesses:

• Recording calls without consent: California generally requires all parties to consent before either party can record private communication.
• Intercepting communications: Businesses cannot “read” or capture communications while they are being transmitted without proper consent.
• Private lawsuits: Individuals can sue and recover up to $5,000 per violation without showing actual damage.

 
Why Does this Matter for Small Businesses?

CIPA is increasingly being used in lawsuits against small businesses. Claims often involve:

• Recording customer service or sales calls
• Website chat tools and contact forms
• Online tools that track or record what customers do on your website, like clicks, typing, and scrolling
• Analytics or third-party website scripts

 
Because the law allows statutory damages for each violation, even small issues can quickly turn into expensive litigation.

It’s Not Just a California Problem

Even if your business is not located in California, you may still be at risk of a CIPA violation. Businesses outside the state of California can be sued if they interact with California customers, including phone interactions, or operate a website that collects or records data from users in California.

Recent court decisions have made clear that businesses can be brought into California courts based on online interactions with California residents, even if the business is located elsewhere.

Common CIPA Violations

1. Recording calls without proper notice: If your phone system records calls, CIPA requires that clear notice must be given at the start of the call before recording begins.
2. Website tools collect data before obtaining consent: Certain tools may capture what a user types, clicks, or enters into a form before they’ve been informed or consented to their data being collected.
3. Using third-party website vendors: Some lawsuits focus on whether outside vendors (like chat providers or analytics tools such as Google analytics) act as a “third party” listening in on communications.
4. Relying on hidden privacy policies: Courts are increasingly focused on when consent is obtained, not just whether it was obtained. If disclosure comes after the interaction, California courts may still find a CIPA violation.

 
Recent CIPA Litigation Trends

• Website technology: Lawsuits are focusing on common website features that track what visitors do. This includes tools that record how users click, type, or fill out forms, or online chat features that allow customers to communicate with your business.
• Timing of consent: Businesses are being challenged when consent is delayed or unclear.
• Out-of-state businesses: Businesses in other states that interact with California residents online are being pulled into California courts.

 
How to Reduce the Risk of CIPA Violations

Small business owners don’t need to stop using these tools, but they should understand CIPA implications:

1. Review your call-recording practices and make sure all parties are notified before recording begins.
2. Audit your website tools by identifying what information is being collected, when it’s collected, and where it’s sent.
3. Check your consent process and ensure notice and consent come before data is recorded or transmitted.
4. Evaluate your vendors so you understand whether third-party tools can access or use customer data.
5. Minimize unnecessary data collection and only collect what you actually need for your business.

 
Unfortunately, CIPA is no longer just viewed as a technical privacy law. It’s an active source of litigation affecting small businesses. Because of this, the NFIB Legal Center encourages small businesses to review their practices and ensure they stay on the right side of CIPA.

For more information about CIPA and how to protect your business, reach out to the NFIB Legal Center at info@nfib.org.

Last Updated June 30, 2026