
Feb 14, 2026 · 5 min read

1,500 Lawsuits Say Your Tracking Pixels Are Illegal Wiretaps—And the Courts Are Split

A 1967 California wiretapping law is being used to sue companies for embedding tracking pixels on their websites. Over 1,500 lawsuits have been filed in 18 months, damages are $5,000 per violation, and legislative reform just stalled.


A 1960s Wiretapping Law Meets Modern Tracking

California's Invasion of Privacy Act was written in 1967 to stop people from tapping phone lines. Nearly six decades later, plaintiffs' attorneys are using it to argue that the tracking pixels embedded on nearly every website are functionally the same thing: unauthorized surveillance devices that intercept your communications without consent.

The strategy is working. More than 1,500 CIPA lawsuits have been filed in the last 18 months, targeting companies that use Meta Pixel, Google Analytics, TikTok Pixel, session replay tools, and chat widgets. Statutory damages run $5,000 per violation with no requirement to prove actual harm, and the numbers are accelerating.

What the Lawsuits Claim

Plaintiffs are advancing three legal theories under CIPA:

  • Wiretapping (Section 631): Tracking code intercepts keystrokes, clicks, and browsing data, which constitutes unauthorized interception of communications
  • Eavesdropping (Section 632.7): Provisions originally written for telephone surveillance apply to web interactions where third-party scripts secretly monitor user behavior
  • Pen register (Sections 638.50–638.51): Tracking pixels function as pen registers by capturing device identifiers, IP addresses, and connection metadata without a court order

The technologies in the crosshairs include tracking pixels from Meta, Google, TikTok, and Microsoft Bing, as well as session replay software, chat widgets, fingerprinting tools, and website analytics platforms. CIPA applies to any company with California users, regardless of where the company is based.

The Courts Are Split

Federal and state courts have reached opposite conclusions about whether tracking pixels qualify as wiretaps under CIPA, creating legal uncertainty that is itself fueling more litigation.

In November 2025, a federal court in Camplisson v. Adidas ruled that TikTok Pixel and Microsoft Bing tracking pixels collecting IP addresses and personal data do constitute pen registers under CIPA. The court rejected the defense's dismissal arguments, finding that a privacy policy buried in a website footer was not conspicuous enough to constitute consent, and that requiring users to click through terms without affirmative action was insufficient.

But earlier in 2025, multiple courts reached the opposite conclusion. In Price v. Headspace, Kishnani v. Royal Caribbean, and Mitchener v. Talkspace, judges dismissed CIPA pen register claims, finding that tracking pixels do not meet the statute's technical definitions.

This split gives plaintiffs' lawyers fresh ammunition. Every new favorable ruling invites a wave of copycat filings, while every dismissal gets distinguished in the next case.

Why Reform Stalled

California Senate Bill 690 was designed to modernize CIPA and clarify whether website tracking falls within its scope. The bill passed the state Senate unanimously with a 33–0 vote but stalled in the Assembly during the 2025 legislative session.

If reintroduced, SB 690 would not take effect until January 1, 2027 at the earliest. That creates a clear deadline that plaintiffs' attorneys are using to accelerate filings. Every tracking pixel lawsuit filed before reform takes effect preserves the claim under the current, ambiguous statute. Legal observers expect the next 12 months to produce the highest volume of CIPA tracking cases yet.

The Same Technology Lives in Your Inbox

The tracking pixels at the center of these lawsuits work on the same principle as the spy pixels embedded in marketing emails. When you open an email containing a tracking pixel, it silently reports your IP address, device type, approximate location, and the exact time you read the message back to the sender.

While CIPA lawsuits currently target website pixels, the legal reasoning applies equally to email tracking. If a court rules that a tracking pixel on a website constitutes an illegal wiretap because it captures data without meaningful consent, the same argument extends to pixels in your inbox. The only difference is that nobody has to visit a website to be tracked by email. The pixel arrives uninvited.

Tools like Gblock block these spy pixels in Gmail before they can fire, preventing senders from silently collecting your data.

What Happens Next

The volume of CIPA tracking pixel lawsuits is expected to surge through 2026. Plaintiffs' attorneys have a narrow window before potential legislative reform, conflicting court rulings to cite for almost any argument, and statutory damages that make even small cases financially viable.

For companies, the compliance burden is immediate: audit every tracking pixel, implement affirmative consent mechanisms, and ensure privacy disclosures are conspicuous rather than buried in footers. For everyone else, the takeaway is simpler. The tracking pixels that follow you across the web and into your inbox may finally be facing legal consequences, but until courts or legislators settle the question, blocking them yourself remains the only guaranteed protection.
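
As an added example (not code from this article or from any tool it mentions), here is one way to start the "audit every tracking pixel" step in Python; the same check works on the HTML body of a marketing email. The tracker host list is an illustrative, non-exhaustive assumption, and the sample markup and `example.*` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_TRACKER_HOSTS = {  # illustrative, non-exhaustive; vendors named in the article
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
    "analytics.tiktok.com": "TikTok Pixel",
    "bat.bing.com": "Microsoft Bing",
}

def is_hidden_pixel(attrs):  # 0x0/1x1 image, or hidden with inline CSS
    tiny = all((attrs.get(k) or "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in (attrs.get("style") or "").replace(" ", "").lower()

class PixelAuditor(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party, self.findings = first_party_host, []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname
        # Relative URLs and the site's own (sub)domains count as first-party.
        if not host or host == self.first_party or host.endswith("." + self.first_party):
            return
        vendor = KNOWN_TRACKER_HOSTS.get(host)
        reasons = ["known-tracker:" + vendor] if vendor else []
        if tag == "img" and is_hidden_pixel(attrs):
            reasons.append("hidden-pixel")
        if tag != "img" and not reasons:
            reasons.append("third-party-" + tag)  # unknown vendor: review manually
        if reasons:
            self.findings.append((tag, host, reasons))

def audit_html(html, first_party_host):
    auditor = PixelAuditor(first_party_host)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page for a hypothetical site, shop.example.com.
SAMPLE = """<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cdn.example.net/widget.js"></script>
<img src="https://shop.example.com/logo.png" width="200" height="50">
<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=0000000000">
<img src="//bat.bing.com/action/0?ti=0000000" width="0" height="0">
<img src="https://mail.example.org/open.gif?u=abc123" width="1" height="1">"""
```

Each finding is a `(tag, host, reasons)` tuple. Static HTML only shows tags present in the markup, so pixels injected at runtime by a tag manager still need a check of the network requests the live page actually makes.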