Weakening CIPA Would Lead to Data Abuse, Privacy Pros Say
The California Invasion of Privacy Act (CIPA) has included a private right of action since it was established in 1967, and weakening this and other protections under the wiretapping statute would lead to abuse, said privacy experts Don Marti of the vendor Aloodo and Robert Tauler, an attorney, in an AdExchange op-ed Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Given that “privacy [is] under unprecedented attack by data brokers and social media,” now “is the wrong time to weaken these protections,” such as with California's proposed SB-690, Marti and Tauler wrote. SB-690 would eliminate wiretapping, pen register and trap-and-trace liabilities from online tracking technologies used for business (see 2505280028). The bill was postponed until 2026 due to privacy concerns (see 2507010057).
Especially since Frasco v. Flo Health, “where a jury found that Meta violated CIPA by receiving menstrual cycle information from a mobile app, the private right of action is seen even more as an essential part of modern privacy enforcement,” added Marti and Tauler, referring to a court decision from this year (see 2508040041).
They noted that there are many “myths” that persist about the statute. One is that “tracking pixel lawsuits rely on a dusty 1967 wiretapping law,” which is not true, since CIPA “was updated in 2016 to cover electronic communications.”
They cited “a 2024 legislative analysis” which “confirmed that CIPA was meant to evolve alongside technology,” noting that the statute “is far from obsolete.”
Another myth is that “pixel-tracking cases fail for lack of injury,” but Marti and Tauler said that “plaintiffs have adapted” since earlier cases were dismissed on this ground. Additionally, the claim that “tracking lawsuits are turning public opinion against privacy lawyers” is untrue because the reality is, “public sentiment is overwhelmingly against Big Tech’s data practices,” they said.
Though some argue “CIPA is obsolete now that California has passed” the California Consumer Protection Act and the California Privacy Rights Act, Marti and Tauler said, “[A]ll of these laws work together."
“Regulators should protect, not limit, private rights of action,” as “it’s the only tool that allows citizens and attorneys to hold Big Tech accountable when government enforcement falls short,” they added. “The private right of action is not a historical relic; it’s the lifeblood of privacy enforcement."
In an email to Privacy Daily, Marti predicted that “we [will] have [a] strong CIPA for at least another year, and the law will only get more popular as lawyers learn to connect surveillance practices … to downstream impact.”