Lawyer Urges Holistic Risk Management as CIPA Cases Surge
Litigation under the California Invasion of Privacy Act (CIPA) will likely continue, if not increase, in 2026, so companies operating there should be proactive and extensive in risk mitigation strategies, said Shumaker Loop lawyer Brian Focht in a blog post Friday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
As such, “companies should adopt a holistic approach to CIPA compliance” that covers “technology, legal, and vendor management,” Focht said.
He recommended businesses “inventory and test” all scripts, cookies and software development kits from third parties to ensure that no cookies or pixels fire before users can give or decline consent. Employing data minimization principles can help but is sometimes “imperfect.”
Having “strong consent flows with clear disclosures and opt-out mechanisms aligned with actual data practices” is key, he said. In addition, reviewing and updating privacy notices, Terms of Use and vendor contracts helps make policies and practices around data clearer, said the lawyer, adding that a “demand-letter response playbook” may also help.
The surge in CIPA website-tracking litigation results in cases that often advance one or more of several key theories, Focht said. There’s the claim that “embedded vendor code intercepts private user interactions;” eavesdropping claims; and the idea that tracking tools function as either a pen register or trap-and-trace device (see 2503030050).
A California bill (SB-690) to reform CIPA stalled this year (see 2507010057). Though it could pass in 2026, “there is no statutory safe harbor” right now, and the bill “wouldn’t provide immediate relief,” Focht said.