California
CIPA: California Invasion of Privacy Act Explained

The California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq., is California state law, not a federal statute. It requires the consent of every party to a confidential communication before recording, and it is now the country's most litigated wiretap-adjacent statute, reaching AI notetakers and website chat tools.
Information last verified on 2026-07-08. This article has not yet been reviewed by a licensed lawyer.
Jurisdiction scope: This article addresses California state law under the California Invasion of Privacy Act, Cal. Penal Code § 630 et seq. It is included in this federal-recording-laws cluster because CIPA is the most actively litigated state statute layered on top of the federal Wiretap Act baseline, not because it is itself federal law. For the federal floor CIPA sits on top of, see Federal Wiretap Act and ECPA: The Complete Guide. For other states' consent rules, see two-party (all-party) consent states.
CIPA is a state law, not a federal one
It is worth stating plainly: CIPA is not part of the ECPA, the Wiretap Act, or any other federal statute. The California Legislature enacted it in 1967, a year before the federal Wiretap Act existed, declaring its purpose was to protect the right of privacy of the people of California against new eavesdropping devices and techniques (Cal. Penal Code § 630). It belongs in a federal-recording-laws cluster for a practical reason, not a jurisdictional one: CIPA is, by a wide margin, the most heavily litigated wiretap-adjacent statute in the country, and any business operating nationally needs to understand how it layers on top of the federal one-party consent floor described in Federal recording laws: the complete hub. Federal law permits a participant in a conversation to record it without telling the others. CIPA does not.
The all-party consent rule: Sections 631 and 632
CIPA regulates two distinct kinds of conduct under two separate sections. Section 631, the wiretapping provision, prohibits tapping a telephone or telegraph line, making an unauthorized connection to a communication system, or reading or attempting to learn the contents of a message while it is in transit, without the consent of all parties. Section 632, the eavesdropping and recording provision, is the one that comes up most often in ordinary recording disputes:
"A person who, intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication ... shall be punished by a fine not exceeding two thousand five hundred dollars ($2,500), or imprisonment in the county jail not exceeding one year, or in the state prison, or by both that fine and imprisonment." Cal. Penal Code § 632
A "confidential communication" under Section 632(c) is one carried on in circumstances that reasonably indicate a party desires it to be confined to the parties to it, and the definition specifically excludes communications made at a public gathering or in any circumstance where the parties should reasonably expect the communication might be overheard or recorded. That carve-out is why CIPA does not reach every recording made in California; a conversation shouted across a crowded public event is not "confidential" in the statutory sense, while a private phone call or a one-on-one business conversation typically is.
Criminal and civil penalties
A first violation of Section 631 or 632 is punishable by a fine of up to $2,500, up to one year in county jail, or both; a subsequent violation raises the fine ceiling to $10,000. Beyond the criminal penalty, Section 637.2 gives any person injured by a CIPA violation a private civil right of action, and it does not require proof of actual damages to proceed. A prevailing plaintiff can recover $5,000 per violation, or three times actual damages, whichever is greater, plus injunctive relief. That statutory-damages floor, available without showing a dollar figure of actual harm, is the economic engine behind the wave of CIPA class actions described below: a company that records or transmits data from thousands of California visitors without proper consent faces exposure calculated per violation, not per lawsuit.
The pen register theory: how CIPA reached websites and apps
CIPA's pen register and trap-and-trace provisions, Cal. Penal Code §§ 638.50-638.51, were written to regulate physical telephone surveillance equipment: a pen register is a device or process that records dialing, routing, addressing, or signaling information without capturing content, and installing one without a court order is prohibited absent a specific exception. Around 2022, plaintiffs' firms began arguing that website tracking code, analytics scripts, and third-party SDKs are themselves a "device or process" that captures addressing information, namely IP addresses, and therefore requires a court order or consent. In Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023), the court became the first federal court to squarely confront that theory, denying a motion to dismiss and holding that software identifying users and correlating data through device fingerprinting can qualify as a pen register, reasoning that "pen registers [now] take the form of software." Other California courts have gone the other way, reasoning that the pen register provision's legislative history targeted telephone-tracking technology, not internet communications. The result is a genuine split, with dozens of website-tracking CIPA suits filed against businesses using chat widgets, session-replay tools, and analytics pixels; more than 800 CIPA claims were filed in 2025 alone. California's Senate Bill 690 would narrow this exposure, most recently by limiting private lawsuits over Section 638.51 website claims to enforcement by the state Attorney General, but as of this writing it remains pending, having been amended and advanced by an Assembly committee on July 1, 2026, and it has not yet been enacted.
AI notetakers and the Otter.ai litigation
The newest front in this litigation wave targets AI meeting-notetaker tools rather than websites. Beginning August 15, 2025, plaintiff Justin Brewer filed a putative class action against Otter.ai, Inc. in the US District Court for the Northern District of California, alleging that Otter's "Otter Notetaker" and "OtterPilot" tools join meetings on platforms like Zoom, Google Meet, and Microsoft Teams, transmit the audio to Otter's servers in real time, and transcribe what every participant says, including participants who are not Otter users and who were never asked for consent. Three related complaints followed, and the court consolidated all four into In re Otter.AI Privacy Litigation, No. 5:25-cv-06911 (N.D. Cal.), on October 22, 2025, before Judge Eumi K. Lee. The consolidated complaint asserts claims under the federal Wiretap Act, under CIPA's Sections 631 and 632 for recording without every participant's consent, under the Illinois Biometric Information Privacy Act, under the Computer Fraud and Abuse Act, and under several common-law theories. Otter moved to dismiss; the court held a hearing on the motion on May 20, 2026, and took the matter under submission, so no ruling had issued as of this article's verification date. The case is worth tracking regardless of its outcome, because it is the clearest example yet of CIPA's all-party consent rule being applied to an AI tool that a meeting host invites, rather than to the host's own recording decision.
The prior-consent rule: Javier v. Assurance IQ
A separate line of CIPA cases addresses timing rather than technology: when must consent be obtained. In Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022), the Ninth Circuit considered a session-replay case in which a website visitor's interactions were recorded by third-party software before he reached a screen stating that clicking a button would constitute agreement to the site's privacy policy. The panel held that Section 631(a) requires the prior consent of all parties to a communication, so consent obtained only after the recording has already begun does not satisfy the statute; retroactive agreement through a privacy policy displayed later in the flow comes too late. The Ninth Circuit expressly did not decide the separate, and still unresolved, question of whether a third-party session-replay vendor counts as a party to the communication or as an outside eavesdropper for purposes of CIPA's party exception, leaving California federal courts split on that issue.
Practical compliance steps for businesses
The following are general compliance considerations, not legal advice, and following them does not guarantee compliance with CIPA in every circumstance. Businesses commonly reduce exposure by obtaining consent before a recording or tracking tool activates, rather than through a privacy policy displayed afterward, consistent with Javier's prior-consent holding. For phone calls, that typically means a clear notice, played or stated before recording begins, with a documented opportunity for the caller to decline. For websites serving California visitors, it typically means disclosing and obtaining consent before activating chat-recording, session-replay, or similar tracking tools, rather than relying on a general privacy policy alone. For AI notetakers joining meetings, it typically means notifying every participant, including participants outside the host's own organization, before the tool begins recording, and documenting that notice. Because the pen register theory and the AI-notetaker litigation wave are both still developing, with courts reaching different results, a business with meaningful California exposure should have counsel review its specific practices rather than rely on general guidance alone.
Frequently asked questions
Disclaimer
This article provides general legal information about the California Invasion of Privacy Act, Cal. Penal Code § 630 et seq., as verified on 2026-07-08. It does not constitute legal advice and does not create an attorney-client relationship. CIPA is California state law, and its application depends on specific facts, including where the parties and any recording device were located and the nature of the communication. Readers should consult a lawyer licensed in California before recording a conversation or deploying website tracking, chat, or AI-notetaker tools that reach California users.
Related articles
- Federal recording laws: the complete hub
- Federal Wiretap Act and ECPA: The Complete Guide (2026)
- Stored Communications Act Explained
- Two-party (all-party) consent states: full list and rules
Last updated: 2026-07-08. Statutes cited reflect their in-force version as of 2026-07-08.
Frequently Asked Questions
Is CIPA a federal law?
No. The California Invasion of Privacy Act, Cal. Penal Code 630 et seq., is a California state statute enacted in 1967. It applies alongside the federal Wiretap Act and can require more consent, all-party rather than one-party, for recordings made in California.
What counts as a confidential communication under CIPA?
Cal. Penal Code 632(c) defines it as a communication carried on in circumstances reasonably indicating a party wants it confined to the parties involved. It excludes communications made at a public gathering or in any setting where the parties should reasonably expect to be overheard or recorded.
How much can I sue for under CIPA?
Cal. Penal Code 637.2 allows a private plaintiff to recover $5,000 per violation or three times actual damages, whichever is greater, plus injunctive relief, without needing to prove a specific dollar amount of actual harm.
Does CIPA apply to phone calls made from outside California?
Courts have generally looked at where the recording device is located or where the recorded party is situated, and California courts have sometimes applied CIPA to recordings involving California residents even when the other party or the recording equipment was elsewhere. This is a developing and fact-specific area; consult a lawyer for a specific call pattern.
Can website chat tools or trackers violate CIPA?
Plaintiffs have argued yes, under CIPA's pen register and trap-and-trace provisions, Cal. Penal Code 638.50-638.51, treating tracking software as a device that captures addressing information. Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023), allowed such a claim to proceed, though other courts have rejected the theory, and the law remains unsettled.
What is the Otter.ai CIPA lawsuit about?
In re Otter.AI Privacy Litigation, No. 5:25-cv-06911 (N.D. Cal.), consolidated October 22, 2025, alleges Otter's AI notetaker joins meetings and transcribes all participants' speech, including non-Otter users, without obtaining their consent, in violation of CIPA's all-party consent rule and the federal Wiretap Act. A motion to dismiss was argued May 20, 2026, and remained under submission as of this article's verification date.
Does CIPA apply to businesses located outside California?
It can. CIPA is not limited to California-based businesses; the relevant question is generally whether the recorded or tracked party was in California, not where the business itself is headquartered. This is a fact-specific jurisdictional question that a business with California customers or website visitors should review with counsel.
Sources and References
- Cal. Penal Code § 630: legislative declaration of purpose for the Invasion of Privacy Act(leginfo.legislature.ca.gov).gov
- Cal. Penal Code § 631: wiretapping prohibition(leginfo.legislature.ca.gov).gov
- Cal. Penal Code § 632: all-party consent for recording confidential communications; penalties(leginfo.legislature.ca.gov).gov
- Cal. Penal Code § 637.2: private civil action; $5,000 per violation or 3x actual damages(leginfo.legislature.ca.gov).gov
- Cal. Penal Code § 638.50: definitions of pen register and trap and trace device(leginfo.legislature.ca.gov).gov
- Cal. Penal Code § 638.51: prohibition on installing a pen register or trap and trace device without a court order(leginfo.legislature.ca.gov).gov
- Javier v. Assurance IQ, LLC, No. 21-16351 (9th Cir. May 31, 2022): official Ninth Circuit memorandum disposition on CIPA prior-consent requirement(cdn.ca9.uscourts.gov).gov
- Greenley v. Kochava, Inc., No. 3:22-cv-01327, 684 F. Supp. 3d 1024 (S.D. Cal. 2023): docket, pen register theory applied to tracking SDK(courtlistener.com)
- In re Otter.AI Privacy Litigation / Brewer v. Otter.ai, Inc., No. 5:25-cv-06911 (N.D. Cal.): docket(courtlistener.com)
- OneTrust, CIPA Litigation Is Accelerating: secondary commentary noting more than 800 CIPA claims filed in 2025(onetrust.com)
- California SB 690 (2025-2026 session): official bill text and status, Section 638.51 private-right-of-action amendment(leginfo.legislature.ca.gov).gov