Cal. Penal Code § 631 / Pen-Trap § 638.51 / VPPA

CIPA Pixel & Web-Privacy Cases

A California Invasion of Privacy Act claim against a website operator turns on what the site actually transmitted to third parties — before consent, during the session, verbatim. The theory survived the motion-to-dismiss gauntlet in Javier and the Meta Pixel healthcare litigation; the cases that fail are the ones that cannot prove contents, timing, or absence of consent. All three are network-capture questions.

Elements & controlling authority

Defendant operates an interactive consumer website collecting personal information from California users
Cal. Penal Code § 631(a); Javier v. Assurance IQ, 49 F.4th 1207, 1213 (9th Cir. 2022).
A third party intercepted the contents of communications with the website while in transit
Cal. Penal Code § 631(a) (clauses 2–3); In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 796 (N.D. Cal. 2022).
The intercepted data included "contents" — substance, purport, or meaning, not mere routing metadata
Brown v. Google LLC, 525 F. Supp. 3d 1049, 1066 (N.D. Cal. 2021); In re Facebook Internet Tracking Litig., 956 F.3d 589, 605–08 (9th Cir. 2020).
Plaintiff did not consent — California requires all-party consent
Smith v. LoanMe, Inc., 11 Cal.5th 183, 191 (2021); In re Meta Pixel, 647 F. Supp. 3d at 798 (non-disclosing privacy policy cannot supply consent).
Injury — statutory damages and/or concrete privacy harm
Cal. Penal Code § 637.2(a) ($5,000 per violation or actual damages); TransUnion v. Ramirez, 594 U.S. 413 (2021).

The evidence you need — and what we capture

Browser-level network capture of every third-party transmission, sealed on the capture date
The exact payloads showing form contents, page paths, and identifiers in transit
Privacy-policy gap analysis: what the policy discloses vs. what the wire shows
Consent-state documentation: what fired before any banner interaction

Every capture is sealed at collection: SHA-256 hash-chained artifacts with RFC 3161 trusted timestamps, a methodology block, and a documented scope of audit. If the defendant changes the site tomorrow, the record of today survives.

Damages framework

Cal. Penal Code § 637.2(a) sets a statutory floor of $5,000 per violation or treble actual damages, whichever is greater, plus injunctive relief — multiplied across a class of California visitors during the limitations period.

Frequently asked

What are the elements of a CIPA Section 631 pixel claim?

A website operator collecting data from California users; a third party intercepting the contents of communications in transit; the data being "contents" (not mere routing metadata); lack of all-party consent; and injury. Javier v. Assurance IQ (9th Cir. 2022) confirmed CIPA reaches website tracking.

Does a privacy policy defeat a CIPA claim?

Not automatically. In re Meta Pixel held that a privacy policy which fails to disclose the specific sharing cannot supply consent, and California requires all-party consent for confidential communications under Smith v. LoanMe.

What are CIPA statutory damages?

Cal. Penal Code § 637.2(a) provides $5,000 per violation or treble actual damages, whichever is greater, plus injunctive relief.

Pre-vetted defendants in this lane are live on the marketplace. Each listing clears arbitration-posture review, a prior-litigation screen against the federal docket, and a human editorial gate before it appears. First buyer takes the defendant exclusively.

Browse 29 live CIPA Pixel & Web-Privacy listings →