If you want to see a privacy lawyer who works in ad tech roll their eyes and heave a deep sigh, then speak aloud this acronym: “CIPA.”
The California Invasion of Privacy Act, or CIPA, is a Cold War-era law that was passed in 1967 in response to concerns about privacy violations related to wiretapping and electronic eavesdropping. Lawmakers at the time were worried about new surveillance tools being turned on ordinary people, and they wanted to give those people the power to fight back in court.
Nearly 60 years later, that same statute has somehow become one of ad tech’s biggest headaches.
CIPA has a private right of action, and it allows for steep statutory damages. Plaintiffs can recover $5,000 per violation or three times actual damages, plus attorney’s fees in some cases.
Class-action catnip
That’s more than enough incentive for the plaintiffs’ bar to get creative.
Their argument is that technologies like cookies, pixels and SDKs amount to a form of wiretapping and should be treated as such under CIPA. Tenuous, but some judges have let these claims through the early stages, which has encouraged other plaintiffs to keep stretching CIPA to try and cover digital advertising.
“The whole system – everything – all data collection and sharing and profile building and audience building is being characterized as, essentially, a privacy-related claim,” said Nicola Menaldo, a partner at law firm Perkins Coie, during an IAB event on public policy and legal issues in Washington, DC, last month. (Your girl was there furiously scribbling notes.)
That didn’t happen all at once. CIPA‑style cases have been evolving for roughly three years, since plaintiffs’ attorneys first started going after companies for alleged pixel‑related violations.
Since then, the focus has widened from pixels on publisher sites to the plumbing behind real‑time bidding, with SSPs, DSPs and other intermediaries now finding themselves named in similar types of claims.
In these complaints, real-time bidding requests are being recast as intercepted “communications” and “routing information” under CIPA.
“They characterize the whole RTB ecosystem as a sort of surveillance apparatus,” Menaldo said.
CIPA v. RTB
The people writing these complaints, however, don’t always have the strongest grasp of how the tech actually works.
“Plaintiffs think they understand the technology,” said Jacquelyn Fradette, a partner at Sidley Austin. “I’d argue that they don’t.”
But an accurate description of data flows isn’t really the point – and certainly doesn’t stop class-action lawyers from filing or dialing up the rhetoric.
“The word ‘Orwellian’ is always thrown around a whole bunch,” said Menaldo, who also voiced a theory that plaintiffs’ attorneys are likely using AI “quite liberally” to pump out these complaints. They’re all roughly the same length, they recycle a lot of the same surveillance-related terminology and they’re being filed by a lot of the same folks.
Against that backdrop, the specific technology under the microscope almost doesn’t matter. Pixels, cookies, RTB, software development kits, even Prebid.js are all grist for the mill.
“Plaintiffs just love a new buzzword,” Fradette said.
‘Litigation mitigation’
That reality is shaping how companies think about risk and about settlements in general.
Although it wasn’t a CIPA case, Menaldo pointed to the recent Google RTB class-action settlement in the Northern District of California in which Google agreed to build a tool that stops any personal data from leaking into ad auctions. Basically, an RTB opt-out switch. There were no damages in that case.
The judge expressed some discomfort that it would be an opt-out rather than an opt-in mechanism, but signed off on the deal anyway. Technical changes and product tweaks are increasingly part of the price of resolving cases, even when no money changes hands.
With that in mind, Menaldo’s advice to clients is to “think creatively in terms of what you can offer” to defuse a complaint before it even gets to court, including deleting data that isn’t advancing the business. That kind of housecleaning can lower the temperature with plaintiffs, and it’s also just good data hygiene.
Tidying up your data practices doesn’t indemnify you against CIPA claims, though, which is often “a big surprise” to clients, Menaldo said.
Beyond privacy compliance, she tells clients to think in terms of “litigation mitigation” and to take concrete steps to shrink what’s in play if they’re sued, like stripping sensitive details out of URLs so this information never even hits their systems in the first place.
Burden or backstop?
All of that makes CIPA sound like nothing but a burden for companies that rely on advertising and use analytics – but not everyone sees it that way.
From another angle, CIPA is doing exactly what it’s meant to do. And now – when “privacy is under unprecedented attack,” as web ecosystem expert Don Marti and trial lawyer Robert Tauler put it last year in a joint op-ed for AdExchanger – is not the time to weaken protections.
“CIPA was meant to evolve alongside technology,” they argue, and a private right of action is one of the few ways people have to hold the largest platforms accountable when government action falls short.
Marti and Tauler penned their piece as a counterpoint to California’s SB 690, a proposal to narrow CIPA that has since stalled in the state legislature, meaning CIPA still stands.
And so, for the ad tech ecosystem, the law remains a risk that needs to be actively managed – and “there is no silver bullet,” said Fradette, who tries to level with her clients without being too alarmist.
“I’m not trying to give them nightmares when I tell them about all the litigation out there,” she said.
In 2026, that’s about as much reassurance as you’re gonna get.
As always, feel free to drop me a line at allison@adexchanger.com with any comments or feedback.
