California's Wiretapping Law Is Coming for Shopify Stores: What CIPA Means and How to Protect Your Business


Mariya Petrova
April 18, 2026

The California Invasion of Privacy Act (CIPA), originally a 1960s phone-tapping law, is now being used to sue e-commerce businesses over everyday tracking tools like Facebook Pixels, session replay scripts, and analytics.

Nearly 4,000 wiretap lawsuits have been filed in the US since 2022. Retail is the most targeted sector. If your Shopify store is accessible to California shoppers, CIPA applies to you, no matter where you are headquartered. The good news: proper consent management closes most of the risk.

This guide walks through exactly what that looks like.

Key Takeaways for Shopify Merchants

  • CIPA applies even if you’re not in California
    If California users can access your store, you’re subject to CIPA.
  • It requires opt-in, not opt-out
    No tracking can occur before the user gives clear consent — stricter than CCPA.
  • Most tracking setups are non-compliant by default
    Pixels, analytics, and session replay tools often fire before consent.
  • A cookie banner alone is not enough
    Without script-level enforcement, it’s cosmetic and does not protect you.
  • The biggest risk is misconfiguration
    Unclassified scripts, forgotten tools, and outdated setups are the most common triggers.
  • Consentmo helps reduce CIPA risk by covering the critical requirements
    From geo-targeted opt-in consent and script blocking to GPC handling and consent logs, it closes the gaps where most claims originate.

What Is CIPA and Why Does It Apply to Your Shopify Store?

The California Invasion of Privacy Act was signed into law in 1967. At the time, it targeted physical phone taps, bugs, and secret recordings, decades before pixels, SDKs, or session replay tools existed.

Fast-forward to 2026, and plaintiffs' attorneys are successfully arguing that modern web tracking technologies are the digital equivalent of those wiretaps. Courts are listening.

Here is what makes CIPA uniquely dangerous for online stores:

  • Extraterritorial reach. CIPA applies to any business with a digital presence accessible to California residents, regardless of where the business is based. If a Californian can visit your Shopify store, CIPA applies to you.
  • Private right of action. Unlike many privacy laws enforced only by regulators, CIPA allows individual users to sue. Statutory damages sit at $5,000 per violation, or three times actual damages, whichever is higher.
  • Class action exposure. One claimant can quickly become thousands. A single unclassified tracking script firing before consent could expose your store to multi-million dollar liability when scaled across your California visitor count.

Out-of-state merchants are frequent targets precisely because they are less likely to have audited their sites through a California privacy lens.

The Two Legal Theories Being Used Against E-Commerce Sites

CIPA claims against online stores tend to follow one of two arguments.

Theory 1: Intercepting and Recording

This theory argues that tools like session replay software, keystroke loggers, and chat widgets "record" the private communications between a user and a website. Third-party vendors receiving that data become, under this framing, eavesdroppers.

For Shopify stores, common exposure points include:

  • Session replay tools (Hotjar, Microsoft Clarity, FullStory, Pendo, Amplitude)
  • Live chat widgets (Intercom, Tidio, Gorgias) on main site pages
  • Form monitoring that sends input data to external platforms

Theory 2: Pen Registers and Trap-and-Trace Devices

This is the newer and more expansive theory. It argues that pixels, SDKs, cookies, and device-fingerprinting scripts function as modern "pen registers," capturing routing and signal information (like IP addresses) to identify the source of a communication.

Practically, this pulls in nearly every marketing pixel a typical Shopify store runs:

  • Meta/Facebook Pixel
  • Google Ads conversion tags
  • TikTok Pixel
  • Snapchat and Pinterest tracking scripts

Courts have gone back and forth on this theory, but the key case, Camplisson v. Adidas, kept the door open for class action filings. Until legislation catches up, the legal risk is real.

The consistent protection against both theories: opt-in consent before any data collection begins.

What a CIPA Claim Actually Looks Like

CIPA claims rarely look like what merchants expect. Most arrive before any court filing occurs.

A typical sequence:

  1. The notice arrives by email (often to your privacy policy contact address) or by physical mail. It cites California Invasion of Privacy Act sections, specifically 631(a).
  2. The allegation identifies a specific element on your site: a search bar routing queries to a third-party analytics vendor, a chat widget recording conversation content, or a social media pixel firing before consent.
  3. The core claim is always that no valid prior consent was given. Cookie banners and privacy policies are argued to be insufficient on their own.
  4. The demand is typically $5,000 per violation per third party, plus injunctive relief (stop doing it immediately).

Most of these claims never reach a courtroom. Merchants quietly settle because fighting costs more in legal fees than the settlement itself. This means the ~3,928 formally filed lawsuits (as of January 2026, per the Fisher Phillips Digital Wiretapping Litigation Map) represent only the visible fraction of total activity.

The most common trigger is not intentional. It is an old setup configuration that was never updated, a marketing tool added by a team member that was never re-audited, or an assumption that state privacy compliance covered everything.

The Real Scale of the Problem

Since 2022:

  • 3,928 wiretap lawsuits have been filed in the US
  • California accounts for 2,946 of them (75%)
  • Retail is the most targeted sector, making up 33% of all cases
  • Technology is second at 11%

Infographic: 3,928 wiretap lawsuits filed in the US since 2022, with 75% of cases in California, targeting the retail (33%) and technology (11%) sectors most frequently.

These numbers exclude demand letters settled out of court, which privacy and legal professionals estimate are far more common than formal filings. Year-end surges are a documented pattern, driven by class action law firms and individual claimants, not regulators.

The bottom line for Shopify store owners: this is not a fringe issue. Retail e-commerce is ground zero.

Five Steps to Reduce Your CIPA Risk

Privacy experts who work directly with businesses on consent configuration have distilled CIPA risk reduction into five concrete steps. These apply regardless of which consent management platform you use.

Step 1: Implement Explicit Opt-In Consent

Opt-out is insufficient under CIPA's wiretapping framework. The fundamental question is: did any data start flowing before the user clearly said yes?

That means:

  • No analytics scripts firing on page load
  • No marketing pixels running before consent is granted
  • No session replay tools active pre-consent
  • Any unclassified script blocked by default

Pre-consent data collection is where the overwhelming majority of CIPA claims originate.
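The opt-in rule above comes down to one decision made on every page load: which scripts may run given the visitor's current consent state. The following is an added example, not Consentmo's or Shopify's code, of a minimal consent gate that makes that decision. The script inventory, its names and categories are constructed for illustration; the holding pattern it assumes (scripts shipped as `type="text/plain"` with a `data-category` attribute and only swapped to an executable type after consent) is one common way consent managers implement script-level blocking.

```javascript
// Added example (not Consentmo's or Shopify's code): a minimal consent gate
// that decides which tracking scripts may run. Every script carries a declared
// category; anything without a recognised category is unclassified and is
// blocked by default, which is the "forgotten tag" case CIPA claims target.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed sample inventory. In a real store each entry maps to a
// <script type="text/plain" data-category="..."> tag held on the page.
const INVENTORY = [
  { name: "cart-session", category: "necessary" },
  { name: "google-analytics", category: "analytics" },
  { name: "meta-pixel", category: "marketing" },
  { name: "session-replay", category: "analytics" },
  { name: "legacy-tag" }, // unclassified: no category declared at all
];

// consent is null before the visitor has interacted with the banner;
// afterwards it is an object such as { analytics: true, marketing: false }.
// Returns the names of scripts allowed to run right now. Only strictly
// necessary scripts run pre-consent; an unclassified script never runs.
function allowedScripts(inventory, consent) {
  return inventory
    .filter((s) => {
      if (!CATEGORIES.includes(s.category)) return false; // unclassified: blocked
      if (s.category === "necessary") return true; // no consent needed
      if (consent === null) return false; // opt-in: nothing before a choice
      return consent[s.category] === true; // a missing key counts as "no"
    })
    .map((s) => s.name);
}

// Browser-side activation of held scripts. Skipped when there is no DOM so the
// logic can also be exercised outside a browser. A held script has
// type="text/plain"; replacing it with a type="text/javascript" clone makes
// the browser execute it. Returns the number of scripts activated.
function activateHeldScripts(consent) {
  if (typeof document === "undefined") return 0;
  let activated = 0;
  document
    .querySelectorAll('script[type="text/plain"][data-category]')
    .forEach((tag) => {
      const entry = { name: tag.src || "inline", category: tag.dataset.category };
      if (allowedScripts([entry], consent).length === 0) return; // stays held
      const live = document.createElement("script");
      live.type = "text/javascript";
      if (tag.src) live.src = tag.src;
      else live.textContent = tag.textContent;
      tag.replaceWith(live);
      activated += 1;
    });
  return activated;
}
```

Call `activateHeldScripts(null)` on page load (only necessary scripts run) and again with the visitor's choices once the banner is answered; scripts whose category was never declared are left held no matter what the visitor accepts, which is exactly the default-deny behaviour the list above asks for.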

Fix: Explicit Opt-In Consent And Script Blocking With Consentmo

Consentmo lets you configure your cookie consent banner to require explicit opt-in before any tracking scripts fire. For California visitors specifically, you can serve a strict opt-in banner via geo-targeting by US state, while other regions see the banner format appropriate for their jurisdiction.

Consentmo integrates directly with Shopify's app ecosystem and can block tracking scripts until the appropriate consent category is accepted. Unclassified scripts do not fire. This removes the "forgotten tag" problem that sits at the root of most CIPA claims against online stores.

Consent model configuration options showing "Do not sell or share / Accept" selected for CCPA-CPRA compliance, and a "Consent mechanism" card with "Explicit" consent enabled.

Step 2: Classify Every Tracker and Script

Unknown, ignored, or forgotten tracking technologies are one of the biggest sources of exposure seen during privacy audits. If a script is not classified, it will not be blocked correctly.

Common blind spots in Shopify stores:

  • A/B testing tools (Optimizely, VWO, Google Optimize replacements)
  • Form analytics and heatmap scripts added by marketing
  • Embedded third-party widgets (reviews, loyalty programs, chat)

Every script on your store needs a category. Every category needs a consent gate.

Fix: Cookie Scanner & AI Categorization By Consentmo

With Consentmo, you can scan your entire store for active trackers via the built-in app scanner. You will receive a comprehensive list of all tracking scripts, cookies, and more, plus an option to categorize them with AI, with no guesswork on your side. We recommend running a scan regularly to find hidden new trackers, and the app provides an option to schedule a scan.

A cookie scanner dashboard displaying "Last Scan" details, a "Schedule scan" option, and two donut charts breaking down detected items "By category" (Total 12) and "By type" (Total 84).

Step 3: Honor Global Privacy Control (GPC) and Do Not Track Signals

In California, honoring GPC is now a CCPA requirement. Ignoring a GPC signal while continuing to collect data is increasingly hard to defend in any legal context.

Your consent setup needs to:

  • Detect GPC signals automatically
  • Visually confirm the signal was received (auditable evidence)
  • Disable targeted advertising for that user automatically

Fix: GPC and Do Not Track Signal Compliance By Consentmo

When a visitor arrives with a GPC signal, Consentmo detects it, displays a visual indicator, and automatically disables targeted advertising for that session. That detection event is logged, giving you the auditable evidence you need to show you honored the signal, not just acknowledged it.
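The three requirements listed for Step 3 (detect the signal, confirm it visibly, disable targeted advertising and keep evidence) can be shown in a few dozen lines. The following is an added example, not Consentmo's code. It relies on the two ways the Global Privacy Control signal actually reaches a site, the `navigator.globalPrivacyControl` property in the browser and the `Sec-GPC: 1` request header on the server, and on the legacy `navigator.doNotTrack` value. The in-memory `CONSENT_LOG`, the `resolveAdConsent` function and the sample timestamps are constructed for illustration; a real deployment would persist the log records.

```javascript
// Added example (not Consentmo's code): detect GPC / Do Not Track signals,
// disable targeted advertising for that visitor, and write an auditable log
// entry proving the signal was honored rather than merely received.

// GPC is exposed as navigator.globalPrivacyControl in the browser and as a
// "Sec-GPC: 1" request header server-side. Do Not Track is the older
// navigator.doNotTrack === "1" value. Returns the name of the signal found,
// or null if none is present.
function optOutSignal(nav, headers) {
  if (nav && nav.globalPrivacyControl === true) return "GPC";
  const h = headers || {};
  const gpcHeader = h["sec-gpc"] !== undefined ? h["sec-gpc"] : h["Sec-GPC"];
  if (String(gpcHeader === undefined ? "" : gpcHeader).trim() === "1") return "GPC";
  if (nav && nav.doNotTrack === "1") return "DNT";
  return null;
}

// Constructed in-memory audit log; each record is the evidence that the
// signal was acted upon for this visit.
const CONSENT_LOG = [];

// Resolves effective consent for targeted advertising. An opt-out signal
// overrides any stored "accept" (the browser setting wins) and is logged.
// `now` is injectable so the timestamp is deterministic in tests.
function resolveAdConsent({ nav, headers, storedConsent, now = () => new Date() }) {
  const signal = optOutSignal(nav, headers);
  const storedAccept = !!(storedConsent && storedConsent.marketing === true);
  const result = {
    marketing: signal ? false : storedAccept, // targeted ads off when signalled
    signal, // "GPC", "DNT" or null
    honored: signal !== null,
  };
  if (signal) {
    CONSENT_LOG.push({
      timestamp: now().toISOString(),
      signal,
      action: "targeted_advertising_disabled",
      overrodeStoredChoice: storedAccept, // true if the visitor had accepted earlier
    });
  }
  return result;
}

// Visible confirmation for the banner, so the visitor (and an auditor) can
// see the signal was received.
function bannerMessage(result) {
  return result.honored
    ? "Your opt-out preference has been honored."
    : "Choose which cookies you accept.";
}
```

Note that the stored choice is deliberately not deleted when a signal overrides it: the log records both the signal and the fact that it overrode a prior acceptance, which is the detail a demand letter will ask you to prove.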

A settings interface for "USA Opt-out Signals" alongside a preview window showing a dark cookie banner with a green confirmation message: "Your opt-out preference has been honored."

Step 4: Align Your Privacy Disclosures with Reality

Your privacy policy cannot describe an idealized version of your data practices. It must reflect what is actually happening on your site today.

At minimum, disclose:

  • Categories of tracking technologies in use (cookies, pixels, session replay)
  • Third-party vendors receiving data from your store
  • How data is used and how long it is retained

If your cookie banner categories and your privacy policy tell different stories, that inconsistency is something plaintiffs notice and use.

Annual reviews are not optional. Your Shopify store likely added new apps, pixels, or integrations in the past year. Your privacy policy needs to reflect that.

Fix: Instant Copy Button For Your Entire Cookie List

Consentmo generates and maintains a cookie declaration that can be pasted directly on your store's privacy policy page. It lists every classified tracker by category and updates automatically as your cookie scan detects changes. Your privacy policy and your consent banner always tell the same story.

A "Cookie list and policy table" settings card showing a toggle to display cookie lists to visitors and a code box to "Copy all tables HTML" for use on privacy policy pages.

Step 5: Build a Documented Privacy Request Process

A clear, auditable subject rights management process does two things. First, it gives users a predictable way to object to data collection before they feel the need to escalate to legal action. Second, it creates the evidence trail you need if a claim does arrive.

Your process should:

  • Offer at least two intake channels (email and web form)
  • Have defined response timelines
  • Produce records showing when requests were received and how they were handled

CIPA cases turn on two factual questions: did interception occur, and did the user give valid prior consent? An audit trail answers both.

Fix: Privacy Request Management By Consentmo

Consentmo includes a data subject request form that you can add to your store, giving customers a clear, documented intake channel for privacy requests. Every submission is logged with a timestamp and status, creating the audit trail that strengthens your defensibility if a claim arrives.

Two cards showing "Generated privacy request pages" for the USA, with an arrow pointing to a preview of the "Correct my information," "Delete my data," and "Do Not Sell or Share" user options.

Frequently Asked Questions about CIPA & Shopify

Does CIPA apply to my Shopify store if I am not based in California?

Yes. CIPA applies to any business with a digital presence accessible to California residents. If a California shopper can reach your store, the law applies. In practice, out-of-state merchants are often more exposed because their sites are less likely to be configured with California-specific consent requirements in mind.

Is a cookie banner enough to protect me from a CIPA claim?

No. A cookie banner alone is not sufficient. CIPA requires that no tracking occurs before valid prior consent is given. If scripts fire before the user makes a choice, even with a banner present, that does not meet the requirement. Consent must come before data collection, not alongside it.

What is the difference between CIPA and CCPA compliance?

CCPA is a privacy law based on an opt-out model, meaning tracking can occur by default as long as users can opt out. CIPA is a wiretapping law that requires opt-in consent before any data collection begins. A store can be CCPA-compliant and still violate CIPA. They are separate standards and must be addressed independently.

Do I need to disclose every individual cookie on my site?

Not necessarily. At minimum, you must disclose the categories of tracking technologies in use. However, listing all third-party vendors receiving data is a stronger position, and disclosing individual cookies is considered best practice, especially for stores with GDPR exposure or international traffic.

What should I do if I receive a CIPA demand letter?

Do not ignore it. You can either contest the claim by showing that valid consent was in place at the time, or pursue settlement. Having documented consent records, audit trails, and a properly configured CMP significantly strengthens your position. Legal counsel should be consulted for case-specific advice.

Does honoring GPC signals reduce CIPA risk?

Yes, it helps. GPC compliance ensures that users who have expressed a global opt-out preference are not tracked, which is required under CCPA. While it does not fully eliminate CIPA risk, it demonstrates technical diligence and supports a stronger overall compliance posture.

Take Action Before a Letter Arrives

The merchants who face the most exposure are not running deliberately non-compliant stores. They are running stores configured for a privacy landscape that has since changed: GDPR-era setups, default opt-out banners, marketing pixels that fire on page load, analytics scripts that were never re-classified after a rebrand or redesign.

CIPA risk lives in the gap between what you think your store is doing and what it is actually doing for California visitors.

Consentmo closes that gap. From geo-targeted opt-in consent and automatic script blocking to GPC signal compliance, cookie declaration management, and privacy request tracking, every piece of the five-step CIPA risk reduction framework is available natively inside your Shopify store.

Start your free trial with Consentmo and get your California compliance posture right, before you need to prove it.

About the Author

Mariya Petrova
Mariya is a seasoned digital strategist currently leading Growth & Product Marketing at Consentmo, the preferred compliance solution for Shopify. With a robust background spanning over 8 years in the digital landscape, she brings a data-driven approach to scaling brands in the competitive Shopify ecosystem.
