California Invasion of Privacy Act (CIPA) claims — often arriving with demand letters — can be difficult to make sense of, especially since the law was not written with websites in mind. This guide breaks down what is going on and walks through a way to configure Cookiebot CMP to help reduce your exposure. A dedicated CIPA template will be available in August 2026.
What is CIPA?
CIPA is a California state law passed in 1967, originally aimed at wiretapping and eavesdropping in phone calls. In recent years, plaintiffs' attorneys and activists have argued that website tools such as chat widgets, session replay software, and some analytics or advertising scripts fall under this law if they collect or share a visitor's information before that visitor has agreed to it. These claims are brought as private lawsuits, not by a regulator.
Who does this affect?
Any business with a website that California visitors can reach may be a target for a CIPA claim, regardless of where the business itself is based. Risk tends to concentrate around tools that capture what a visitor types, says, or does on a page before consent has been given.
How can prior consent (opt in) help?
One argument used in this litigation is that a visitor who has clearly agreed, in advance, to a tool running has authorized it, which weakens a claim that the tool intercepted anything without permission. Configuring your consent banner so that non-essential tools stay switched off until a visitor actively agrees to them is one way to support that argument.
Does having a CMP configured for other U.S. state privacy laws protect against CIPA?
In general, no, because U.S. state privacy laws like the CCPA/CPRA use an opt-out consent model. Under those laws, in most cases you can collect personal data from website visitors without requiring their consent. You only need to inform them about data use and their rights, and enable them to opt out of certain data processing. CMP setups for most current U.S. laws won’t request consent before non-essential tools fire.
CIPA risk reduction: What your CMP setup should provide
- Tools blocked until consent is given. Non-essential scripts, including chat and analytics, should not run until the visitor has made an active choice.
- A clear opt-in and opt-out choice. Visitors need an equally easy way to decline as to accept. (Dark patterns are prohibited under the CCPA/CPRA.)
- A visible, working “Do Not Sell or Share My Personal Information” link. If you also handle CCPA/CPRA obligations on the same site, this link should let visitors opt out of the sale or sharing of personal information, or reopen the banner to review their choices.
- A way for a user to change or withdraw consent at any time, from any page.
CIPA: A Cookiebot checklist
| This checklist is not intended as legal advice and does not guarantee protection from CIPA claims. Consult your own legal counsel, who can assess your specific tools, disclosures, and risk. If your business is facing an active claim or demand letter, please consult an attorney before making changes or responding. |
Step 1: Add your domain
- Log in to Cookiebot Admin and select Domains & Aliases from the left menu.
- Select + Add domain.
- Enter the domain name, without the "https://" part (for example, domain.com).
If this domain is already configured for another regulation as part of a multi-legislation setup, leave this field empty.
Step 2: Configure your banner type
Go to Design > Compliance and set the following:
- Method: Select Explicit Consent from the dropdown.
- Type: Select Multi Level or Inline Multi Level.
- Buttons: Select Reject all / Selection / All from the dropdown, so visitors can decline as easily as they can accept.
- Default mode for checkboxes: Leave Preferences, Statistics, and Marketing unchecked, so those categories stay off until a visitor turns them on.
Geo location settings (optional)
If you want to show this banner only to visitors from California, or from the U.S. more broadly, set this under Territory at the bottom of the Compliance panel.
Step 3: Set up your “Do Not Sell or Share” link
What is required?
If you are also handling CCPA/CPRA obligations on this site (if you have California visitors to your site, both CCPA/CPRA and CIPA apply), you must provide visitors with a way to opt out of the sale or sharing of their personal information, using the exact wording "Do not sell or share my personal information."
How do I implement it?
- 1. Set the data subject request (DSR) form: You will have to programmatically set this link to redirect to this form.
- 2. Show consent banner again: You will have to add the provided link (see screenshot below) to your website. This is usually placed in the footer.
-
3. Ensure the Privacy Trigger is turned off. Under the Privacy tab, ensure that the “Show privacy button” is toggled off.
Step 4: Confirm Global Privacy Control (GPC) signal handling
What is required?
Some visitors browse with the Global Privacy Control (GPC) signal turned on. This is a browser-level setting currently available in Firefox and Brave, and through extensions in other browsers. When present, it automatically communicates an opt-out preference before the visitor interacts with your banner at all.
Several states already require opt-out signals like GPC to be honored, and more are likely to come with new state laws being passed. California's Opt Me Out Act will also require major browsers themselves to build in a native GPC option starting January 1, 2027, which is likely to increase how often you see this signal.
How can I implement it?
Cookiebot CMP detects the GPC signal automatically and displays the required acknowledgement, so no separate toggle needs to be switched on. It is still worth confirming your banner behaves as expected:
- For any banner type configuration, a GPC signal is automatically handled, so visitors browsing with GPC enabled see a fully opted-out state by default.
- Cookiebot displays a message directly on the banner so visitors can see that a GPC signal was detected and already applied.
- Cookiebot does not honor the separate Do Not Track (DNT) signal, only GPC. If a visitor asks why DNT does not appear to do anything, that is why.
To check whether GPC is active in your own browser, enter navigator.globalPrivacyControl into your browser's developer console. It returns true if the signal is turned on.
Step 5: Write your banner and category text
Go to the Content tab and add plain-language text for:
- Your CMP banner heading and body text
- Each cookie category's title and introduction: Necessary, Statistics, Preferences, Marketing, and Unclassified
- Your button labels (for example, Decline, Accept, Allow all, Allow selection, More details, Customize)
Step 6: Get your scripts
- Go to Script Embeds in the left menu.
- Choose the blocking mode that fits your site (automatic or manual).
- Follow the standard installation instructions to add the script to your site.
Step 7: Check your scan report
Once your setup is live, check your monthly scan report to confirm that non-essential scripts are correctly categorized and are not firing before a visitor has given consent. If a tracker is loading before consent, that gap undermines the setup described above, so it is worth correcting promptly.
Comments
0 comments
Please sign in to leave a comment.