Plaintiffs’ firms are adapting the California Invasion of Privacy Act (CIPA), a 1960s-era wiretapping statute, to modern web technologies such as pixels, chatbots, and session replay tools. For laboratories, the practical problem is not only the legal uncertainty, but also that small website implementation details, including when tags fire, what free-text inputs are captured, and what vendors are allowed to do with the collected data, can drive massive exposure, including class actions and arbitrations.

CIPA prohibits the intentional eavesdropping on, or recording of, confidential communications without the consent of all parties. Although the law was drafted for telephone calls and physical recording devices, plaintiffs’ attorneys are using it to challenge modern digital engagement tooling on laboratory websites. In practice, complaints often try to characterize routine patient web interactions as “confidential communications,” then allege that third-party tools captured, or received, those communications without proper consent. The exposure can scale quickly because CIPA provides for statutory damages of up to $5,000 per violation and each alleged interception can be pleaded as a separate violation.

Major diagnostic laboratories have been targeted by class actions alleging that third-party tracking pixels “intercept” patient communications without consent. Plaintiffs are increasingly alleging that routine web tracking tools, including cookies and IP tracking beacons, function as illegal “pen registers” or “trap and trace” devices. The practical effect is that plaintiffs focus on routing data such as IP addresses and device IDs, not just substantive content.

However, courts are divided. Some courts have rejected the theory that routine analytics function as criminal pen registers, while others have allowed the plaintiffs to overcome a motion to dismiss. Even with some favorable decisions, there is still a split amongst jurisdictions that creates uncertainty.

Additionally, there is a big increase in claims focusing on on-site search bar functionality. The allegation is that a user’s test inquiry, for example “HIV test” or “cancer screening,” is a confidential communication and that trackers share it with third parties. Another trend in these CIPA allegations is that, as laboratories adopt AI chats for service and navigation, plaintiffs are filing claims alleging that AI systems “listen” to or repurpose patient inputs without consent.

Although CIPA is a California statute, plaintiffs are filing against laboratories with limited California connections beyond having websites accessible to California residents. To combat these claims—and avoid them entirely—laboratories should consider adding robust consent banners with true pre-consent blocking of tracking technologies (especially for California-based IP addresses). Additionally, laboratories can update website privacy policy disclosures to clearly describe what is being tracked, why it is collected, and which third parties receive it. In these cases, plaintiffs often quote privacy language against defendants. Misalignment between disclosures and tag behavior creates unnecessary risk.

For now, we’ll continue to track plaintiffs’ investment in pen register and trap-and-trace theories, their focus on search terms in URLs, and their expanded scrutiny of AI chat deployments. We’ll also continue to watch whether legislative activity reemerges after the failure of California’s SB 690 in 2025, but it is unlikely that any relief will take effect until at least 2027.

In the meantime, laboratories can reduce CIPA exposure by treating web data flows as a compliance issue, not just a marketing or IT function. A practical 2026 playbook is to inventory every tag and vendor on patient-facing pages, minimize or disable collection of free-text inputs and search terms, confirm that chat tools are configured to avoid sharing or retaining sensitive content, and implement consent that actually controls when third-party technologies load. Aligning real-world site behavior with privacy disclosures, and documenting those controls through periodic technical testing, will put laboratories in the best position to prevent claims and, if they receive a complaint, to quickly demonstrate that no “confidential communications” were intercepted without consent as these theories continue to evolve.
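One way to carry out the periodic technical testing described above, as an added example that is not part of the original article: a Python check over a HAR capture (the network log exported from browser developer tools during a test visit) that flags third-party requests fired before the banner was accepted and third-party requests that carry a visitor's on-site search term. The hostnames, search parameter names, timestamps, and sample capture are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl, unquote_plus

SEARCH_PARAMS = {"q", "query", "search"}  # assumed names of the site's search parameters

def is_third_party(host, first_party):
    return not (host == first_party or host.endswith("." + first_party))

def audit_har(har, first_party, consent_at=None):
    """Return sorted (issue, host) findings for a HAR capture of one test visit.
    consent_at: ISO time the tester accepted the banner, or None if never accepted."""
    consent = datetime.fromisoformat(consent_at) if consent_at else None
    reqs = [(e["startedDateTime"], e["request"]) for e in har["log"]["entries"]]
    # Pass 1: free-text terms the visitor typed into the site's own search.
    terms = set()
    for _, req in reqs:
        url = urlsplit(req["url"])
        if url.hostname and not is_third_party(url.hostname, first_party):
            terms |= {v.lower() for k, v in parse_qsl(url.query)
                      if k.lower() in SEARCH_PARAMS and v}
    # Pass 2: third-party requests that fired too early or carry those terms.
    findings = set()
    for started, req in reqs:
        host = urlsplit(req["url"]).hostname
        if not host or not is_third_party(host, first_party):
            continue
        if consent is None or datetime.fromisoformat(started) < consent:
            findings.add(("loaded-before-consent", host))
        parts = [req["url"], req.get("postData", {}).get("text", "")]
        parts += [h["value"] for h in req.get("headers", [])
                  if h["name"].lower() == "referer"]
        # Decode twice: tags usually nest the percent-encoded page URL in a parameter.
        decoded = unquote_plus(unquote_plus(" ".join(parts))).lower()
        if any(t in decoded for t in terms):
            findings.add(("search-term-shared", host))
    return sorted(findings)

def _entry(time, url):  # helper for the constructed sample below
    return {"startedDateTime": f"2026-01-15T10:00:{time}+00:00",
            "request": {"url": url, "headers": []}}
# Constructed capture: hostnames and URLs are made up for illustration.
SAMPLE_HAR = {"log": {"entries": [
    _entry("00", "https://www.lab.example/"),
    _entry("01", "https://pixel.tracker.example/collect?ev=PageView"),
    _entry("10", "https://www.lab.example/search?q=HIV+test"),
    _entry("11", "https://analytics.vendor.example/g?dl="
                 "https%3A%2F%2Fwww.lab.example%2Fsearch%3Fq%3DHIV%2Btest"),
]}}
CONSENT_AT = "2026-01-15T10:00:05+00:00"  # constructed banner-accept time
```

Calling `audit_har(SAMPLE_HAR, "lab.example", CONSENT_AT)` reports the pixel that loaded before consent and the analytics request that forwarded the search page URL; saving the output of each run gives a dated record of the control.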