Compliance · June 29, 2026 · 16 min read

The Wiretapping Lawsuits Coming for Shopify Stores (and How to Protect Yours)

There is a wave of lawsuits hitting ecommerce stores right now, and most owners have never heard of it. The strange part is the name. They are wiretapping lawsuits. When you hear wiretapping you think of phone taps and spies, not a Shopify store selling skincare or coffee. But that gap between what the law sounds like and what it now covers is exactly why so many stores are getting caught off guard.

ECommerce Partners

Certified Shopify Plus Agency

We have started seeing this come up in client conversations, and it is worth understanding before a demand letter shows up in your inbox. Here is what is actually happening, why your cookie banner probably does not protect you, and what to do about it.

What these lawsuits actually are

The main statute behind all of this is the California Invasion of Privacy Act, usually shortened to CIPA. It was written in 1967 to stop people from secretly tapping telephone lines and recording calls without consent. It has nothing to do with the internet on its face, because the internet did not exist yet.

What changed is that plaintiffs' lawyers found a creative way to point this old law at modern websites. The theory goes like this. When your store loads a third-party tool that captures what a visitor does and sends that data to an outside company in real time, that transmission can be argued to be an interception of a private communication. The third party receiving the data without the visitor's prior consent is the alleged wiretap.

That is the whole move. A 1967 phone law, repurposed to cover the trackers and apps that run on nearly every store online.

Why your cookie banner does not save you

This is the part that surprises people most, so it is worth slowing down on.

Most merchants think they are covered because they have a cookie banner and a privacy policy. That setup exists to satisfy a different set of laws, the comprehensive privacy laws like California's CCPA and its equivalents in around twenty states now. Those laws are mostly opt-out. You disclose your trackers, you give people a way to opt out of having their data sold or shared, and you honor an automatic browser signal. A standard cookie banner handles that world.

Wiretapping law is a completely different framework. It does not care about disclosure after the fact. It cares about the moment of interception. And in the states where the danger lives, the rule is all-party consent, which means every party to the communication has to agree before the data can be captured. In practice that functions like opt-in. The visitor has to say yes before your third-party tool is allowed to fire.

So you can be fully compliant with CCPA, have a clean banner and a solid privacy policy, and still be exposed under CIPA. The two laws regulate different moments. One governs what you do with data after you collect it. The other governs whether you were allowed to collect it in the first place. A banner that discloses and lets people opt out does the first job. It does nothing for the second if your scripts already fired before anyone clicked anything.

What on your store is actually at risk

The reason this is a Shopify problem and not just a big-tech problem is the way modern stores are built. A typical store is a web of third-party services all talking to each other through APIs. That is what makes Shopify so powerful and so fast to build on. It is also what creates the exposure.

Think about everything on your store that sends customer data out to an outside company:

Your on-site search. If your search runs through a third-party app, every query a customer types gets sent to that app's servers to return results. Search terms are the single strongest target for these lawsuits, and we will explain why in a minute.

Your email and SMS tool. Something like Klaviyo is constantly capturing behavior and identifiers and sending them out to power flows and segmentation.

Your loyalty program. Same pattern. It watches what customers do and reports back to a third party.

Your analytics and ad pixels. Google Analytics, the Meta pixel, TikTok, Pinterest, all firing and transmitting.

Your chat widget, your reviews app, your session replay tool, your upsell app. Every one of these is a third party receiving data about your visitors.

The more apps you add to your store, the larger your exposure gets. That is the uncomfortable truth at the center of all this. The integrations that make your store better are the same ones that can get you sued.

Why search bars are the cleanest target

Out of everything on that list, on-site search is the example that fits the wiretapping theory most exactly, and it is the one we pay closest attention to.

Here is the logic the courts have been receptive to. When a customer types a unique search query, that query is treated as the contents of a communication, not just metadata. A court can find that the customer has a reasonable expectation of privacy in what they typed. And because the search term gets copied and sent off to a third-party search vendor at the moment it is entered, that counts as interception in transit.

Compare that to a tracking pixel that only grabs an IP address or a device ID. Those are addressing and routing details, and courts are much more split on whether grabbing them counts as a wiretap. Free-text inputs like search queries, form fields, and chat messages are different. They are the substance of what the person said, and that is what wiretapping law was built to protect.

We ran into a version of this with a client whose store search was wired through a third-party app. Every query fired off to the vendor the instant it was typed, before the shopper had agreed to anything. That is the exact pattern these complaints describe. The fix was not complicated, but it had to be done deliberately. More on that below.

The money, and how a claim actually shows up

The reason this has become a business model for plaintiffs' firms rather than an occasional regulatory matter is the combination of a private right of action and per-violation statutory damages.

Under CIPA, damages run to $5,000 per violation. Under Florida's equivalent statute the floor is at least $1,000 per violation. Under the federal wiretapping law the figure is $10,000. Now multiply any of those by the number of visitors who hit your store from the relevant state, and you can see how even moderate traffic turns into a number with a lot of zeros once a class gets certified.

Most of these claims never reach a courtroom. They arrive as a demand letter, often before any lawsuit is filed at all. The letter lands by email, usually to whatever contact address is on your privacy policy, or by physical mail. It cites the specific statute section. It names a specific element on your site, your search bar, your chat widget, a particular pixel. And it claims no valid prior consent was given. The demand is typically the per-violation figure times the alleged violations, plus a request that you stop immediately.

Then the math gets bleak. Fighting one of these costs more in legal fees than the settlement does, so a lot of merchants quietly pay to make it go away. That is the engine. It is built to make settling the rational choice even when the underlying claim is thin.

It is also not just large brands. Small businesses are getting hit. There are documented cases of two-person operations, an HVAC company, a solar installer, getting served over the trackers on a website they have run for twenty years without incident.

It is not only California

If you take one thing from this, take this. California is the epicenter, not the whole map.

California produces the large majority of these filings and gets the most attention because CIPA is the sharpest tool. But Florida is now a close second. Its Security of Communications Act uses nearly identical language to CIPA and trails only California in lawsuit volume. Beyond those two, Massachusetts, Pennsylvania, Maryland, and Illinois all have the kind of all-party consent wiretap statutes that plaintiffs are using this way. Roughly thirteen states have multi-party consent regimes on the books.

Two things make this genuinely national rather than a state-by-state patchwork you can geo-fence your way around.

The first is the federal angle. Plaintiffs are increasingly leaning on the federal Electronic Communications Privacy Act, which can be filed in courts anywhere in the country and carries that $10,000 figure. Federal filings under this theory climbed sharply through 2025 and are on pace to keep climbing in 2026.

The second is the jurisdiction stretch. Plaintiffs are going after companies headquartered outside these states entirely, arguing that simply having a website accessible to residents of the state is enough to establish jurisdiction. One firm reported three of its clients getting demand letters despite none of them having any operations in the states involved. Courts are split on whether that argument holds, but split means some of them are letting it through.

So the instinct to treat this as a California-only problem is exactly the instinct that gets a store caught.

Where the law actually stands in 2026

We want to be honest about this rather than scare you, because the legal picture is genuinely unsettled and it cuts both ways.

There have been real wins for businesses this year. Several courts have rejected the broader pen-register theory, which is the version that targets ordinary pixels grabbing IP addresses. The reasoning is that these statutes were about telephones, and a tracker on a commercial website is not a phone tap. In one notable June 2026 case, a California court threw out a pen-register claim with prejudice, meaning the plaintiff could not even refile. There is also a growing argument that the comprehensive privacy laws already govern this kind of tracking, so the old wiretapping statute should not be stretched to cover it too.

But the opposite has also happened. Other courts, especially state courts in California, have let these claims survive, including cases that name search queries and free-text inputs. State court has generally proven friendlier to plaintiffs than federal court. And the search-bar wiretapping theory specifically, the strongest version, keeps surviving.

There was hope that a California bill called SB 690 would carve routine commercial tracking out of CIPA and calm all of this down. It stalled. Even in the most optimistic scenario it would not provide relief before 2027, and it may be amended in ways that change its effect. For now there is no safe harbor.

So the state of play is this. The broad pixel theory is getting harder for plaintiffs to win. The narrow theory aimed at search and other free-text inputs is holding up. The federal version reaches everyone. And the volume of demand letters keeps climbing regardless of how individual cases come out, because the letters work whether or not the law is settled.

The Shopify-specific trap

Here is the technical detail that trips up the most stores, and it is specific to how Shopify works.

Shopify's native cookie banner only controls Shopify's own first-party cookies and Shopify's own pixels. It does not block your third-party scripts. Klaviyo, the Meta pixel, Google Analytics, your search app, your loyalty tool, all of those load and fire independently of the native banner unless you do something extra.

This means a store can have Shopify's banner switched on, show the customer a tidy consent prompt, and still be transmitting search queries and behavioral data to third parties before the customer clicks anything. The banner is doing its narrow job. It is just not doing the job most owners assume it is doing. Shopify's own support has confirmed that managing third-party cookies requires a separate tool.

Shopify does give you the plumbing to fix this. The Customer Privacy API lets consent choices propagate to tools that are built to listen for them. Custom pixels you add through Settings can be written to check for consent before they fire. But none of that is automatic. A standard tracking snippet pasted into your theme will fire regardless. App pixels are not blocked by default. If you have not specifically configured for this, the default state of most stores is that scripts run first and ask permission never.

That default is exactly the configuration these lawsuits are built around.

The thirty-second sanity check

Open your store in a fresh browser session with developer tools open and watch the Network tab. Type a search query without touching your cookie banner. If you see requests going out to Klaviyo, your search app, Meta, Google, or any other third party before you have clicked anything on the banner, you are running the configuration these lawsuits are built around.
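A way to turn that Network tab check into a repeatable record, added here as an example and not tooling from the original post: it reads a HAR file saved from the Network tab ("Save all as HAR") and reports which third-party hosts received requests before the banner was answered, and which of those requests carried the typed search term, so it also does the inventory step described later. The store host, search term, consent timestamp and vendor hostnames in the sample are constructed placeholders.

```javascript
// Added example, not the post's own tooling. Audits a DevTools HAR export from the
// sanity check above: which third-party hosts were hit before the banner was answered,
// and which of those requests carried the typed search term. Vendor hosts are constructed.

// Hosts that count as first party for a Shopify store: the store domain plus Shopify's own.
const SHOPIFY_HOSTS = ['shopify.com', 'shopifycdn.com', 'myshopify.com'];

function isFirstParty(host, storeHost) {
  const under = (h, d) => h === d || h.endsWith('.' + d);
  return under(host, storeHost) || SHOPIFY_HOSTS.some((d) => under(host, d));
}

// Does the request URL or POST body contain the search term (raw, %20- or +-encoded)?
function carriesTerm(entry, term) {
  const forms = [term, encodeURIComponent(term), term.replace(/ /g, '+')].map((s) => s.toLowerCase());
  const url = entry.request.url.toLowerCase();
  const body = ((entry.request.postData && entry.request.postData.text) || '').toLowerCase();
  return forms.some((f) => url.includes(f) || body.includes(f));
}

// Summarise third-party traffic per host. consentAt is the ISO time the visitor answered
// the banner, or null if it was never touched (then every request is "before consent").
function auditHar(har, { storeHost, searchTerm, consentAt = null }) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (isFirstParty(host, storeHost)) continue;
    const rec = byHost.get(host) || { host, requests: 0, beforeConsent: 0, searchTermBeforeConsent: false };
    const before = consentAt === null || Date.parse(entry.startedDateTime) < Date.parse(consentAt);
    rec.requests += 1;
    if (before) rec.beforeConsent += 1;
    if (before && carriesTerm(entry, searchTerm)) rec.searchTermBeforeConsent = true;
    byHost.set(host, rec);
  }
  // Free-text leaks first (the surviving wiretapping theory), then anything else pre-consent.
  return [...byHost.values()].sort((a, b) =>
    Number(b.searchTermBeforeConsent) - Number(a.searchTermBeforeConsent) || b.beforeConsent - a.beforeConsent);
}

// Constructed sample HAR: a shopper types "ceramide serum", then clicks the banner at 10:00:05.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-06-29T10:00:01.000Z', request: { method: 'GET', url: 'https://shop.example.com/search?q=ceramide+serum' } },
  { startedDateTime: '2026-06-29T10:00:01.200Z', request: { method: 'GET', url: 'https://api.search-vendor.example/suggest?q=ceramide%20serum' } },
  { startedDateTime: '2026-06-29T10:00:01.300Z', request: { method: 'POST', url: 'https://collect.pixel-vendor.example/v1/events',
      postData: { mimeType: 'application/json', text: '{"event":"page_view","ip_hint":true}' } } },
  { startedDateTime: '2026-06-29T10:00:09.000Z', request: { method: 'POST', url: 'https://a.email-vendor.example/track',
      postData: { mimeType: 'application/json', text: '{"event":"searched","query":"ceramide serum"}' } } },
] } };

function sampleReport() {
  return auditHar(SAMPLE_HAR, { storeHost: 'shop.example.com', searchTerm: 'ceramide serum', consentAt: '2026-06-29T10:00:05.000Z' });
}
console.table(sampleReport());
```

Run it against your own export by replacing SAMPLE_HAR with the parsed HAR file and noting the timestamp at which you clicked the banner.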

How to actually protect your store

The good news is that the fix is well understood, even if the law around it is messy. The posture that the plaintiffs' bar has the hardest time attacking is consent before firing. Here is what that looks like in practice.

Start with an inventory. You cannot protect what you have not mapped. Open your store with a fresh session and developer tools running, and watch what fires before you touch the banner. You will almost certainly find scripts loading that you forgot were there. Forgotten and unclassified scripts are the single most common source of these claims, because if a tool is not on your list, nothing is blocking it.

Then prioritize correctly, because not every third party carries the same risk. Third-party apps on Shopify work by loading scripts that send data out to the vendor, so when we talk about blocking, we mean stopping those scripts from firing until the visitor chooses. The clear priority is anything that captures the contents of what a customer types. Your search app, chat widget, session replay tool, and form-capture tools all transmit the substance of a communication to a third party, and that is exactly what the surviving wiretapping claims are built on. If any of those run through a third party, they belong behind consent, full stop. This is the part of the fix we would not compromise on.

Your plain analytics and ad pixels are a grayer area, and worth being honest about. The theory that a basic pixel grabbing an IP address or a device ID counts as a wiretap is the one courts are increasingly knocking down, since those are addressing details rather than the contents of what someone said. Blocking those tools before consent too is still the safer posture, but treat it as risk management rather than a settled legal mandate. There is no California statute that says block all third-party scripts before consent, and a vendor who tells you otherwise is selling you the most aggressive reading as if it were the law.

Use real script blocking, not a cosmetic banner. The goal is that the prioritized tools do not fire until the visitor makes a choice, which means a banner that actually holds scripts back at the point they would otherwise execute rather than one that merely displays. A consent platform that integrates with Shopify's Customer Privacy API and blocks at the script level is what does this. The native banner alone does not.

For California and Florida traffic specifically, lean toward opt-in. You can geo-target so that visitors from the high-risk states get a stricter banner that requires an affirmative yes before the contents-touching tools run, while visitors elsewhere get the format appropriate to their location. This is the single most protective move for the wiretapping risk, because it directly addresses the all-party consent standard at the moment that standard actually cares about.

Keep your banner honest. Asymmetric accept and reject buttons, where accept is big and obvious and reject is buried, are their own separate violation that regulators have fined heavily. Same size, same prominence, same screen. And make sure your privacy policy lists what your banner actually blocks, so the two tell the same story.

Keep consent logs. These cases turn on two questions: did interception happen, and did the user consent first? A timestamped record of consent is the evidence that answers the second one if a claim ever arrives.

Honor the Global Privacy Control signal. The stricter states treat this browser-level opt-out as binding, and ignoring it is its own exposure under the comprehensive privacy laws.
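The consent-before-firing posture from the steps above in code, added as an example rather than Shopify's or our own production code. It assumes the documented shape of Shopify's Customer Privacy API (Shopify.customerPrivacy.currentVisitorConsent() returning marketing, analytics, preferences and sale_of_data as 'yes', 'no' or '' when unanswered, and a visitorConsentCollected event on document) and that the API is already loaded; the tool list, its hostnames and the strictRegion flag are placeholders you would fill from your own inventory and geo lookup.

```javascript
// Added example (not Shopify's or the agency's code). Assumes the documented shape of
// Shopify's Customer Privacy API: Shopify.customerPrivacy.currentVisitorConsent() returns
// { marketing, analytics, preferences, sale_of_data } with values 'yes', 'no' or '' (not
// yet answered), and document fires 'visitorConsentCollected' when the banner is answered.

// Third-party tools and the consent category each needs. Tools that receive the contents
// of what a shopper types are flagged: those are the claims that keep surviving.
const TOOLS = [
  { id: 'search-app', category: 'preferences', capturesContents: true,  src: 'https://search.example-vendor.com/widget.js' },
  { id: 'chat',       category: 'preferences', capturesContents: true,  src: 'https://chat.example-vendor.com/embed.js' },
  { id: 'analytics',  category: 'analytics',   capturesContents: false, src: 'https://analytics.example.com/tag.js' },
  { id: 'ad-pixel',   category: 'marketing',   capturesContents: false, src: 'https://pixel.example-ads.net/px.js' },
];

// Decide which tools may load given the visitor's consent state.
//  - A Global Privacy Control signal counts as 'no' for marketing and sale of data.
//  - In strict (all-party consent) regions nothing loads until the visitor says 'yes'.
//  - Tools that capture typed contents never load on an unanswered banner, in any region.
//  - Elsewhere, plain pixels may load on silence (opt-out regime) but stop on 'no'.
function decideLoads(consent, tools, { strictRegion = false, gpc = false } = {}) {
  const effective = { ...consent };
  if (gpc) { effective.marketing = 'no'; effective.sale_of_data = 'no'; }
  return tools.filter((t) => {
    const answer = effective[t.category] || '';
    if (answer === 'no') return false;
    if (answer === 'yes') return true;
    return !strictRegion && !t.capturesContents;   // banner not yet answered
  }).map((t) => t.id);
}

// Consent-log entry: timestamped evidence of what the visitor chose and what then loaded.
function consentLogEntry(consent, loaded, now = new Date()) {
  return { ts: now.toISOString(), consent: { ...consent }, loaded: [...loaded] };
}

// Browser glue: hold every script back, load the permitted ones, re-run when consent changes.
function installGate(tools, opts) {
  const cp = window.Shopify && window.Shopify.customerPrivacy;
  if (!cp) return;                                  // API not available: nothing fires
  const loaded = new Set();
  const run = () => {
    const consent = cp.currentVisitorConsent();
    const gpc = navigator.globalPrivacyControl === true;
    for (const id of decideLoads(consent, tools, { ...opts, gpc })) {
      if (loaded.has(id)) continue;
      const s = document.createElement('script');
      s.src = tools.find((t) => t.id === id).src;
      s.async = true;
      document.head.appendChild(s);
      loaded.add(id);
    }
    console.log(JSON.stringify(consentLogEntry(consent, loaded)));  // ship this to your log store
  };
  run();
  document.addEventListener('visitorConsentCollected', run);
}

// strictRegion would come from your geo lookup for California, Florida and the other all-party states.
if (typeof window !== 'undefined') installGate(TOOLS, { strictRegion: false });
```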

The performance tradeoff worth knowing about

One thing the compliance vendors tend to skip over deserves a mention, because it matters and it is the kind of thing we deal with constantly.

These consent platforms are not free in performance terms. Many of them ship a lot of JavaScript, and we have seen them knock real points off mobile pagespeed, sometimes thirty points or more. So you are making a genuine tradeoff. You are adding weight to the page in order to reduce legal risk. That can be the right call, especially for a store with meaningful California or Florida traffic. But it is a decision to make with eyes open, and it is worth choosing a lightweight platform and configuring it carefully rather than installing the heaviest option and eating the speed hit. Compliance and performance are both real, and you do not have to sacrifice one entirely to get the other.

The bottom line

Modern stores run on third parties. That is not going away, and it should not. But the paradigm that makes a Shopify store quick to build and easy to extend is now the same paradigm that creates legal exposure, because old surveillance laws are being pointed at the data flowing between all those services.

Our honest read on where this goes is that consent before browsing becomes normal in more and more of the country, the way it already is across the EU. Visitors will increasingly have to make a choice before a store fully works for them. That is a worse experience in some ways, and it will dent your analytics, but it is the direction the legal pressure is pushing.

The stores that handle this well will be the ones that map their tools, block the non-essential ones until consent, and treat search and other free-text inputs with extra care. The ones that get caught will be the ones still assuming their cookie banner has them covered.

One last point, and an important one. This is general information, not legal advice, and the case law here is shifting month to month. For anything your store actually puts weight on, talk to a privacy attorney about your specific setup. What we can tell you is that the technical fix is worth doing now, regardless of how the courts land, because it is the same fix either way and it is the part you control.

Lock Down Your Store

Want a script and consent audit of your Shopify store?

We inventory every third-party script your store fires, prioritize the ones that touch search and free-text inputs, and configure a consent platform that holds them back at the script level without crushing pagespeed.
