What Nonprofits Should Know About CIPA and Third-Party Tracking Risk
May 10, 2026

Most nonprofit websites are carrying more tracking risk than anyone on staff realizes. That's not a criticism — it's just what happens when tags get added over years of campaigns, platforms, and staff transitions without a governing process to match. By the time someone looks closely, there's usually a tangle of third-party tools firing on every page, and no clear record of what data they're collecting, where it's going, or whether any of it is covered by what your privacy notice actually says.
CIPA is why that gap is now worth taking seriously.
What Is CIPA?
The California Invasion of Privacy Act is a 1967 wiretapping statute that plaintiffs' attorneys have spent the last several years applying to standard website tracking tools — ad pixels, analytics scripts, session replay software. The legal theory is that when a website shares visitor data with third parties without clear consent, that may constitute illegal interception under wiretapping law.
This is not fringe litigation. CIPA filings jumped from 54 in 2022 to more than 2,800 in 2025, and many cases settle privately, meaning the true scale is higher than the public record shows. In April 2026, a federal judge allowed a class action against CNN to move forward, finding that tracking code on CNN.com allegedly fed visitor data to Microsoft and adtech vendors for advertising modeling purposes without users' knowledge or consent.
Why Nonprofits Aren't Protected
Nonprofits are exempt from the California Consumer Privacy Act. CIPA offers no such exemption — it is a criminal wiretapping statute, and the carve-outs written into state consumer privacy laws don't touch it.
CIPA also has a private right of action, meaning suits can be brought by individuals without waiting for an attorney general to act. Statutory damages are $5,000 per violation or three times actual damages, whichever is greater. Courts are actively divided on whether CIPA applies to website tracking, but cases are moving forward, and the legal landscape is still expanding. CIPA applies based on where your visitors are located, not where your organization is based.
What Makes Nonprofits Particularly Exposed
When I audit a nonprofit's website tracking setup, I almost always find the same things: tags added for a campaign three years ago that never got removed. A consent banner configured to default to granted because someone didn't want to hurt conversion rates. Vendor contracts that don't reflect what the tools are actually collecting. A privacy notice that was written before half the current tech stack existed.
None of this happened because anyone was careless. It happened because there was no governing process — no one whose job it was to ask whether the tracking infrastructure matched the organization's stated data practices. That gap is exactly what CIPA litigation targets.
The other thing I consistently see: when organizations finally get the full picture, they're surprised by the volume of issues. A structured gap analysis makes the starting point far less overwhelming than the raw list.
Two Areas Worth Examining Now
1. Server-Side Tracking Is Not a Complete Answer
Many organizations are moving to server-side tracking to recover conversion visibility lost to browser privacy changes and ad blockers. Routing data through your own server first gives you genuine control over which fields travel to third parties — you can filter or redact data before it leaves your environment. That's a real operational benefit, and often a worthwhile investment.
What server-side tracking doesn't resolve is consent-based legal risk. If a user hasn't consented to their data being forwarded to a third party, the routing path matters less than whether consent governed the transfer at all. Server-side tracking and consent management tooling need to work together — treating one as a substitute for the other is where organizations get into trouble.
2. Visibility Into Your Data Flows Is the Foundational Question
Whether or not you're using server-side tracking, you need to be able to answer: which data fields are being sent to which vendors, and does an opt-out actually stop those flows in real time? In my experience, there is almost always a gap between what an organization thinks it's sharing and what its technology is actually sharing, usually because the tag stack has gone ungoverned for years.
Closing that gap isn't a one-day project. But it is a manageable one when you work through it systematically.
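The following is an added example, not code from this article or from Agility Lab's own tooling. It models a minimal server-side collection endpoint as pure functions so it runs offline under Node, and it shows the two points above together: per-vendor field allowlists (what server-side tracking genuinely gives you) and a consent gate evaluated on every event (what it does not give you on its own), with a ledger that records which fields actually went to which vendor. Vendor names, consent purposes, field names and the sample donation event are all hypothetical, constructed for the example.

```javascript
// Added example (not Agility Lab code). Hypothetical vendor policy: the fields
// each vendor may receive and the consent purpose that must be granted first.
const VENDOR_POLICY = {
  ads_pixel: { purpose: 'advertising', fields: ['event', 'value', 'currency'] },
  analytics: { purpose: 'analytics', fields: ['event', 'page', 'session_id'] },
};

// Consent records keyed by visitor id. A revocation overwrites the record, so
// the very next event is evaluated against the new state (the "real time"
// property the article asks about, as opposed to only suppressing future tags).
function createConsentStore() {
  const records = new Map();
  return {
    set(visitorId, purposes) { records.set(visitorId, { ...purposes, updatedAt: Date.now() }); },
    get(visitorId) { return records.get(visitorId) || {}; },
  };
}

// Copy only the listed fields; everything else (ip, email, ...) is dropped.
function pick(obj, fields) {
  const out = {};
  for (const f of fields) if (f in obj) out[f] = obj[f];
  return out;
}

// Weak version: redacts fields but never consults consent. This is all that
// routing through your own server buys you by itself.
function forwardWithoutConsentCheck(event, vendor) {
  return pick(event, VENDOR_POLICY[vendor].fields);
}

// Corrected version: consent first, then the allowlist. Returns null when
// nothing may be sent; callers must not fall back to a "minimal" payload,
// because any transfer without consent is the problem, not the field count.
function forwardWithConsent(event, vendor, consent) {
  const policy = VENDOR_POLICY[vendor];
  if (consent[policy.purpose] !== true) return null;
  return pick(event, policy.fields);
}

// Data-flow ledger: one entry per payload actually forwarded, so "which fields
// go to which vendor" is answered from what the system did, not from the tag plan.
function createLedger() {
  const entries = [];
  return {
    record(vendor, visitorId, payload) {
      entries.push({ vendor, visitorId, fields: Object.keys(payload), at: Date.now() });
    },
    fieldsByVendor() {
      const m = {};
      for (const e of entries) {
        m[e.vendor] = m[e.vendor] || new Set();
        e.fields.forEach((f) => m[e.vendor].add(f));
      }
      return Object.fromEntries(Object.entries(m).map(([v, s]) => [v, [...s].sort()]));
    },
    count(vendor) { return entries.filter((e) => e.vendor === vendor).length; },
  };
}

// Collector: one inbound event, fanned out to every vendor the current
// consent record allows. Returns the payloads that were actually forwarded.
function collect(event, consentStore, ledger) {
  const consent = consentStore.get(event.visitor_id);
  const sent = {};
  for (const vendor of Object.keys(VENDOR_POLICY)) {
    const payload = forwardWithConsent(event, vendor, consent);
    if (payload) { ledger.record(vendor, event.visitor_id, payload); sent[vendor] = payload; }
  }
  return sent;
}

// Constructed scenario: a donation event under three consent states in turn:
// analytics only, analytics plus advertising, then a full opt-out.
function runScenario() {
  const consentStore = createConsentStore();
  const ledger = createLedger();
  const event = { visitor_id: 'v1', event: 'donation', value: 50, currency: 'USD', page: '/donate',
                  session_id: 's1', ip: '203.0.113.7', email: 'donor@example.org' };
  consentStore.set('v1', { analytics: true, advertising: false });
  const first = collect(event, consentStore, ledger);
  consentStore.set('v1', { analytics: true, advertising: true });
  const second = collect(event, consentStore, ledger);
  consentStore.set('v1', { analytics: false, advertising: false }); // opt-out
  const third = collect(event, consentStore, ledger);
  return {
    first, second, third,
    ledger: ledger.fieldsByVendor(),
    counts: { ads_pixel: ledger.count('ads_pixel'), analytics: ledger.count('analytics') },
    // The weak path still produces a payload after the opt-out.
    leaky: forwardWithoutConsentCheck(event, 'ads_pixel'),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Two design points worth carrying into a real collector. First, the corrected path returns null rather than a trimmed payload, so a missing consent grant halts the transfer entirely instead of being negotiated down to "just the event name". Second, the ledger is the artifact you compare against your privacy notice and vendor contracts; in a real deployment the request's client IP address and User-Agent reach the collector as request metadata, and they need to be treated as fields under the same allowlist rather than forwarded implicitly.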
Where to Start
Bring these questions to your web or analytics team:
→ What third-party tools are currently firing on our website?
→ What data fields are being collected and forwarded to each vendor?
→ Is our consent banner configured to require an active yes before advertising data is collected?
→ Does an opt-out actually stop data flows in real time, or just suppress future collection?
→ When did we last audit whether our privacy notice reflects what our website actually does?
If the honest answer to most of these is "I'm not sure," that's where to start.
How Agility Lab Can Help
This is exactly the kind of work Agility Lab does with nonprofit clients. We start with a technical audit of what's actually on your site — what's firing, what's being collected, what's going where — and then work through the issues one by one: consent configuration, vendor contracts, privacy notice alignment, tag governance. It's not a one-size-fits-all checklist. It's a process calibrated to what your organization actually needs to resolve.
If you want to understand where your organization stands, that's a good place to begin the conversation. Book a discovery call.
-----
Frequently Asked Questions about CIPA
What is CIPA and how does it apply to nonprofits?
CIPA — the California Invasion of Privacy Act — is a 1967 wiretapping statute that plaintiffs' attorneys have spent the last several years applying to standard website tracking tools. Nonprofits are exempt from California's consumer privacy law, the CCPA, but that exemption doesn't extend to CIPA. It's a criminal statute, and the carve-outs written into state consumer privacy laws don't touch it. If your website has California visitors and shares their data with third parties without proper consent, your organization is potentially in scope regardless of your nonprofit status.
What website tools are typically at issue in CIPA cases?
The cases filed to date have targeted tools that most nonprofits use without a second thought: ad pixels, analytics platforms, session replay software, chatbots, and programmatic advertising networks. The common thread isn't the tool itself; it's whether visitor data is being forwarded to third parties without clear user consent. That's a question worth asking about every tool currently firing on your site.
Does server-side tracking eliminate CIPA exposure?
No, and this is a common misconception worth correcting. Server-side tracking gives you more control over which data fields are forwarded to third parties, and that's a genuine operational benefit. But it doesn't resolve the underlying consent question. If a user hasn't consented to their data being shared with a third party, routing it through your own server first doesn't change the legal analysis. Server-side tracking and consent management need to work together — one isn't a substitute for the other.
Can individuals sue under CIPA, or does enforcement require government action?
CIPA includes a private right of action, which is one of the key reasons the litigation volume has grown so quickly. Individuals can file suit without waiting for an attorney general to act. That's a meaningful distinction from most state consumer privacy laws, which rely on government enforcement and typically include a right to cure before penalties apply. Under CIPA, there's no equivalent buffer.
What are the financial stakes for CIPA?
Fines start at $5,000 per violation or three times actual damages, whichever is greater. In class action cases involving large numbers of website visitors, potential liability scales quickly. CIPA filings jumped from 54 in 2022 to more than 2,800 in 2025, and many cases settle privately, meaning the public record understates the actual financial exposure across organizations.
What do you typically find when you audit a nonprofit's tracking setup?
Almost always the same things: tags added for a campaign years ago that were never removed, a consent banner defaulting to granted because someone didn't want to hurt conversion rates, vendor contracts that don't reflect what the tools are actually collecting, and a privacy notice written before the current tech stack existed. None of it happened because anyone was careless — it likely happened because there was no governing process. The audit surfaces the full picture, and then we work through it systematically.
Where should an organization start if it's concerned about CIPA exposure?
Start with a clear-eyed inventory of what's actually on your site: which tools are firing, what data they're collecting, which vendors are receiving it, and whether your consent configuration actually controls those flows. Most organizations don't have a complete answer to all of those questions — and that's the gap worth closing. If you want support working through it, that's exactly what Agility Lab does.