If you installed Microsoft Clarity on your WooCommerce store for the free heatmaps, you’re in good company. Over 5 million websites use it. But courts are now applying California’s wiretapping law—CIPA—to session replay tools, and the math is severe: $5,000 per violation per consumer, with no cap on class size (California Penal Code § 630, Traverse Legal, 2026). A store with 10,000 California visitors could face $50 million in statutory damages. This is not hypothetical. Plaintiffs’ firms are actively targeting websites with session replay tools in 2026.
Free tools feel safe. Courts disagree.
What Microsoft Clarity Actually Does on Your WooCommerce Store
Clarity markets itself as a heatmap and session recording tool. That description is accurate—and it’s exactly what makes it a CIPA problem.
When a visitor lands on your WooCommerce store, Clarity’s JavaScript runs in their browser and records:
- Keystrokes — every character typed into any input field
- Mouse movements and clicks — a complete replay of their session
- Form inputs — including names, emails, and shipping addresses
- Scroll depth and rage clicks — engagement signals across every page
This data streams to Microsoft’s servers in real time. Not batched. Not anonymised. Raw session data, transmitted to a third party while your visitor has no idea it’s happening.
That real-time interception of user communications to a third party is exactly what CIPA was written to prohibit.
Why Courts Are Applying a Wiretapping Law to Your Heatmap Tool
The California Invasion of Privacy Act (CIPA) was originally written to prohibit wiretapping phone calls. Plaintiffs’ attorneys have spent the last three years arguing that intercepting website communications in real time is the same thing—and courts are starting to agree.
The November 18, 2025 ruling in Camplisson v. Adidas was the clearest signal yet. The court found that TikTok Pixel and Microsoft Bing trackers may constitute wiretapping under CIPA—explicitly naming Microsoft tracking tools as potentially within scope (Traverse Legal, 2025). This isn’t a fringe theory. It’s creating a circuit split that legal analysts expect to fuel a new wave of class actions through 2026.
The same wiretapping theory applied to Facebook Pixel is now being applied to session replay. Clarity records more than a pixel ever did. A pixel fires on page load. Clarity records every keystroke until your visitor leaves.
Legal uncertainty is at maximum levels, according to Ogletree’s 2025 litigation tracker—CIPA filing volume has not slowed despite mixed judicial outcomes, because the statutory damages structure makes even uncertain cases worth filing (Ogletree, 2025).
Why a Cookie Banner Won’t Save You
Here’s the thing—most privacy consultants tell store owners to add Clarity to their cookie consent popup and move on. That advice misses the problem entirely.
CIPA is a wiretapping statute, not a cookie consent law. Courts have consistently rejected the argument that standard GDPR-style consent banners satisfy CIPA’s requirements. CIPA requires the person being intercepted to consent to the specific third party receiving their communications in real time—a standard that a “we use analytics cookies” checkbox does not meet.
There’s no legislative fix on the horizon either. SB 690—California’s attempt to reform CIPA’s application to website tracking—stalled in the 2025 Assembly. The earliest possible relief is 2027 (Shumaker, 2025). The law as written applies to your store right now.
Plaintiffs are expanding the theory too. Byte Back Law’s 2025 enforcement update notes that active CIPA litigation is extending to AI chatbots and generative AI tools—any tool that intercepts and transmits user communications to a third party in real time is a potential target (Byte Back Law, 2025).
Nearly 20 US states now have comprehensive consumer data privacy laws, with 3 more taking effect in January 2026 (Jackson Walker LLP, 2025). This is not a California-only problem. It’s a national trend with California setting the enforcement pace.
What You Actually Need Instead of Session Replay
The real question isn’t how to make session replay compliant. The question is whether you need session replay at all.
Most WooCommerce store owners installed Clarity to understand user behaviour: where people click, where they drop off, which products get attention. That’s legitimate marketing intelligence. But you don’t need to record every keystroke to get it.
What you actually need is clean event data: page views, product impressions, add-to-cart events, checkout steps, purchases, and abandonment signals. That event data tells you everything Clarity’s heatmaps tell you—without recording a single keystroke.
Server-side event tracking captures the marketing data you need without recording raw user sessions. No keystroke interception. No form input capture. No real-time stream to a third party. Just structured events routed from your own server to GA4, BigQuery, and your ad platforms—with 100% accuracy and none of the legal exposure.
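One way to enforce "structured events only" on your own server, shown as an added example rather than code from this article or from any tracking product: an allow-list that reduces each raw event to named, typed fields before anything is forwarded. The schema, event names and field names are hypothetical, and the sample values in the comments are constructed.

```javascript
// Hypothetical schema (not GA4's or any vendor's): event name -> the only
// fields, with their types, that are allowed to leave your server.
const EVENT_SCHEMA = {
  page_view:      { path: 'string' },
  view_item:      { product_id: 'string', price: 'number' },
  add_to_cart:    { product_id: 'string', quantity: 'number', price: 'number' },
  begin_checkout: { cart_value: 'number', item_count: 'number' },
  purchase:       { order_id: 'string', value: 'number', currency: 'string' },
  cart_abandoned: { cart_value: 'number', last_step: 'string' },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Reduce a raw event to its allow-listed fields. Returns null for event names
// that are not in the schema; `dropped` lists field names only, never values,
// so the audit trail itself cannot leak what a visitor typed.
function toStructuredEvent(raw) {
  if (!raw || !has(EVENT_SCHEMA, raw.event)) return null;
  const schema = EVENT_SCHEMA[raw.event];
  const params = {};
  const dropped = [];
  for (const [field, value] of Object.entries(raw)) {
    if (field === 'event') continue;
    const typeOk = has(schema, field) && typeof value === schema[field];
    if (!typeOk || (typeof value === 'number' && !Number.isFinite(value))) {
      dropped.push(field);
      continue;
    }
    // Query strings and fragments can carry search terms or e-mail addresses.
    params[field] = field === 'path' ? value.split(/[?#]/)[0] : value;
  }
  return { event: raw.event, params, dropped };
}

// Constructed input: a checkout event with form fields attached by mistake.
const SAMPLE_RAW = {
  event: 'begin_checkout',
  cart_value: 84.5,
  item_count: 2,
  billing_email: 'jane@example.test',
  order_notes: 'leave at the side door',
};
const SAMPLE_RESULT = toStructuredEvent(SAMPLE_RAW);
```
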
How Transmute Engine Gives You the Data Without the Risk
Server-side tracking doesn’t just reduce your CIPA exposure—it gives you better data than Clarity was providing. A properly configured server-side setup captures every purchase event, cart interaction, and user flow signal with full accuracy, not sampled or filtered by consent banners. That event data flows to BigQuery where you can build the funnel analysis and drop-off reports Clarity was approximating with session recordings.
Transmute Engine™ is a first-party Node.js server that runs on your own subdomain (e.g., data.yourstore.com). The inPIPE WordPress plugin captures WooCommerce events and sends them via API to your Transmute Engine server, which routes them simultaneously to GA4, Facebook CAPI, BigQuery, and more—all from your own domain, with no third-party session recording involved.
Key Takeaways
- CIPA damages are $5,000 per violation per consumer with no cap on class size — a store with California visitors has real, measurable exposure
- Camplisson v. Adidas (November 2025) explicitly named Microsoft tracking tools as potentially within CIPA wiretapping scope
- Cookie consent banners don’t fix CIPA claims — the statute requires specific consent to third-party real-time interception, which standard frameworks don’t provide
- SB 690 stalled in California — no legislative relief until 2027 at the earliest; the current law applies now
- Server-side event tracking replaces Clarity’s marketing insights without recording raw sessions, form inputs, or keystrokes
Courts have not issued a definitive ruling specifically on Microsoft Clarity, but the November 2025 Camplisson v. Adidas decision explicitly named Microsoft tracking tools (Bing trackers) as potentially within CIPA’s wiretapping provisions. Session replay tools like Clarity record keystrokes, form inputs, and full user sessions in real time, transmitting that data to Microsoft’s servers—the same interception pattern courts have applied CIPA theory to in other cases. The legal risk is active in 2026.
No. CIPA is a wiretapping statute, not a cookie consent law. Courts have rejected the argument that standard GDPR-style consent banners satisfy CIPA’s requirements. CIPA requires the person being intercepted to consent to the specific third party receiving their communications in real time—a standard that typical cookie consent frameworks do not meet.
The safest approach for WooCommerce stores with California traffic is to stop using real-time session replay tools entirely. Server-side event tracking provides the same marketing intelligence—funnel analysis, drop-off data, product engagement—without recording raw user sessions or intercepting keystrokes. Tools that process data server-side on your own infrastructure, rather than transmitting sessions to a third party in real time, have fundamentally different legal exposure under CIPA’s wiretapping theory.
Yes. Plaintiffs’ firms are actively targeting websites with session replay tools in 2026, following the expansion of CIPA litigation theory in the November 2025 Camplisson v. Adidas ruling. CIPA allows $5,000 in statutory damages per violation per consumer with no cap on class size—making even small stores with California visitors a viable litigation target. CIPA filing volume has not slowed despite mixed judicial outcomes (Ogletree, 2025).
The risk Microsoft Clarity creates isn’t complex to solve—you just have to know it exists. Audit what your WordPress site is sending to third parties and replace session recording with clean server-side event data that improves your attribution without the legal exposure.
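A starting point for that audit, as an added example that is not part of the original article: it lists every third-party host referenced by a page's `<script>` elements and flags session-replay hosts. It reads inline script bodies as well as `src` attributes, because Clarity's install snippet is inline and loads its tag from `www.clarity.ms` at runtime. The store hostname, the widget host and the sample HTML are constructed.

```javascript
// Domains treated as session-replay vendors. Clarity's tag is served from
// www.clarity.ms; extend the list with whatever else you consider in scope.
const SESSION_REPLAY_DOMAINS = ['clarity.ms'];

const inDomain = (host, domain) => host === domain || host.endsWith('.' + domain);

// Return each third-party host a page's scripts reference, noting whether it
// was found in a src attribute or in a URL inside an inline script body.
function auditScriptHosts(html, firstPartyDomain) {
  const seen = new Map();
  const record = (rawHost, via) => {
    const host = rawHost.toLowerCase();
    if (inDomain(host, firstPartyDomain)) return;
    const key = host + '|' + via;
    if (seen.has(key)) return;
    const sessionReplay = SESSION_REPLAY_DOMAINS.some((d) => inDomain(host, d));
    seen.set(key, { host, via, sessionReplay });
  };
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) {
      try {
        // Relative paths resolve to the first-party origin and are skipped.
        record(new URL(src[1], 'https://' + firstPartyDomain).hostname, 'src');
      } catch (_) { /* unparsable src attribute: ignore */ }
    }
    for (const u of m[2].matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) record(u[1], 'inline');
  }
  return [...seen.values()];
}

// Constructed sample page; the inline loader is a simplified stand-in.
const SAMPLE_HTML = `
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example-widgets.test/w.js"></script>
<script>(function(l,r,i){var t=l.createElement(r);t.async=1;
t.src="https://www.clarity.ms/tag/"+i;l.head.appendChild(t);
})(document,"script","PROJECT_ID_PLACEHOLDER");</script>`;

const SAMPLE_FINDINGS = auditScriptHosts(SAMPLE_HTML, 'shop.example');
```

Static HTML shows only what is in the page source; tags injected later by a tag manager have to be checked in the browser's network panel.
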


