The letter arrived without warning, from a California plaintiff’s attorney citing the California Invasion of Privacy Act (CIPA). The WooCommerce store had installed Google Analytics and Meta Pixel the normal way (through a plugin, in ten minutes) and had never considered that those pixels might constitute wiretapping under California law. CIPA litigation against websites using third-party analytics and session recording tools has expanded sharply since 2024, and most WooCommerce store owners have no idea it’s happening. Nineteen US states now have comprehensive consumer privacy laws active or coming into effect by the end of 2026. The assumption that US privacy law is someone else’s problem ends when a demand letter arrives.
The Two US Laws Creating WooCommerce Exposure
Most WooCommerce compliance content is written about GDPR. That’s the European regulation with the big fines. But for stores with US visitors — which is most WooCommerce stores — two separate US legal frameworks create independent liability:
CCPA (California Consumer Privacy Act) applies to for-profit businesses that do business in California and meet any one of three thresholds: annual gross revenues over $25 million, buying or selling the personal data of 100,000 or more consumers annually, or deriving 50% or more of annual revenue from selling personal data. If you meet any one threshold, CCPA applies — regardless of where your business is registered.
Under CCPA, sharing visitor data with Google or Meta through tracking pixels can constitute “sale” or “sharing” of personal information, which requires either opt-out mechanisms or explicit consent depending on data type. Most standard pixel implementations don’t include this.
CIPA (California Invasion of Privacy Act) is older, broader, and more dangerous for small stores. It was designed for telephone wiretapping but courts have increasingly applied it to third-party analytics tools — specifically tools that intercept communications in real time. Session recording software, live chat tools, and certain analytics pixels have all been named in CIPA class actions. 75% of websites fail basic GDPR consent banner requirements and CCPA cookie consent standards. Many of the same installations create CIPA exposure through tools they don’t even recognise as legally significant.
What Actually Triggers CIPA Liability
The CIPA lawsuits that have succeeded against websites share a common pattern: a third-party tool is embedded in the website that intercepts visitor communications or behaviour data in real time, sending it to a third party’s servers before the website operator has a chance to receive it.
The legal argument is that the third-party vendor (Google, Meta, session recording software companies) becomes a “third party eavesdropper” because they receive the data simultaneously with — or before — the website owner. That framing has been applied to:
- Session recording tools like FullStory, Hotjar, and Microsoft Clarity — which capture keystrokes, mouse movements, and form inputs in real time
- Live chat widgets that send conversation data to external servers
- Analytics pixels that fire during page load, before any consent interaction
- Advertising pixels that send conversion data to platform servers alongside the visitor’s action
Not every lawsuit succeeds. Courts are still sorting out which tools and circumstances satisfy the “intercept in real time” requirement. But the litigation volume is high enough that demand letters are reaching ordinary WooCommerce stores — not just enterprise brands — and the cost of defending even a frivolous claim makes the risk real.
CCPA Thresholds: Do They Apply to Your Store?
The CCPA revenue threshold ($25M annual gross revenue) means most small WooCommerce stores are not covered by the revenue test. But the data volume test can catch smaller stores. CCPA applies to businesses buying or selling the personal data of 100,000 or more consumers annually — and if your store has significant traffic, the number of visitors whose data you transmit to Google and Meta through pixel tracking can cross that threshold without you realising it.
The third threshold — 50% of revenue from data sales — applies to data brokers, not typical WooCommerce stores. But the first two create exposure for mid-size and growing stores that aren’t thinking about CCPA at all.
For CIPA, there is no threshold. It applies to any website with California visitors where a qualifying intercept occurs — and California has 39 million residents who are regularly online. If you have US traffic, you have California visitors.
What Server-Side Architecture Changes
The CIPA “real-time intercept by a third party” theory depends on data going directly from the visitor’s browser to a third-party server. That’s the client-side pixel model: the pixel fires in the visitor’s browser, and the visitor’s data travels directly to Google’s or Meta’s servers. The website owner is not in that data path.
Server-side tracking changes the architecture. When conversion events flow from WooCommerce to your own server first, and then your server sends the event to Google or Meta, the third party is no longer receiving data directly from the visitor’s browser. Your server is the intermediary. The data passes through your infrastructure before reaching any platform.
That structural change doesn’t eliminate CCPA obligations — if you meet the thresholds, you still need compliant data practices — but it directly addresses the CIPA “third party intercepting in real time” argument. The interception can’t happen at the browser if the browser isn’t the source of the transmission to the third party.
Transmute Engine™ runs on your subdomain and receives events from WooCommerce server-side before routing to GA4, Meta, Google Ads, and other destinations. The visitor’s browser sends data to your domain. Your Transmute Engine instance processes and forwards it. Third-party platforms receive it from your server. That’s a fundamentally different liability picture than a pixel firing directly in the browser.
The Practical Steps That Reduce Exposure Now
US privacy law compliance for WooCommerce stores doesn’t require removing all tracking. It requires understanding what you’re running and making deliberate choices about it:
- Audit which third-party tools you have installed. Session recording tools are the highest CIPA risk. If you’re running Hotjar, FullStory, or a live chat tool that logs conversation content, those carry more exposure than standard analytics.
- Add a “Do Not Sell or Share My Personal Information” link if you meet CCPA thresholds. This is a legal requirement, not optional, for covered businesses.
- Check your consent banner configuration. CCPA requires opt-out rights for data sharing; some US state laws require opt-in consent for sensitive data categories. GDPR-focused plugins may not handle the US state law landscape correctly.
- Consider server-side architecture for your high-risk pixels. Moving the Meta Pixel and GA4 tags server-side reduces the CIPA exposure surface while maintaining full conversion tracking.
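The audit in the first step can start from a saved copy of a rendered store page. The Python script below is an added example, not code from the original article or from any vendor: it lists every third-party host a page loads from, including hosts that appear only inside inline loader scripts, and sorts session recording first. The vendor host map, the shop.example.com domain and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed vendor hosts; check them against each vendor's current snippet.
KNOWN = {"hotjar.com": "session recording", "fullstory.com": "session recording",
         "clarity.ms": "session recording", "facebook.net": "advertising pixel",
         "googletagmanager.com": "analytics", "google-analytics.com": "analytics"}
# Session recording first (the article's highest-risk group); the rest is arbitrary.
RANK = ["session recording", "advertising pixel", "analytics", "unclassified"]

def classify(host):  # category by domain suffix, None if the host is unknown
    for domain, category in KNOWN.items():
        if host == domain or host.endswith("." + domain):
            return category
    return None

class Audit(HTMLParser):
    def __init__(self, first_party):
        super().__init__()
        self.first_party, self.found, self.inline = first_party, {}, False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        self.inline = tag == "script" and not src
        host = (urlparse(src).hostname or "") if src else ""
        own = host == self.first_party or host.endswith("." + self.first_party)
        if tag in ("script", "img", "iframe") and host and not own:
            self.found[host] = (classify(host) or "unclassified", tag + " src")

    def handle_endtag(self, tag):
        self.inline = False

    def handle_data(self, data):
        # Inline loaders inject the vendor script at runtime: no src to read.
        if self.inline:
            for host in re.findall(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", data.lower()):
                if classify(host):
                    self.found.setdefault(host, (classify(host), "inline script"))

def audit(html, first_party):
    """Return (category, host, how found) tuples, session recording first."""
    parser = Audit(first_party)
    parser.feed(html)
    return sorted(((c, h, how) for h, (c, how) in parser.found.items()),
                  key=lambda r: (RANK.index(r[0]), r[1]))

# Constructed sample page, not taken from a real store.
SAMPLE = """<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>var t=document.createElement('script');t.src='https://connect.facebook.net/en_US/fbevents.js';</script>
<script src="//static.hotjar.com/c/hotjar-0000000.js"></script>
<img src="https://shop.example.com/logo.png"><iframe src="https://widget.chat-vendor.example/embed"></iframe>"""
```

A static scan only sees what is in the HTML; tags injected at runtime by a tag manager also need a check of the browser's network requests.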
US privacy law is not a future concern for WooCommerce stores. The CIPA litigation wave is active now, demand letters are landing on ordinary store owners, and 19 states have enforcement frameworks in place or coming. The time to review your tracking architecture is before a letter arrives, not after.
Not automatically — but it can create compliance obligations. If your WooCommerce store meets CCPA thresholds (over $25M revenue, or processing data on 100,000+ consumers), using Google Analytics and Meta Pixel without compliant opt-out mechanisms may violate CCPA’s data sharing rules. Most standard pixel installations were set up without considering this. A review of your consent architecture against CCPA requirements is recommended for stores approaching or exceeding these thresholds.
CIPA — the California Invasion of Privacy Act — is a wiretapping statute that courts have applied to third-party tracking tools embedded in websites. The theory is that when a pixel sends visitor data directly to a third-party server (Google, Meta, session recording companies) in real time, that third party is “intercepting” communications. CIPA has no revenue threshold — it applies to any site with California visitors where a qualifying intercept occurs. Session recording tools and live chat widgets carry the highest documented risk.
Yes, particularly for CIPA. Server-side tracking routes conversion events through your own server before they reach third-party platforms, removing the “third party intercepting in real time from the visitor’s browser” element that CIPA litigation relies on. For CCPA, server-side tracking doesn’t change whether your business meets the thresholds that trigger obligations, but it gives you more control over data flows and makes compliant architecture easier to implement and document.
If your business meets any of the CCPA thresholds — over $25M annual gross revenue, data processing on 100,000+ consumers, or 50%+ revenue from data sales — yes, a “Do Not Sell or Share My Personal Information” link is a legal requirement under CCPA. Businesses below these thresholds are not covered by CCPA, though they may still face CIPA exposure through session recording or analytics tools.


