California’s Privacy Law Reaches South Carolina

A 1967 California wiretapping statute is creating unexpected legal exposure for businesses far outside the Golden State, including right here in South Carolina. In an article published in South Carolina Lawyer, Kim, Lahey & Killough attorney Emily Bohan and University of South Carolina School of Law student Max Young explain how the California Invasion of Privacy Act (CIPA) has been repurposed to target common website tools like tracking pixels, session replay software, chatbots, and analytics platforms.

CIPA’s core requirement,  that all parties to a communication must consent before it is recorded, is stricter than federal law and most state statutes. Plaintiffs are now arguing that third-party scripts embedded on websites function as illegal wiretaps, and courts have been receptive. Critically, recent decisions make clear that consent mechanisms must be triggered before any tracking begins, meaning the standard practice of loading scripts on page arrival, before a user can click “accept,” may already constitute a violation.

The reach of CIPA has expanded beyond California’s borders. In Briskin v. Shopify, the Ninth Circuit found that collecting and monetizing data from California residents was enough to establish personal jurisdiction, even for a Canadian company with no California office. The “capability test” emerging from Ambriz v. Google adds another layer of risk: vendors that merely retain the ability to use client data for their own purposes (such as training AI models) may not qualify for the “party exemption” defense that would otherwise shield them from liability.

Steps Businesses Should Take Now

• Affirmative consent mechanisms should fire before any tracking scripts load.
• Sensitive data fields should be masked at the client side so raw inputs never leave the user’s browser.
• Vendor contracts must explicitly prohibit data monetization and secondary use and should include robust indemnification clauses covering privacy and wiretapping claims.
• Regular technical audits are essential to catch unauthorized third-party trackers before plaintiffs do.

Excerpt:
Wiretapping in the Digital Age: How an Old Law in California is Reaching into South Carolina
The National Expanse of California Privacy Law

For many attorneys in South Carolina, the notion that a California state law enacted in 1967 regulating industrial espionage and wiretapping could impose significant liability on a manufacturing firm in Greenville or a hospitality group in Charleston may seem farfetched. Yet, the California Invasion of Privacy Act (CIPA) has been repurposed to target modern tracking technologies. What began as a statute designed for technology running on copper wires may now apply to website pixels, chatbots, and session replay soft-ware, creating a minefield of potential liability for companies nationwide.

This expansion presents a unique threat to entities outside of California, including those here in the Palmetto State. Due to the borderless nature of the internet and aggressive jurisdictional theories, South Carolina businesses and other non-California entities are increasingly finding themselves appearing in California courts. The core of this liability lies in CIPA’s strict “all-party consent” requirement. Unlike federal law and other state statutes that permit recording with the consent of one party involved in a communication, CIPA requires the consent of all parties to a communication before recording is permitted. Consequently, the undisclosed use of third-party tracking scripts may lead to both criminal and civil penalties with significant statutory damages, and this law has already caught many businesses off guard.

The full article, including a detailed review of the relevant case law and practical compliance steps, is available in the Spring issue (page 27) of South Carolina Lawyer.

Emily Bohan is an attorney at Kim, Lahey & Killough’s Greenville, SC office, focusing her legal practice on business formation, corporate law,franchise law and mediations. She is licensed to practice in both South Carolina and Virginia. Max Young is a J.D. candidate, Class of 2026, at University of South Carolina.