Free account
CIPA § 631 Risk

Is Browsee legal in California?

Session Replay & Heatmaps · Updated 2026

Browsee records visitor session replays and builds heatmaps and funnels from clicks, scrolls, and form activity. Using it is perfectly legal — but running Browsee before a visitor consents is what creates exposure under California's wiretapping law.

Is this tracker on your site? Find out free in 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Why Browsee can trigger CIPA claims

California's Invasion of Privacy Act (CIPA), Penal Code § 631, prohibits intercepting communications without all-party consent. Since 2022, a wave of plaintiff-firm litigation has applied this decades-old wiretapping statute to website session-replay, chat, and pixel tools — arguing that capturing a visitor's clicks, keystrokes, and form input without consent is an unlawful interception. Browsee loads third-party tracking that can capture visitor behavior. Running it before the visitor consents is what triggers CIPA § 631 exposure.

Statutory damages run up to $5,000 per violation, and plaintiffs argue each affected visitor session is a separate count — which is why even small sites receive demand letters.

Real-world enforcement

In a landmark action, the California Attorney General reached a $1.2M CCPA settlement with Sephora over undisclosed sale of personal information and its failure to honor opt-out (Global Privacy Control) signals — a CCPA enforcement action, not a session-replay/CIPA case. Separately, private CIPA suits over session-replay and chat tools have named retailers, healthcare providers, and SaaS companies alike. The common thread across both: trackers firing before the visitor had any chance to opt out.

How to make Browsee compliant

  1. Identify where Browsee is installed (raw <script>, GTM, or an npm package).
  2. Gate it behind a Consent Management Platform so it cannot load or fire until the visitor opts in.
  3. If it runs through GTM, set the tag's Consent settings to require the relevant consent type.
  4. If it is a raw snippet, wrap its initialization in your CMP's consent callback.
  5. Re-scan with the "Verify fix" button to confirm Browsee no longer fires before consent.

Consent-gating snippet

<!-- Place BEFORE the GTM/gtag snippet. Defaults all storage to "denied"
     so no tags fire until your CMP updates consent after the user opts in. -->
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    functionality_storage: 'denied',
    personalization_storage: 'denied',
    security_storage: 'granted',
    wait_for_update: 500
  });
</script>

Your CMP (Cookiebot, OneTrust, Termly, etc.) calls gtag('consent','update',{...:'granted'}) only after the visitor accepts. Until then, tags stay blocked.

Check your own site

RegSentry runs a real browser against your site, watches exactly when Browsee (and every other tracker) first contacts a third-party server, and captures the evidence — including whether it intercepts keystrokes typed into your forms.

Is this tracker on your site? Find out free in 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

← See all tracker compliance guides