Demand letters and copycat lawsuits are piling up on the desks of in-house counsel and business owners around the country, all making the same claim: that an ordinary website is secretly running an illegal wiretap. We’ve watched California Invasion of Privacy Act (CIPA) claims climb sharply over the past several months. The playbook is easy to spot. A small group of repeat claimants combs through business websites, records what data each site hands off to outside vendors, and then sends a formal-looking package threatening suit in California. Any website a California visitor can open is a potential target. Size, industry, and where you’re headquartered don’t matter much. If a letter hasn’t shown up yet, don’t assume it won’t. We’re following this closely and defending clients against it right now, and we’d rather you be ready than caught flat.
What Is CIPA, and Why Is It Showing Up on Your Website?
CIPA goes back to 1967, when the worry was wiretapped phones and surveillance. Plaintiffs have repurposed it for the web, and lately for AI-driven tools, arguing that pulling a visitor’s IP address and browsing data off a site without consent is the modern equivalent of that same unlawful interception. The features they go after are the ones almost every site uses: third-party pixels, software development kits (SDKs), analytics, chat windows, and search boxes.
The money is what keeps the letters coming. CIPA gives plaintiffs a private right of action, statutory damages of up to $5,000 per violation or treble the actual damages (whichever is larger), and a shot at an injunction on top. That has made it the statute of choice for website-tracking claims, and plaintiffs are pushing it hard while the courts are still deciding whether it fits the technology at all.
Right now the law is unresolved, and the courthouse often matters more than the facts. Federal judges in California have been readier than their state counterparts to let these claims survive a motion to dismiss, though a plaintiff in federal court still has to clear a standing hurdle the state courts don’t bother with. The Legislature hasn’t stepped in, so the answers are coming one case at a time. Two companies running identical tracking can land before two judges and walk out with opposite results.
Most claims run on one of two theories. The first is wiretapping under Section 631(a): intercepting the contents of a visitor’s communication in transit, without consent. Those “contents” are usually search queries carrying personal information or the give-and-take of a chat, which is why chat tools, session-replay software, and embedded third-party scripts draw most of the fire. But data moving from A to B doesn’t automatically make an interception. A court might decide that reaching stored or copied data isn’t “interception” at all, or that no one ever showed the vendor actually read what it got.
The second theory leans on CIPA’s pen-register and trap-and-trace provisions, Sections 638.50 and 638.51. The complaint there isn’t about the contents of the visit but the record of it: timestamps, add-to-cart events, clicks, scrolling, cursor movement. The problem is that the line between “contents” and a “record” is blurry, and courts have drawn the line in opposite places.
On the pen-register theory the divide runs even deeper, all the way down to whether the statute touches the internet at all. California’s state courts largely say it doesn’t, reading these provisions as being about telephones. Federal courts have gone the other way.
Standing is the other pressure point. A federal plaintiff has to plead a concrete, particularized injury, not just a technical statutory violation. Collect sensitive information without consent — say health conditions, financial details, or personal identifiers — and the injury usually clears that bar. Collect nothing but routine technical data and the claim is far more likely to be dismissed. The same sensitivity requirement usually sinks the tag-along common-law claims for invasion of privacy and intrusion upon seclusion, which need a “highly offensive” intrusion involving sensitive or confidential information.
CIPA rarely travels alone. Plaintiffs often tack on a claim under the California Comprehensive Computer Data Access and Fraud Act (CDAFA), Cal. Penal Code § 502, which makes it illegal to knowingly access, use, or interfere with computers, networks, or data without permission and carries statutory damages and attorneys’ fees. Knowledge is usually where these claims live or die. From there, plaintiffs will often repackage the alleged CDAFA violation as an “unlawful” business practice under California’s Unfair Competition Law (UCL), reaching for an injunction on top of the damages.
What These Demands Look Like
The letters are hitting companies of every size and industry, most with no real tie to California beyond a website a resident there can open. A handful of repeat claimants are behind most of them, and they tend to look alike:
- They do their homework first. By the time a letter arrives, the sender has usually already been through your site and logged what it hands off to third-party vendors.
- It’s dressed up as a lawsuit. Expect a formal package: a cover letter, a draft complaint, and screenshots that supposedly capture the data transfer.
- The numbers add up fast. At $5,000 per violation (or three times actual damages), a demand can reach the tens of thousands without anyone proving actual harm.
- It’s not only about money. Senders frequently want the challenged technology pulled off the site, too.
Why This Should Be on Your Radar
- A form letter is still a real threat. Most of these are churned out from a template, but templated doesn’t mean toothless. Ignoring one is a mistake and so is paying just to make it disappear without legal advice.
- There’s a class action hiding behind the single demand. The theory reaches every visitor who loaded the site from California, so one letter can be the opening move in a much bigger class claim.
- The facts drive everything. An out-of-state business may have a real argument that a California court can’t hear the case in the first place.
- Don’t touch the site before you preserve it. Rushing to change things the moment a letter lands, before you’ve documented how the site was set up, can look like you destroyed evidence even when that was the last thing on your mind.
If a Demand Letter Arrives, Here Is What to Do
Two things not to do: Don’t answer the sender yourself, and don’t change the website until its current state is locked down. Beyond that:
- Get it to counsel. Send it over right away and calendar every deadline the letter mentions.
- Preserve the site. Capture it exactly as it stands now, including source code, tag manager and analytics settings, consent-tool configuration, privacy policy, and vendor agreements before anyone starts making changes.
- Size up the exposure. Have counsel test what the letter claims against how the site actually works before you decide how to answer.
- Then fix the root cause. Once the immediate demand is handled, sit down with counsel and your website or marketing team to review the tracking setup and clean it up where needed, so no one can run the same theory at you again.









