CIPA Demand Letter: What It Means for Your Website and What to Do About It

Published Jun 19, 2026

  • A CIPA demand letter is a pre-litigation document, not a finding of wrongdoing. These letters are template-driven and volume-produced. Claims may not reflect the specific facts of your website. Engage legal counsel promptly.
  • Actual exposure depends on which tracking technologies your site deploys, whether they fire before consent is obtained, and whether your opt-out mechanisms work as intended.
  • CIPA and CCPA are separate statutes. CCPA compliance does not protect against CIPA claims. Both are regularly cited together in demand letters targeting websites with standard tracking tools.
  • Gating cookie and script firing on prior consent is the most direct operational step available to address the conditions that attract CIPA liability.
  • GPC signal recognition and a functional "Do Not Sell or Share" mechanism are active enforcement priorities. Gaps here represent independent regulatory risk.
  • The 2026 enforcement environment is more coordinated and consequential than at any prior point. Addressing consent infrastructure now reduces exposure to both private litigation and regulatory action.

Demand letters citing CIPA are reaching businesses across the U.S. at an unprecedented rate in 2026. They often target websites running standard cookies and tracking tools. This guide explains what plaintiffs are actually claiming, what your real risk looks like, why CCPA compliance doesn’t cover these situations, and how implementing cookie consent management can address conditions that make websites a target.

Got a demand letter citing the California Invasion of Privacy Act (CIPA)? You're far from alone. In 2026, these letters are reaching businesses across the U.S. at an unprecedented rate. Most of the businesses receiving them run entirely standard cookie and analytics tools that millions of other sites deploy without a second thought.

What changed is the litigation strategy, not the technology. A small number of plaintiffs' firms have built industrialized, template-driven dockets that target any website transmitting user data to a third-party vendor. The letter your business received is likely one of thousands sent to companies just like yours.

This guide explains what these letters typically claim, how the litigation economics work, what your real risk may be, and the steps your business can take in response, including how cookie consent management directly addresses the conditions that attract CIPA claims in the first place.

CIPA Demand Letter: What Is It and Who Sent It?

A demand letter is a pre-litigation notice sent by or on behalf of an individual, typically a plaintiff represented by a specialist privacy litigation firm, alleging that your website has violated one or more provisions of California privacy law.

The letter will cite specific statutes, describe the alleged conduct in general terms, and set out what the sender is demanding, usually a financial settlement and remediation.

Most letters arriving in 2026 are not bespoke documents. They are produced at scale by a handful of plaintiffs' firms that have built template-driven intake processes: 

  1. Network traffic is captured on consumer-facing sites
  2. A tracking pixel or script is identified
  3. A near-identical demand letter is dispatched

CIPA is the statutory framework most commonly cited in these letters. In some cases CCPA violations are also referenced. Understanding what each actually requires, and how they differ, is essential to assessing what the letter is really claiming.

CIPA: The California Invasion of Privacy Act

The California Invasion of Privacy Act (CIPA) was enacted in 1967 as a criminal anti-wiretapping statute, originally designed to protect telephone conversations from unauthorized interception during the height of the Cold War. 

Over the past several years, plaintiffs' attorneys have extended its provisions to modern tracking technologies: cookies, advertising pixels, session replay tools, chat widgets, and analytics scripts deployed on websites.

The two CIPA sections most commonly cited in demand letters are Section 631, which prohibits the unauthorized interception of electronic communications, and Section 638.51, which prohibits the installation or use of a pen register or trap and trace device without consent. 

Pen register: Defined by the statute to mean any device or process that records outgoing signaling information from a communication, such as phone numbers dialed or IP addresses contacted, but not the content of the communication itself. 

Trap and trace device: A device or process that captures incoming signaling information, such as the originating number or address of an incoming communication, again without capturing content.

Both are governed by the same federal statute: 18 U.S.C. §§ 3121–3127, which is the Pen Register Act, part of the Electronic Communications Privacy Act of 1986.

Whether common website analytics and advertising tools constitute pen registers under Section 638.51 remains contested. A May 2026 ruling by the Los Angeles Superior Court found that the provision applies only to telephone communications and not to software on commercial websites. This is a significant development for defendants facing these claims. 

However, the decision is not binding precedent, and SB 690, the California bill that would have created a commercial business purpose exemption, stalled in the Assembly during the 2025 session and has not yet been enacted, though a hearing is scheduled for July 1, 2026. As a two-year bill, it remains eligible for reconsideration in 2026, but enactment is far from certain.

Until it is enacted, the current litigation landscape is unchanged, making robust consent infrastructure the most reliable operational response available.

What makes CIPA particularly attractive to plaintiffs' firms is its private right of action, which is unusual for a statute that sits in the Penal Code, where enforcement is typically reserved to the government.

Any California resident can bring a civil claim directly without involving a regulator. Statutory damages are USD 5,000 per violation, with no requirement to prove actual harm. On a website with meaningful California traffic, those figures aggregate quickly.

CCPA: The California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), govern how businesses collect, use, share, and sell the personal information of California residents. 

Unlike CIPA, the CCPA is primarily an opt-out framework. Businesses do not generally need prior consent to collect personal information, but they must notify visitors about data use, provide the ability to opt out of the sale or sharing of their data, and honor universally recognized opt-out signals, including the Global Privacy Control (GPC).

Having a CCPA-compliant program doesn’t shelter you from CIPA exposure. The laws address different questions entirely. 

  • CCPA concerns itself with what data is collected and what rights consumers hold over it
  • CIPA addresses the manner in which communications are intercepted, imposing a prior consent requirement that operates independently of any CCPA obligations a business may have met

A website can have a comprehensive privacy policy and a functioning opt-out mechanism in place and still attract CIPA liability, if third-party tracking tools are deployed without first obtaining consent.

Why Are Businesses Receiving These Letters in Greater Numbers Now?

Privacy class action litigation under CIPA, the CCPA, the Video Privacy Protection Act (VPPA), and related statutes has become, in the assessment of some specialist privacy litigators, an industrialized revenue stream for the plaintiffs' bar. The economics are straightforwardly asymmetric.

The cost to plaintiffs of sending a demand letter is low, typically in the low four figures. Filing a templated complaint adds a little more. The cost to a defendant of defending through a motion to dismiss with a conventional law firm team can reach USD 400,000–USD 800,000.

Against that backdrop, settling for far less than the cost of defense becomes the rational short-term calculation, which is precisely what these firms are counting on. The statutory exposure figures create the leverage. 

The following summarizes the per-violation ranges from recent litigation (statute; per-violation exposure; typical putative class):

  • CIPA § 631 (wiretap): USD 5,000 per violation; all California visitors over the limitations period
  • CIPA § 638.51 (pen register): USD 5,000 per violation; all California visitors with device data captured
  • CCPA (statutory damages): USD 100–750 per incident, or actual damages; California consumers affected by a qualifying breach
  • VPPA § 2710: USD 2,500 per violation plus attorneys' fees; all subscribers exposed to unauthorized pixel disclosure

A website with substantial California traffic running a non-compliant advertising technology tool could, in theory, face statutory exposure in the billions. 

That outcome is unlikely to materialize, but the gap between theoretical exposure and realistic settlement is the mechanism plaintiffs' firms use to generate pressure. Addressing your consent infrastructure directly reduces that gap.

What Receiving a Demand Letter Actually Means

A demand letter is not a finding of wrongdoing. It means that a plaintiff (or more commonly a plaintiff's firm) has identified your website as a potential target and is testing your response. Most letters are part of a mass mailing strategy and are not tailored to the specific facts of your business.

That said, ignoring a demand letter carries real risk. It can be treated as disinterest in resolution, accelerating escalation to formal litigation. The appropriate first step is always to forward the letter to qualified legal counsel without delay. CIPA demand letters typically include relatively short response deadlines, commonly 20–30 days.

While counsel reviews the specific claims, there are several operational questions your business should be prepared to answer.

Most CIPA claims rest on the presence of specific tracking tools that transmit data to external servers, including:

  • Advertising pixels
  • Session replay software
  • Third-party chat functions
  • Analytics scripts

A web compliance scan to inventory what technologies your site deploys, and under what consent conditions they fire, is an essential early step.

Does Your Site Recognize the Global Privacy Control Signal?

GPC compliance is an active enforcement priority across multiple states. As of January 1, 2026, businesses subject to the CCPA must confirm to consumers that their opt-out preference signal has been processed. A visible acknowledgment is required, not just silent backend processing. 

If your site does not currently detect and honor the GPC signal, that is an independent compliance gap to address regardless of how the demand letter resolves.

Under CIPA, the question of whether a tracking technology requires prior consent continues to be worked out in California courts, and recent rulings have introduced meaningful but not yet settled guidance on the scope of the pen register provisions.

In the absence of statutory clarity, implementing a consent management platform (CMP) that obtains prior user consent before firing tracking scripts positions your business more defensibly than relying on opt-out signals alone.

Under the CCPA, the relevant questions are whether your opt-out mechanisms are functional, whether your privacy policy accurately reflects your data practices, and whether you have a documented process for honoring consumer rights requests within the required 45-day window.

You Received a CIPA Demand Letter: What to Do Now

The following steps are not legal advice; however, they do reflect the practical actions businesses typically take in parallel with engaging legal counsel.

Demand letters are typically prepared by attorneys who litigate these cases at high volume. The response should be handled by counsel with specific experience in CIPA, CCPA, and related privacy litigation.

Do not respond directly to the sender without counsel. Any written response you make to the plaintiff's firm without counsel involved could become part of the record if litigation follows.

Preserve Relevant Documentation

Do not delete website logs, consent records, privacy policy versions, or vendor contracts. Preservation obligations may attach at the moment you receive the letter. 

Audit Your Website's Tracking Technologies

Identify every third-party script, pixel, and analytics tool currently deployed. Determine under what conditions each fires: before consent, after consent, always on, or blocked until consent is given.

Review Your Privacy Policy for Accuracy

Your policy must accurately describe the categories of personal information you collect, the purposes for which it is used, and the third parties with whom it is shared. A material discrepancy between stated practices and actual data flows is an independent compliance risk.

Check Your Opt-Out Mechanisms

Confirm that your "Do Not Sell or Share My Personal Information" link is visible and functional (and, if relevant, a "Limit the Use of My Sensitive Personal Information" link). Confirm that opt-out via GPC is detected and honored, and that a visible acknowledgment is displayed when the signal is processed.

A CMP cannot eliminate litigation risk — no technology can — but it directly addresses the consent infrastructure failures that underlie most CIPA claims.
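The audit step above asks under what conditions each tag fires, and the opt-out check asks whether GPC is detected, honored and visibly acknowledged. The following is an added example (not Cookiebot or Usercentrics code) of a minimal consent-gated tag loader that fails closed before a choice is recorded, treats `navigator.globalPrivacyControl` as an opt-out of sale/sharing, and writes a timestamped consent record. The `data-consent-category` attribute, the category names and the storage key are assumptions made for this example.

```javascript
// Added example (not Cookiebot or Usercentrics code). The data-consent-category
// attribute, category names and storage key are assumptions for this example.
const CATEGORIES = ['necessary', 'statistics', 'marketing'];

// Resolve the effective consent state from a stored consent record (null on a
// first visit) and the browser's Global Privacy Control flag
// (navigator.globalPrivacyControl). Fail closed: before any choice is recorded
// only strictly necessary scripts may fire.
function resolveConsent(stored, gpcSignal) {
  const state = { necessary: true, statistics: false, marketing: false, gpcHonored: false };
  if (stored && stored.choices) {
    for (const c of CATEGORIES) {
      if (c !== 'necessary') state[c] = stored.choices[c] === true;
    }
  }
  if (gpcSignal === true) {
    // GPC is a universal opt-out of sale/sharing: marketing tags stay blocked
    // even if an earlier banner choice opted in. Which categories count as
    // "sale or sharing" is a mapping your counsel decides; this is one example.
    state.marketing = false;
    state.gpcHonored = true;
  }
  return state;
}

// Whether a tag in the given category may load under the resolved state.
// Unknown categories never load (a mis-tagged script must not fire by default).
function mayLoad(category, state) {
  return CATEGORIES.includes(category) && state[category] === true;
}

// Build the timestamped, auditable record of what was shown and what was chosen.
function buildConsentRecord(choices, gpcSignal, shownCategories, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    shown: shownCategories.slice(),
    choices: { ...choices, necessary: true },
    gpcSignal: gpcSignal === true,
  };
}

// Browser wiring: trackers are embedded as inert
// <script type="text/plain" data-consent-category="marketing" src="..."> tags,
// which the browser never executes; only permitted ones are swapped for live
// scripts. Returns the number activated (0 when there is no document, e.g. in tests).
function applyConsent(state, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  const gated = doc.querySelectorAll('script[type="text/plain"][data-consent-category]');
  for (const tag of gated) {
    if (!mayLoad(tag.dataset.consentCategory, state)) continue;
    const live = doc.createElement('script');
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated++;
  }
  if (state.gpcHonored) {
    // Visible acknowledgment that the opt-out signal was processed.
    const notice = doc.createElement('p');
    notice.textContent = 'Your Global Privacy Control opt-out signal has been honored.';
    doc.body.prepend(notice);
  }
  return activated;
}

// Typical page start-up: read the stored record, honor GPC, then unblock tags.
if (typeof navigator !== 'undefined' && typeof localStorage !== 'undefined') {
  const stored = JSON.parse(localStorage.getItem('consent-record') || 'null');
  applyConsent(resolveConsent(stored, navigator.globalPrivacyControl));
}
```

Which categories a GPC signal should suppress is a legal mapping, not a technical one; the example blocks only marketing tags so the rule is easy to change once counsel has classified your tools.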

How Cookiebot by Usercentrics Can Support Your Response

Cookiebot by Usercentrics is a consent management platform used by websites worldwide to manage global consent requirements, including cookie consent and the honoring of opt-out signals, and to maintain auditable consent records. For businesses that have received a CIPA demand letter, the most directly relevant capabilities are the following.

Cookiebot™ enables you to configure whether third-party tracking technologies, such as advertising pixels, analytics scripts, and session replay tools, fire before or after a visitor provides consent. 

For technologies that your legal counsel determines require prior consent, the CMP can block those technologies from loading until consent is given. This directly addresses the "unauthorized interception" theory underlying most CIPA Section 631 and 638.51 claims.

Global Privacy Control Recognition

Cookiebot™ by Usercentrics supports GPC signal detection, enabling your website to automatically recognize and honor opt-out preferences communicated through the browser. 

In the event of litigation or a regulatory inquiry, timestamped, granular consent records that document what each visitor was shown, what choices were available, and what the visitor selected, carry significant evidential weight. Cookiebot™ stores consent data in a format designed to support these audit requirements.

Do Not Sell / Share Opt-Out Infrastructure

Cookiebot™ supports the opt-out mechanisms required under the CCPA, including the "Do Not Sell or Share My Personal Information" link, the "Limit the Use of My Sensitive Personal Information" mechanism, and the downstream signaling of consumer preferences to connected third-party services.

Why CIPA and CCPA Are Frequently Used as Litigation Tools

Understanding why plaintiffs' firms favor these statutes over others clarifies what the demand letter is really about, and what the realistic path to reducing risk looks like.

The Private Right of Action Under CIPA Is Broad

To date, California's consumer privacy law (the CCPA) is the only state privacy law that provides a private right of action, and it does so only in data breach scenarios. CIPA is quite different. Any individual can bring a civil claim for any alleged unauthorized interception or recording — not just in breach scenarios — if the individual or business is based in California.

That breadth, combined with USD 5,000 per-violation statutory damages and no requirement to prove actual harm, makes CIPA the preferred vehicle for digital tracking claims.

This is distinct from the CCPA's private right of action, which is limited to data breaches and subject to a 30-day cure period before litigation can proceed. For CIPA claims brought by private plaintiffs, no such cure period applies.

The Problem with Aggregation

The per-visit or per-user nature of the claimed violations is what creates the enormous theoretical exposure figures. A website with significant California traffic where a tracking technology fires on every page load without prior consent creates a separate arguable violation per visit. 

Plaintiffs do not need to win at those headline numbers; they need to survive a motion to dismiss long enough to generate settlement pressure.

The Asymmetry of Defense Costs

Plaintiffs' firms calibrate their demands against the expected cost of defense, not the probability of winning at trial. Conventional defense through a motion to dismiss can cost USD 400,000–USD 800,000 with a large law firm. 

A technically fluent defense that understands exactly how the tracking technology at issue works — and can argue that effectively at the pleading stage — can compress that cost significantly while improving the prospect of a dispositive outcome. Your legal counsel is best placed to advise on this.

The Enforcement Landscape in 2026

The demand letter arrives in a context of substantially escalating enforcement activity at both the regulatory and private litigation levels.

On the regulatory side, CalPrivacy's enforcement program has grown significantly. The USD 12.75 million General Motors settlement in May 2026, which is the largest CCPA penalty to date, resolved allegations that the company shared location and driving behavior data with data brokers without consumer awareness or consent. 

Earlier enforcement actions against Tractor Supply Company (USD 1.35 million, September 2025) and American Honda Motor Co. (USD 632,500, March 2025) addressed the same recurring themes: non-functional opt-out mechanisms, failure to honor GPC signals, and inadequate data minimization.

The Consortium of Privacy Regulators, a bipartisan coalition established in April 2025 comprising CalPrivacy and the attorneys general of California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, has formalized cross-state enforcement coordination. 

Businesses operating across multiple states should treat CCPA compliance as a baseline, not a California-specific consideration.

On the private litigation side, the volume of digital wiretapping claims shows no sign of declining while SB 690 remains unenacted. Businesses that address their cookie consent infrastructure proactively are materially better positioned than those waiting for legislative relief that may not arrive on any predictable schedule.

Usercentrics does not provide legal advice. The content of this article is for educational purposes only. Businesses that have received a demand letter should engage qualified legal counsel promptly.

Frequently asked questions

What is a CIPA demand letter?

A CIPA demand letter is a pre-litigation notice alleging that your website has violated the California Invasion of Privacy Act, most commonly by deploying tracking technologies such as cookies, pixels, or session replay tools that intercept electronic communications or operate as pen registers without prior user consent.

The letter typically includes a damages calculation and a settlement demand with a short deadline. You should take it seriously and engage legal counsel promptly, but receiving a letter does not mean you have been found to have violated the law.

Do I have to respond to a CIPA demand letter?

There is no statutory requirement to respond to a pre-litigation demand letter, but ignoring it carries significant risk. Failure to respond may be treated as disinterest in resolution, accelerating escalation to formal litigation. Forward the letter to qualified legal counsel immediately. If you respond at all, do so only through or in consultation with counsel.

What is the difference between CIPA and the CCPA?

CIPA is a wiretapping statute that prohibits the unauthorized interception of communications and the use of pen register devices without consent. It provides a private right of action for any California resident, with USD 5,000 per-violation statutory damages and no requirement to prove actual harm.

The CCPA is a data transparency and opt-out law that gives consumers rights over how their personal information is used and requires businesses to honor opt-out requests and GPC signals. The CCPA's private right of action is limited to data breach scenarios. 

Both statutes are frequently cited together in demand letters targeting websites with tracking technologies, and compliance with one does not satisfy the requirements of the other.

Which website technologies do CIPA claims target?

Common targets include advertising pixels (including Meta Pixel and Google tags), session replay tools, third-party chat widgets and chatbots, and analytics scripts that transmit data to external servers.

The central legal question is whether these technologies intercept communications in real time — the basis of Section 631 claims — or function as pen registers by recording routing and identifying information without consent — the basis of Section 638.51 claims.

Courts have reached inconsistent conclusions on this question. A May 2026 ruling by the Los Angeles Superior Court found that § 638.51 does not apply to software on commercial websites, giving defendants persuasive authority to contest pen register claims, but the decision is not binding on other courts and the legal landscape remains unsettled.

What is the status of SB 690?

SB 690, which would create a commercial business purpose exemption for companies processing personal information within the scope of the CCPA, stalled in the California Assembly during the 2025 session and was designated a two-year bill.

It is eligible for reconsideration in the 2026 legislative session, which must conclude by August 31, 2026. Even if enacted, the bill could not take effect before 2027, and as currently drafted would not apply retroactively. 

The retroactivity provisions that would have applied to pending cases were removed before the Senate vote. Until the bill is enacted, the current litigation landscape is unchanged, and businesses should not build their compliance strategy around the assumption of legislative relief.