Tags: CIPA, privacy, compliance, legal, California, demand-letter

Guide to CIPA Demand Letters: What they are, Why you got one, and What to do next

Eddy Udegbe
Thousands of businesses have received CIPA demand letters targeting routine website tracking tools. Here's what the letter actually means, what your real exposure is, and the exact steps to take in the next 72 hours.

In this guide:

  • What is CIPA?
  • Why your website triggered a claim
  • What a demand letter actually contains
  • What to do in the next 72 hours
  • How to CIPA-proof your website
  • Where CIPA litigation is headed
  • Frequently asked questions

You just got a CIPA demand letter. Here's what's actually happening.

It probably arrived as a PDF. Formal letterhead, dense legal language, a California statute you've never heard of, and a number at the bottom that made your stomach drop — $5,000 per violation, multiplied by what could be millions of interactions on your website.

Your first instinct was probably to forward it to your legal team and hope it goes away. Your second instinct — if you're reading this — was to figure out what the hell a "CIPA demand letter" actually is before you do anything else.

Good instinct.

Here's the first thing you need to know: you are not being singled out. The California Invasion of Privacy Act — CIPA, pronounced "see-pah" — has become the legal industry's most active shakedown vehicle of the last two years. Thousands of businesses have received letters almost identical to yours. The plaintiffs' attorneys sending them have turned it into an assembly line. Your company showed up in their targeting because your website runs tracking technology — almost certainly something as routine as Google Analytics, a Meta Pixel, a live chat widget, or a session replay tool.

That does not mean the letter is frivolous. It is not. The legal theory behind it is real, the courts have allowed these claims to proceed, and the financial exposure can be significant if you don't respond correctly.

What it does mean is that you have options — and the companies that navigate this best are the ones who understand what they're actually dealing with before they make a move.

This guide will get you there.

By the end, you'll know exactly what CIPA is, why your website triggered it, what your real exposure looks like, and the precise steps to take in the next 72 hours.

What is CIPA? A 1967 wiretapping law meets the modern web

To understand why you're holding this letter, you need to understand a law that was written before the internet existed — and why courts have decided it applies to your website anyway.

The California Invasion of Privacy Act was signed into law in 1967. Its original target was straightforward: telephone wiretapping. California legislators were worried about eavesdroppers listening in on private phone calls, so they made it illegal for any third party to intercept a communication without the consent of everyone involved. Not one party. Everyone. This is what lawyers call an "all-party consent" rule, and it's significantly stricter than the federal standard, which only requires one party to consent.

For three decades, CIPA was essentially a phone law. Then the internet happened.

The two decisions that changed everything

In 2006 and again in 2020, California courts made rulings that dramatically expanded CIPA's reach. First, they established that CIPA applies to businesses located outside California — if your website serves California residents, you are subject to California law regardless of where your company is headquartered. A brand based in New York, Texas, or London with customers in Los Angeles is inside CIPA's jurisdiction. Second, courts determined that modern website tracking technologies could constitute "interception" of communications under the statute. A 1967 wiretapping law now had teeth in the digital world.

These two decisions turned CIPA into a plaintiff's attorney's dream.

The three sections you'll see cited in your letter

Most CIPA demand letters invoke one or more of three specific provisions. Understanding what each one actually says matters, because the technology named in your letter will correspond to a specific section — and the defenses available to you depend on which one is being invoked.

Section 631(a) is the core wiretapping provision. It prohibits intentionally intercepting or reading the contents of any communication while it's in transit, without the consent of all parties. This is the section most commonly cited in claims involving session replay tools and chatbots — technologies that capture what a user is typing or clicking in real time.

Section 632 addresses confidential communications specifically. It prohibits recording or eavesdropping on a conversation that a reasonable person would consider private, again without all-party consent. This section appears less frequently in website tracking claims but shows up in cases involving recorded customer service interactions or voice-enabled features.

Section 638.51(a) covers pen registers and trap-and-trace devices — tools that record metadata about communications rather than content itself. Pixel-based tracking claims often rely on this section, since a tracking pixel captures information about where a user came from and what they did without necessarily capturing the substance of what they communicated.

The number that makes this dangerous

Each of these provisions carries a private right of action with statutory damages of $5,000 per violation — or three times actual damages, whichever is greater. Crucially, a plaintiff does not need to prove they were actually harmed. The violation itself is enough to trigger the penalty.

This is what separates CIPA from most modern privacy laws. The California Consumer Privacy Act — the CCPA — governs how businesses must disclose and manage personal data. It is primarily a disclosure and opt-out framework, and its private right of action is narrow. CIPA doesn't care about disclosure. CIPA makes the interception itself the offense, and it puts a dollar figure on every single instance.

If your website had 50,000 California visitors last year and a tracking tool was running without proper consent, the theoretical exposure is $250 million. Courts rarely award maximum statutory damages, and most cases settle for far less — but that number is what the letter is designed to make you think about.

Now you understand why the plaintiffs' bar discovered CIPA. And why your letter looks the way it does.

Why your website triggered a CIPA claim

Here is the uncomfortable truth about your website: it almost certainly contains code you didn't personally install, don't fully understand, and have never audited for legal risk. Almost every business website does. That code is why you got this letter.

To understand the specific claim being made against you, you need to understand both the technology involved and the legal theory that turns routine marketing tools into potential wiretapping violations. They're inseparable.

The legal theory: your vendor as eavesdropper

CIPA's wiretapping provision requires three parties to trigger liability: a sender, a recipient, and an unauthorized third party intercepting the communication. In a traditional phone wiretap, that's obvious — caller, receiver, and the person on the tap. Plaintiffs' attorneys have applied this same framework to your website.

When a user visits your site and types something into a search bar, fills out a form, or interacts with a chat widget, they are the sender. Your company is the recipient. But embedded in your website's code are tools built by third-party vendors — and those vendors, the theory goes, are intercepting the communication in real time as it passes between your user and your server.

The critical phrase is "in real time." Courts have drawn a meaningful distinction between capturing data as it's being transmitted — which can constitute interception — and accessing data that's already been stored. The former is a CIPA risk. The latter is generally not. This is why session replay tools and live chat widgets are more legally exposed than, say, your CRM pulling a customer's past order history.

Meta Pixel

Meta Pixel — formerly Facebook Pixel — is the most frequently named technology in CIPA claims. When a user visits a page on your site, the Pixel fires and sends data to Meta's servers: what page they visited, what they searched for, what they added to a cart. Meta uses that data for its own advertising purposes, which is precisely what makes it legally dangerous under CIPA. A vendor that collects data solely on your behalf looks like a tape recorder. A vendor that uses the data for its own business — which Meta explicitly does — looks more like an independent eavesdropper. The 9th Circuit's 2022 decision in Javier v. Assurance IQ established that this distinction matters enormously.

Google Analytics and Google Tag Manager

Google Analytics and Google Tag Manager present a similar profile. Analytics data flows to Google's servers, and while the terms of service restrict how Google uses that data, the practical reality is that a third-party infrastructure is capturing your users' behavior in real time. GTM compounds the risk because it acts as a container for other tracking scripts — meaning a single misconfigured GTM deployment can introduce multiple CIPA-risky tools simultaneously, often without your marketing team realizing it.

Session replay tools

Session replay tools — Hotjar, FullStory, Microsoft Clarity, and their competitors — are particularly exposed under Section 631(a) because their entire value proposition is capturing exactly what a user does on your site: every mouse movement, every keystroke, every hesitation before clicking away. In St. Aubin v. Carbon Health, a 2024 Northern District of California decision, the court held that descriptive URLs — the kind that reveal what a user was searching for or looking at — can qualify as communication "contents" under CIPA. Session replay tools capture exactly this kind of data.

Live chat and chatbot widgets

Live chat and chatbot widgets are the most intuitively obvious risk. When a user types a message into your chat window, that message is a communication. If the chat vendor's infrastructure captures that message before it reaches you — or routes it through their servers in a way that gives them access to it — the third-party eavesdropper theory applies directly.

The consent timing problem

You may be reading this thinking: but we have a cookie banner. Users consent before we track them. That consent protects us.

It might. But only if it's working correctly — and most aren't.

The consent timing problem is this: many cookie banners are configured to load after the tracking scripts have already fired. A user arrives on your homepage. In the milliseconds before they see your consent banner, your session replay tool has already begun capturing their activity, your Meta Pixel has already fired, and your Google Analytics tag has already recorded their session. The banner appears, they click "accept," and your system logs a consent — but the interception already happened before consent was given.

California courts have been unambiguous on this point: retroactive consent is not valid consent. You cannot capture data first and obtain permission afterward. The legal standard requires prior consent — meaning the tracking must not begin until the user has affirmatively opted in.

A secondary problem is false positives: users who click "decline" or "reject all" but whose data gets collected anyway because the consent signal isn't properly wired to the tracking tags. At least one California court has noted that this mismatch — telling users their choice matters while ignoring it technically — is actually worse than having no banner at all, because it creates an affirmative misrepresentation.

Anatomy of a CIPA demand letter: what they're claiming and what they want

Now that you understand the law and the technology, let's look at the document in front of you with clear eyes.

CIPA demand letters are not random. They follow a playbook — a deliberate structure refined by plaintiffs' attorneys who have sent hundreds or thousands of them. Once you know what each part of the letter is doing, it stops feeling like an incomprehensible legal threat and starts looking like what it actually is: a negotiating opening position, written to maximize your anxiety and minimize your inclination to fight back.

That doesn't make it ignorable. But it does make it readable.

The standard structure

Most CIPA demand letters contain the same five components, in roughly this order.

The statutory recitation comes first. Two or three paragraphs explaining what CIPA is, which sections apply, and what the law prohibits. This section is written for you, not a judge — its purpose is to establish that the law is real, serious, and clearly violated. It will cite § 631(a), § 638.51(a), or both. It will not mention the decisions that went the other way.

The factual allegation follows. This is the section that names your company, identifies a specific California resident who visited your website, and describes what allegedly happened during that visit. Pay close attention to this section. The factual specificity here varies enormously between letters. Some are genuinely detailed — they've run your site through a scanning tool and documented the consent mechanism's behavior. Others are almost entirely generic.

The damages calculation is the part most recipients fixate on, to the exclusion of everything else. The letter will state the $5,000 statutory penalty per violation and then gesture toward the total exposure. A business with 100,000 California visitors per year, a tracking tool running for 18 months, and a generous interpretation of "per violation" can find itself looking at nine-figure theoretical liability. This number is designed to make settlement look rational by comparison.

The demand itself is usually a specific dollar figure with a response deadline, typically 30 days. The amount requested bears no consistent relationship to the theoretical maximum exposure. For smaller businesses, demands commonly range from $25,000 to $150,000. For larger companies with significant California traffic, the opening number can be considerably higher.

The threat of escalation closes most letters, noting that failure to respond will result in individual litigation, a class action, or both. This is the section designed to make the deadline feel like a cliff edge.

Individual demand vs. class action threat

An individual CIPA claim is manageable. One plaintiff, one set of damages, one litigation track. Even if the claim has legal merit, the economics of litigating a single case often favor a negotiated resolution.

A class action is a different creature entirely. If a plaintiff successfully certifies a class of California residents who visited your site during the period the tracking tool was running, every member of that class becomes a potential claimant. At the demand letter stage, the class action threat is almost always posturing. Plaintiffs' attorneys send these letters precisely because individual settlements are economically efficient for them. But do not treat the threat as empty. Some firms do file.

The arbitration variant

A significant and growing subset of CIPA demand letters don't threaten court at all. They threaten arbitration. If your website's terms of service contain an arbitration clause, plaintiffs' attorneys have discovered they can use it against you — filing individual arbitration demands, often dozens or hundreds simultaneously against a single company. Each arbitration proceeding carries its own filing fees and administrative costs, regardless of merit. The economic pressure isn't the damages — it's the cost of defending hundreds of simultaneous arbitrations. If your letter references arbitration rather than litigation, flag it specifically for your counsel.

What they actually want

Strip away the statutory citations and the theoretical exposure numbers, and most CIPA demand letters want the same thing: a check, written quickly, for an amount the sender has calculated is less painful than fighting.

The sending attorneys have done the math. They know approximately how much it costs to defend a CIPA case through motion to dismiss. They've set the demand at a number designed to sit just below your pain threshold for resistance. Understanding this doesn't mean you should simply pay. It means you should recognize the demand for what it is — an opening bid — and respond accordingly.

What to do in the next 72 hours

This is the section that matters most. Everything before it was context. This is action.

The companies that navigate CIPA demand letters well share one characteristic: they treat the letter as a project to be managed, not a crisis to be survived. That shift — from reactive panic to deliberate process — happens faster when you know exactly what to do and in what order.

Here are the seven steps. Do them in sequence.

Step 1: Do not ignore it

This sounds obvious. It is not universally practiced.

A significant number of CIPA demand letters go unanswered. If you ignore a demand letter and the sending attorney files suit, you lose your ability to negotiate from a position of relative strength. Default judgments are real. Note the response deadline in the letter — it is typically 30 days from the date of the letter, not the date you received it. Check the postmark. If you are already inside that window — or past it — tell your attorney immediately.

Step 2: Do not respond yet

This is the counterintuitive one. You've just been told not to ignore the letter. Now you're being told not to respond to it. Both are true.

What you must not do is send any communication to the demanding party before you have counsel involved and a clear-eyed view of your actual exposure. An unguided response can: create a written record of admission, signal that you are unrepresented and anxious, anchor the negotiation at your first number rather than theirs, and potentially waive defenses that would otherwise be available to you.

Acknowledge receipt internally. Brief your CEO or general counsel. Open a dedicated email thread and document folder for everything related to this matter. Then stop all external communication until Step 3 is complete.

Step 3: Engage privacy counsel — the right kind

Not all privacy attorneys are equally useful here. CIPA litigation is a specialized sub-field, and the attorney who drafted your privacy policy may not be the right person for this. What you need is counsel with direct CIPA experience — ideally someone who has defended CIPA claims through the motion to dismiss stage and understands the current state of the case law in the specific federal district where you'd likely be sued.

Ask any prospective attorney directly: have you defended a CIPA demand letter or CIPA lawsuit in the last 18 months? How many? What was the outcome? The plaintiffs' bar has professionalized this space — your defense should match that level of specialization.

Step 4: Conduct an emergency technology audit

Before your attorney can advise you on the strength of the claim or the likely defenses, they need to know the factual reality of your website's tracking setup. That means you need to know it first.

This audit has four components:

  1. Identify every third-party tool currently running on the site. Use a technical scanning tool — browser developer tools, a tag auditing platform, or your consent management platform's reporting — to see what is actually firing when a user lands on your pages. What's in your tag manager is not always what's on your site.

  2. Determine whether the specific tool named in the demand letter is present and active. If the tool named in the letter isn't actually running on your site — or was removed months ago — that is an immediate and significant defense. Document it with screenshots and server logs.

  3. Check the consent timing. Load your website in a fresh browser with no prior cookies, and watch the network requests in your browser's developer tools. Which tracking tags fire before the consent banner resolves? If your session replay tool or Meta Pixel fires in the first 200 milliseconds of a page load — before any human could possibly have seen and responded to a consent banner — you have a consent timing problem that is central to the claim against you.

  4. Preserve everything. Before you change a single line of code, take screenshots of the current state, export your tag manager configuration, and preserve server logs if available. This is your litigation hold. Do not remediate first and document second.
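Step 3 of the audit asks you to watch which third-party hosts are contacted before the banner resolves. The following is an added example, not code from the original article: it takes resource-timing entries of the kind the browser's Performance API returns and reports every request to a known tracking host that started before the moment consent was granted. The vendor host list, the helper names and the sample entries are assumptions constructed for this example; in a real audit you would paste the function into the page console and feed it `performance.getEntriesByType('resource')` plus the timestamp at which you clicked "accept".

```javascript
// Added example (not from the original article): find tracking requests that
// fired before consent was resolved, using PerformanceResourceTiming-shaped
// entries. In a browser, collect them with:
//   performance.getEntriesByType('resource').map(e => ({ name: e.name, startTime: e.startTime }))
// startTime is milliseconds since navigation start.

// Hostnames treated as tracking infrastructure. This mapping is an assumption
// for the example; extend it with the vendors named in your own letter.
const TRACKING_HOSTS = {
  'connect.facebook.net': 'Meta Pixel',
  'www.facebook.com': 'Meta Pixel',
  'www.google-analytics.com': 'Google Analytics',
  'www.googletagmanager.com': 'Google Tag Manager',
  'static.hotjar.com': 'Hotjar session replay',
  'www.clarity.ms': 'Microsoft Clarity session replay',
};

// Returns the vendor label for a request URL, or null for first-party and
// unknown hosts (and for strings that are not URLs at all).
function vendorFor(url) {
  let host;
  try { host = new URL(url).hostname; } catch (e) { return null; }
  return TRACKING_HOSTS[host] || null;
}

// entries: [{ name, startTime }] as above.
// consentTime: ms since navigation start at which "accept" was clicked, or
// null if the page was loaded and never interacted with (then every tracking
// request counts, because no consent was ever given).
function collectPreConsentRequests(entries, consentTime) {
  const findings = [];
  for (const entry of entries) {
    const vendor = vendorFor(entry.name);
    if (!vendor) continue;            // first-party or non-tracking asset
    const beforeConsent = consentTime === null || entry.startTime < consentTime;
    if (beforeConsent) {
      findings.push({ vendor, url: entry.name, startTime: entry.startTime });
    }
  }
  // Earliest offender first: that is the number the audit report leads with.
  return findings.sort((a, b) => a.startTime - b.startTime);
}

// Human-readable lines for the audit record (pair them with the screenshots
// and tag-manager export from step 4).
function summarize(findings) {
  return findings.map(f => `${f.vendor} fired at ${f.startTime} ms (${f.url})`);
}

// Constructed sample: a fresh-profile page load where the banner was accepted
// 4,200 ms in. Two vendors fired well before any human could have clicked;
// the session replay script correctly waited for consent.
const SAMPLE_ENTRIES = [
  { name: 'https://example.com/app.css', startTime: 30 },
  { name: 'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE', startTime: 140 },
  { name: 'https://connect.facebook.net/en_US/fbevents.js', startTime: 180 },
  { name: 'https://example.com/api/cart', startTime: 900 },
  { name: 'https://static.hotjar.com/c/hotjar-example.js', startTime: 4500 },
];
const SAMPLE_CONSENT_TIME = 4200;

console.log(summarize(collectPreConsentRequests(SAMPLE_ENTRIES, SAMPLE_CONSENT_TIME)).join('\n'));
```

Run it once per browser and device you support, from a profile with no stored cookies, and keep the output with the rest of the litigation-hold material; a finding of zero pre-consent requests across every profile is the evidence the prior-consent defense in Step 5 depends on.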

Step 5: Evaluate the legal merits — your available defenses

Armed with the results of your technology audit, your attorney will assess the strength of the claim against you. CIPA cases are not slam dunks for plaintiffs — the law is unsettled, courts have ruled both ways, and several defenses have meaningfully succeeded.

The tape recorder exception is your strongest potential defense if your vendor relationship is structured correctly. In Graham v. Noom (2021), the court dismissed a CIPA claim because the session replay vendor collected data solely on the defendant's behalf and was contractually prohibited from using that data for its own purposes. If your vendor agreement contains strong data use restrictions and the vendor demonstrably doesn't monetize your users' data independently, this defense may apply.

The contents vs. metadata distinction gives you a second line of defense if the tool named in the letter captures behavioral or technical data rather than the substance of what users communicated. Section 631(a) applies to the contents of communications — what someone said or typed — not mere metadata like IP addresses or click timestamps.

Prior consent is a complete defense if your consent mechanism was properly configured and demonstrably working at the time of the alleged violation. The bar here is higher than most companies expect — it requires that no tracking fired before affirmative consent was captured, and that users who declined were actually not tracked.

Lack of standing or California nexus is worth exploring if the alleged California resident's connection to your site is thin or if their identity can't be verified. CIPA requires the affected user to have been in California at the time of the alleged interception.

Step 6: Decide on remediation timing — carefully

At some point, you are going to fix your tracking setup. The question is when, relative to your legal response.

There is a genuine tension here. Remediating quickly demonstrates good faith and eliminates ongoing exposure. On the other hand, it can be read as an admission that a violation was occurring. The general approach most privacy counsel recommend: remediate, but do not characterize. Fix what needs fixing, document the technical reasons for the change as a routine compliance improvement rather than a response to the letter, and do not make any external statements connecting the remediation to the demand.

Step 7: Negotiate strategically — if you're going to settle

Not every CIPA demand letter should be settled. Not every one should be fought. Your attorney will help you make that determination based on the strength of the defenses, the credibility of the sending firm, and the practical economics of litigation versus resolution.

If you decide a negotiated resolution makes sense: know your actual exposure before you negotiate (the theoretical maximum is not your real exposure); understand that the first demand is an opening bid (the gap between initial demand and final settlement is often 70 to 90 percent); and be careful about the precedent a fast settlement sets. A company that pays quickly and generously on the first letter can become a target for subsequent letters from other firms.

How to CIPA-proof your website going forward

Let's assume you've handled the letter. The immediate legal crisis is behind you. Now comes the question every company asks at this stage: how do we make sure this never happens again?

The answer is not a one-time fix. It is a compliance infrastructure — a set of technical, contractual, and operational practices that work together to make your website defensible on an ongoing basis. CIPA demand letters target opportunistically. They find companies whose tracking setup has drifted out of compliance, often through no deliberate decision — a new vendor tag someone in marketing added, a website update that broke consent timing, a cookie banner that was never properly wired to the tools it claimed to control.

The three structural fixes

Pre-consent blocking means that no tracking tool fires until a user has affirmatively provided consent. Not "the banner has appeared." Not "the user hasn't declined yet." Affirmative, prior, explicit consent — and only then does the tag execute. To verify this yourself, open your site in a private browser window and watch your network traffic before you interact with the consent banner. If you see requests going out to Meta, Google, your session replay vendor, or any other third-party tracking infrastructure before you've clicked anything — you do not have pre-consent blocking.

Accurate consent UI means that what your banner says it controls is precisely what it controls — technically, completely, and consistently across every browser, device, and page on your site. Cross-browser, cross-device testing is not optional. The California resident in your demand letter was almost certainly using a mobile browser.

Ongoing audit cadence is the fix that most companies implement once and then let atrophy. Every marketing campaign brings new tracking tags. Every website update can introduce new scripts or break existing consent configurations. A monthly technical audit — scanning what tags are present, verifying consent timing, confirming cross-browser behavior — is the minimum frequency for any business with meaningful California traffic.

Vendor contract hygiene

The distinction that saved Noom in Graham v. Noom was contractual: the session replay vendor was explicitly prohibited from using data for its own independent purposes. Review your vendor agreements for the tracking tools running on your site. Look for: a clear restriction on the vendor's right to use data for their own commercial purposes; a data processing agreement that classifies the vendor as a processor acting on your instructions; and an obligation on the vendor to notify you of any changes to their data collection practices.

Privacy policy alignment

Demand letters consistently highlight mismatches between what a company's privacy policy says and what its technology actually does. Conduct a side-by-side comparison: every tool identified in your technology audit should have a corresponding disclosure in your privacy policy. Every vendor named in your contracts should appear in your policy. If your privacy policy is more than 12 months old and your website has changed in any meaningful way during that period, assume it needs updating.

The GPC obligation

The Global Privacy Control is a browser-level signal that allows users to communicate their privacy preferences automatically. California's CPRA requires businesses to honor GPC signals as a valid opt-out of data sale and sharing. A user who has enabled GPC in their browser arrives at your site with a pre-existing privacy preference already expressed. If your website ignores that signal — if tracking fires despite a GPC opt-out being present — you have a compliance failure that is increasingly being cited in demand letters as an independent basis for claims. Test this by enabling GPC in Firefox or Brave and visiting your own site.
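The consent timing problem, the "decline but tracked anyway" mismatch, pre-consent blocking and the GPC obligation are all the same wiring question: does a tracking loader run only after an affirmative signal, never after a refusal, and never when the browser already says no? The following is an added example, not code from the original article or from any consent management vendor: a small consent gate that queues loader functions until the user decides, honours a Global Privacy Control signal as a standing opt-out, and drops the queue on decline. The gate API, the loader names and the scenario helpers are assumptions of this example; the only real browser API referenced is `navigator.globalPrivacyControl`.

```javascript
// Added example (not from the original article): a consent gate that blocks
// tracking loaders until affirmative consent. The "before" pattern it
// replaces is the vendor snippet pasted directly into <head>, which executes
// as the page parses, before any banner exists.
//
// In a browser, construct it as:
//   createConsentGate({ gpcSignal: navigator.globalPrivacyControl === true })

// States: 'pending' (banner shown, nothing fires), 'granted', 'denied'.
function createConsentGate({ gpcSignal = false } = {}) {
  // A GPC-enabled browser arrives with its preference already expressed, so
  // the gate starts denied rather than pending.
  let state = gpcSignal ? 'denied' : 'pending';
  const queue = new Map();   // name -> loader, held until the user decides
  const fired = [];          // names of loaders that actually ran

  function register(name, loader) {
    if (state === 'granted') { loader(); fired.push(name); return; }
    if (state === 'denied') return;      // dropped; nothing to replay later
    queue.set(name, loader);             // pending: hold, do not execute
  }

  function grant() {
    // A refusal (explicit decline or GPC) is treated as final for the session
    // in this example; a later "accept" click must not resurrect the queue.
    if (state === 'denied') return;
    state = 'granted';
    for (const [name, loader] of queue) { loader(); fired.push(name); }
    queue.clear();
  }

  function deny() {
    state = 'denied';
    queue.clear();   // the step that a mis-wired banner skips
  }

  return { register, grant, deny, state: () => state, fired: () => fired.slice() };
}

// Hypothetical vendor loaders. Each pushes its name into `loaded` so the
// scenarios below can show what would have reached the network.
function wireTracking(gate, loaded) {
  gate.register('meta-pixel', () => loaded.push('meta-pixel'));
  gate.register('analytics', () => loaded.push('analytics'));
  gate.register('session-replay', () => loaded.push('session-replay'));
}

// Scenario: user reads the banner and clicks accept. Nothing fires before
// the click; everything queued fires after it.
function scenarioAccept() {
  const loaded = [];
  const gate = createConsentGate();
  wireTracking(gate, loaded);
  const beforeClick = loaded.length;
  gate.grant();
  return { beforeClick, afterClick: loaded.slice(), state: gate.state() };
}

// Scenario: user clicks "reject all", then a late-added tag tries to load.
function scenarioDecline() {
  const loaded = [];
  const gate = createConsentGate();
  wireTracking(gate, loaded);
  gate.deny();
  gate.register('late-campaign-tag', () => loaded.push('late-campaign-tag'));
  gate.grant();   // a stray accept after decline must change nothing
  return { loaded: loaded.slice(), state: gate.state() };
}

// Scenario: browser sends GPC; the site never gets to ask.
function scenarioGpc() {
  const loaded = [];
  const gate = createConsentGate({ gpcSignal: true });
  wireTracking(gate, loaded);
  gate.grant();
  return { loaded: loaded.slice(), state: gate.state() };
}

console.log('accept  ->', JSON.stringify(scenarioAccept()));
console.log('decline ->', JSON.stringify(scenarioDecline()));
console.log('gpc     ->', JSON.stringify(scenarioGpc()));
```

The design point is that `register` never executes a loader on its own; execution is a side effect of `grant`, so a new tag added by marketing inherits the gate instead of bypassing it. Whether a user who arrived with GPC set may later opt back in through a separate, explicit flow is a policy question for counsel; this example keeps the refusal final for the session so that no code path exists in which a refused visitor is tracked.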

The out-of-state trap

California's long-arm jurisdiction over CIPA claims is settled law. If your website is accessible to California residents and any California resident uses it, you are subject to CIPA regardless of where your company is incorporated, where your servers are located, or whether you have a single employee in the state. A brand headquartered in London selling to American consumers, a SaaS company based in Austin with no California office, a DTC beauty brand shipping from New Jersey — if California residents visit your website, CIPA applies to you.

Where CIPA litigation is headed in 2025 and 2026

CIPA is not a static threat. The legal landscape around it is moving — in courts, in the California legislature, and in the strategic behavior of the plaintiffs' bar itself. Understanding where things are headed helps you make smarter long-term decisions about compliance investment.

The California legislature has tried and failed to fix this

In 2024, California legislators introduced two bills specifically aimed at clarifying CIPA's application to online tracking technologies. One would have created an explicit safe harbor for companies using tracking tools for ordinary commercial purposes. The other would have required plaintiffs to demonstrate actual harm before collecting statutory damages. Either bill, if passed, would have significantly reduced the volume of demand letters being sent. Neither made it out of committee.

A third attempt at legislative reform is likely in the 2025–2026 session. Do not build your compliance strategy around the assumption that legislative relief is coming. It may. It may not. And even if it does, the timeline between a bill's introduction and its practical effect on pending claims is long enough that the demand letters will keep arriving in the interim.

The federal courts are producing contradictory outcomes

The Northern District of California has been somewhat more receptive to defendants' arguments — particularly the tape recorder exception and the contents-versus-metadata distinction. The Central District, covering Los Angeles, has produced more plaintiff-friendly outcomes on similar facts. Cases involving the same technology, the same consent mechanism, and nearly identical allegations have been dismissed in one district and allowed to proceed in another.

This inconsistency reflects genuine unsettled questions in the law that the courts are working out in real time. The 9th Circuit Court of Appeals has weighed in on some of these questions, but not all of them, and its decisions have not fully resolved the district-level disagreement.

The plaintiffs' bar is professionalizing rapidly

When CIPA demand letters first began circulating at scale in 2022 and 2023, many were generic — bulk-produced documents with minimal investigation behind them. That is changing. The firms that have stayed in the CIPA space have learned from the cases that failed. Their letters are increasingly specific — naming exact tools, describing precise behavioral sequences, documenting consent mechanism failures with technical specificity. Some are conducting genuine pre-filing investigations, including running their own browser audits and preserving screenshots of consent mechanism behavior at the time of the alleged violation.

The margin for technical error is shrinking. The demand letter you received in 2023 may have been sent by a firm doing minimal investigation. The one you receive in 2026 is increasingly likely to come from a firm that has done its homework.

One ruling that would change everything

The single development that would most significantly alter the CIPA landscape for businesses is a definitive 9th Circuit ruling establishing a clear, technical standard for what constitutes valid prior consent in the context of website tracking. Currently, the prior-consent defense is available but its requirements are not precisely defined at the appellate level. A ruling that specified — with technical clarity — that a consent management platform blocking tag execution until an affirmative user signal is received satisfies the prior-consent requirement under § 631 would be transformative. That ruling has not come.

The volume is not declining

The economic model that drives demand letter campaigns — low cost per letter, high rate of pre-litigation settlement, minimal litigation risk for sending firms — remains intact. The realistic expectation for any business with California web traffic is not that CIPA demand letters will become someone else's problem. It is that they will remain a feature of the operating environment for the foreseeable future — a recurring compliance risk to be managed rather than a crisis to be weathered once and forgotten.

The companies that are positioned well for this environment are not the ones hoping the letters stop. They are the ones that have made it structurally difficult for a letter to arrive with a valid claim.

What this all comes down to

CIPA was written to stop eavesdroppers from tapping phone lines. Sixty years later, it is being used to hold businesses accountable for the invisible infrastructure running beneath their websites — the pixels, scripts, session recorders, and chat tools that modern marketing depends on, deployed without adequate consent mechanisms, in a legal environment that has decided all-party consent applies to them.

The demand letter you received is a symptom of that gap — between what your website is doing technically and what California law requires. Closing that gap is both the immediate task and the long-term imperative.

If you take one thing from this guide, make it this: CIPA compliance is not a legal exercise that ends when the current letter is resolved. It is a property of how your website is built and maintained — one that requires the right technical infrastructure, the right vendor relationships, and the right operational habits to sustain. The companies that stop appearing in plaintiffs' attorney targeting lists are the ones that have made their websites structurally difficult to claim against. Not because they found a clever legal argument. Because they built something that works correctly.

Frequently asked questions

What is a CIPA demand letter?

A CIPA demand letter is a formal legal notice alleging that your website violated the California Invasion of Privacy Act by using third-party tracking technologies — such as analytics tools, advertising pixels, or session replay software — without obtaining prior consent from California users. The letter typically demands a monetary settlement to avoid litigation and cites statutory penalties of $5,000 per violation. Receiving one does not mean a lawsuit has been filed, but it does require a prompt, strategic response.

How much can a CIPA violation actually cost?

The statutory penalty under CIPA is $5,000 per violation, or three times actual damages — whichever is greater. A "violation" is generally interpreted as each instance of unauthorized interception, which plaintiffs argue means each California user session during which non-consensual tracking occurred. Pre-litigation settlements are typically a fraction of that theoretical figure, but the gap between the two numbers is what the demand letter is designed to exploit.

Does CIPA apply to businesses outside California?

Yes. California courts have consistently held that CIPA applies to any business whose website is accessible to California residents and is used by them — regardless of where the business is headquartered, incorporated, or operates physically. If you serve California users online, California law applies to you.

Which tracking tools most commonly trigger CIPA claims?

The technologies most frequently named in CIPA demand letters are Meta Pixel, Google Analytics, Google Tag Manager, session replay tools such as Hotjar, FullStory, and Microsoft Clarity, and live chat or chatbot widgets. The common thread is that each involves a third-party vendor whose infrastructure captures user behavior in real time.

Is a CIPA demand letter the same as a lawsuit?

No. A demand letter is a pre-litigation communication — a notice of alleged violation and an invitation to settle before formal legal proceedings begin. No complaint has been filed and no court is involved. However, failing to respond can result in the filing of an individual suit or class action, at which point the cost and complexity of resolution increase significantly.

Can a cookie banner protect me from a CIPA claim?

Only if it is properly configured. A cookie banner that appears after tracking has already begun does not satisfy CIPA's prior consent requirement. A properly implemented consent mechanism — one that technically prevents tracking tags from executing until affirmative consent is received — is a meaningful defense. Most deployed cookie banners do not meet that standard without careful configuration and regular auditing.

What is the tape recorder exception in CIPA?

The tape recorder exception is a judicial interpretation holding that a vendor collecting data solely on a company's behalf, and contractually prohibited from using that data for its own purposes, does not qualify as an unauthorized third-party eavesdropper under CIPA. Established in Graham v. Noom (2021), this exception can be a significant defense depending on the specific terms of your vendor agreements.

What should I do first after receiving a CIPA demand letter?

Do not ignore it, and do not respond without counsel. Note the response deadline, brief your leadership team, and engage an attorney with direct CIPA experience. Immediately begin an internal technology audit: identify every third-party tracking tool on your site, confirm whether the tool named in the letter is present and active, and check whether your consent mechanism blocks tracking before user consent is received. Preserve everything in its current state before making any changes.

The infrastructure answer

Every recommendation in this guide — pre-consent blocking, accurate consent UI, ongoing audit cadence, vendor contract hygiene, GPC signal compliance — requires your website's technical infrastructure to work correctly, continuously, and verifiably.

That is precisely what a properly implemented consent management platform delivers. Not as a legal checkbox, but as a living technical system that sits between your users and your tracking stack, enforces consent before anything fires, and gives you the audit trail to demonstrate compliance when it's challenged.
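To make the pre-consent blocking, GPC handling and audit trail described above concrete (and the cookie-banner failure mode from the FAQ), here is a minimal consent gate in plain JavaScript. It is example code added for this guide, not PieEye's platform or any vendor's SDK; the tag names, categories and sample visit are constructed.

```javascript
// Added example, not code from this post or from PieEye: a minimal consent gate
// that holds third-party tags until an affirmative consent signal, honors Global
// Privacy Control, and keeps an audit trail. blockUntilConsent=false reproduces
// the misconfiguration (banner shown after tags already ran). Sample data is constructed.
class ConsentGate {
  constructor({ blockUntilConsent = true, gpcSignal = false } = {}) {
    this.blockUntilConsent = blockUntilConsent;
    this.gpcSignal = gpcSignal; // navigator.globalPrivacyControl === true in a real page
    this.granted = new Set();   // consented categories, e.g. "analytics"
    this.pending = [];          // registered tags that have not executed yet
    this.audit = [];            // audit trail: what happened, when, on what basis
  }
  log(event, detail = {}) { this.audit.push({ ts: Date.now(), event, ...detail }); }
  // With blocking on, registering never runs the tag; only grant() may call the loader.
  registerTag(name, category, loader) {
    this.log("tag_registered", { name, category });
    if (this.blockUntilConsent) { this.pending.push({ name, category, loader }); return; }
    loader(); this.log("tag_fired", { name, category }); // weak setting: fires at page load
  }
  // Affirmative user choice. GPC is treated as an opt-out of the "advertising"
  // (sale/share) category no matter which banner button was clicked.
  grant(categories) {
    for (const c of categories) {
      if (this.gpcSignal && c === "advertising") { this.log("gpc_suppressed", { category: c }); continue; }
      this.granted.add(c);
    }
    this.log("consent_granted", { categories: [...this.granted] });
    this.pending = this.pending.filter((t) => {
      if (!this.granted.has(t.category)) return true; // still held
      t.loader(); this.log("tag_fired", { name: t.name, category: t.category });
      return false;
    });
  }
  // Audit check the guide recommends: tags fired before the first grant (empty = blocking held).
  firedBeforeConsent() {
    let first = this.audit.findIndex((e) => e.event === "consent_granted");
    if (first < 0) first = this.audit.length;
    return this.audit.slice(0, first).filter((e) => e.event === "tag_fired").map((e) => e.name);
  }
}
// Sample page load: three tags registered, then the visitor accepts analytics and advertising only.
function sampleRun({ blockUntilConsent = true, gpcSignal = false } = {}) {
  const gate = new ConsentGate({ blockUntilConsent, gpcSignal });
  const fired = [];
  gate.registerTag("analytics-tag", "analytics", () => fired.push("analytics-tag"));
  gate.registerTag("ad-pixel", "advertising", () => fired.push("ad-pixel"));
  gate.registerTag("session-replay", "functional", () => fired.push("session-replay"));
  gate.grant(["analytics", "advertising"]);
  return { fired, held: gate.pending.map((t) => t.name), early: gate.firedBeforeConsent() };
}
```

Run `sampleRun({ blockUntilConsent: false })` to see the failure mode the FAQ describes: every tag fires at load and shows up in `firedBeforeConsent()`, which is exactly what a pre-filing browser audit would capture.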

PieEye was built specifically for this problem. Our platform integrates with your existing tag management infrastructure, blocks all tracking until prior consent is captured, honors GPC signals automatically, and generates the compliance documentation your legal team needs when a demand letter arrives. We audit your current setup, identify the consent timing failures and false positives that make your site a target, and configure the technical controls that make those failures go away.

If you've received a CIPA demand letter, the first step is understanding exactly what is running on your site right now. Run a free PieEye compliance scan — it takes minutes, requires no code changes, and tells you precisely what a plaintiffs' attorney's scanning tool would find if they looked at your website today.

If you haven't received a letter yet, that scan is still the most useful thing you can do. The targeting isn't random. It's systematic. And the sites that get letters are the ones that look vulnerable to a tool designed to find vulnerability.

Don't look vulnerable.

For a walkthrough of how PieEye handles CIPA compliance, book a demo.
