California CIPA Demand Letters: What Businesses Need to Know and Do

We provide a step-by-step plan for responding to these demand letters


Alan M. Winchester

July 1, 2026 04:05 PM

Businesses across the country are increasingly receiving pre-suit demand letters and complaints alleging that ordinary website analytics, advertising pixels, chat tools, session technologies and similar tracking technologies violate the California Invasion of Privacy Act (CIPA). Recent demand letters from a pro se litigant, Vivek Shah, and a California firm, Tauler Smith, LLP, assert that common website technologies — including pixels, tags, Software Development Kits (SDKs), analytics tools, consent-management platforms, chat solutions and advertising technologies — constitute illegal “pen registers” under California Penal Code §§ 638.50–638.51.

The letters seek settlements and threaten class action litigation based on alleged transmission of IP addresses, browser identifiers, cookie identifiers, URLs, referral data and related metadata to third-party service providers.

While these claims have generated significant litigation activity, courts have increasingly scrutinized both the underlying legal theory and whether California courts may exercise personal jurisdiction over out-of-state businesses. Most of the recent decisions have dismissed these claims, but those that do, make a point of examining the nature of the information carried on the cookie, so it is still very fact specific.

What Are Plaintiffs Alleging?

Recent demand letters generally follow a common pattern. Plaintiffs typically allege that:

  • The company operates a publicly accessible website.

  • The website loads third-party scripts, pixels, tags, SDKs, analytics tools, advertising technologies, chat tools or similar services. Those technologies receive information such as: IP addresses, device identifiers, browser identifiers, cookies, session identifiers, URLs visited, referral information and related network request metadata.

  • The third-party requests occur automatically when a page loads.

  • The website did not obtain legally sufficient consent before those network requests occurred.

  • The technologies allegedly function as “pen registers” or “trap-and-trace devices” under CIPA.

Many complaints further assert claims under:

  • Intrusion upon seclusion

  • Unjust enrichment

  • Related privacy theories

Why Many Courts Have Become Increasingly Skeptical

1. CIPA Was Not Enacted to Regulate Ordinary Internet Communications

The central plaintiff theory attempts to apply statutes enacted decades before the modern internet to commonplace website communications. Defendants have argued — and an increasing number of courts have acknowledged — that:

  • CIPA’s pen register provisions were modeled on traditional telephone and telecommunications surveillance concepts.

  • Ordinary website requests involve routine internet communications necessary for modern web functionality.

  • Applying pen-register statutes to routine browser-server communications would dramatically expand the statute beyond its original purpose.

  • Standard analytics, security, content delivery, advertising and functionality tools are fundamentally different from the surveillance devices that motivated enactment of the statute.

    Although the case law continues to evolve, defendants increasingly possess substantial arguments that CIPA should not be extended to ordinary internet architecture and website communications.

    2. Personal Jurisdiction has Become a Significant Defense

    A second major issue involves whether California courts may exercise personal jurisdiction over out-of-state businesses. Many recent complaints rely on allegations that a California resident visited the website; the plaintiff accessed the site while physically located in California; and website tracking allegedly occurred during that visit.

    Businesses frequently have strong arguments these allegations alone are insufficient. Courts increasingly examine:

    • whether the company specifically targeted California;

    • whether the company purposefully directed activities toward California residents;

    • whether the plaintiff’s claims arise from those California contacts;

    • the extent of California sales and operations; and

    • whether the company has meaningful California-based commercial activity.

      For companies headquartered outside California with primarily local, regional or non-California operations, jurisdiction can be a powerful threshold defense.

      Immediate Response Steps Upon Receiving a Demand Letter

      One of the most common mistakes companies make is modifying their website before preserving evidence. These letters threaten litigation and thus trigger a duty to preserve content relevant to the dispute. If the information is not preserved, an adverse inference could be allowed, which could be damaging to the defense.

      Before making substantive changes, companies should work with counsel to preserve the website’s condition and operation.

      1. Institute a Litigation Hold

      Immediately preserve:

      • website source code

      • tag manager configurations

      • consent-management platform settings

      • analytics configurations

      • advertising platform configurations

      • deployment logs

      • change-management records

      • privacy policies

      • cookie policies

      • vendor contracts

      • website architecture documentation

      Suspend any routine deletion procedures affecting potentially relevant evidence.


      2. Capture and Preserve a HAR File

      Counsel should work with technical personnel to create a properly preserved HAR (HTTP Archive) file. The HAR capture should document:

      • initial page load behavior;

      • all third-party requests;

      • timing of requests;

      • identifiers transmitted;

      • cookies set;

      • consent-banner behavior; and

      • communications occurring before and after user consent.

      A HAR capture can become critical evidence because it preserves the website’s actual operation at the time the claim is asserted.

      3. Inventory All Tracking Technologies

      Develop a complete inventory of:

      • analytics tools

      • advertising pixels

      • retargeting technologies

      • heat-map technologies

      • chat tools

      • session replay tools

      • SDKs

      • customer-data platforms

      • marketing automation tools

      • consent-management technologies

      Many organizations discover that historical tags remain deployed even after business use has ended.

      Compliance Improvements to Consider

      Even where a business has substantial defenses, receiving a demand letter often creates an opportunity to strengthen privacy compliance. Here are some steps you can take:

      Update Privacy Policies

      Review whether the privacy policy accurately describes: categories of information collected, categories of disclosures, analytics activities, advertising activities, service providers, retention practices and California privacy rights.

      Policies should reflect actual practices rather than aspirational language contained in some off-the-shelf template. Also, while this alert focuses on California, there are several other states aggressively increasing the rights that data subjects have to privacy.

      Update Cookie Disclosures

      Cookie disclosures should identify, where appropriate, categories of cookies, purposes of processing, retention periods, third-party recipients and opt-out mechanisms.

      Evaluate Consent-Management Platforms

      Organizations should assess whether their consent-management platform:

      • properly blocks non-essential technologies before consent when required;

      • accurately records consent preferences;

      • allows revocation of consent;

      • properly categorizes technologies; and

      • synchronizes across devices and domains where appropriate.

      Review Global Privacy Control (GPC) Handling

      California regulators have emphasized recognition of Global Privacy Control signals. Organizations should evaluate whether:

      • GPC signals are detected;

      • opt-out requests are honored;

      • documentation exists regarding signal handling; and

      • disclosures accurately describe GPC practices.

      Reassess Vendor Management

      Review agreements with analytics vendors, advertising vendors, chat providers, marketing platforms and consent-management providers. Contractual provisions should align with actual information flows and applicable privacy obligations.

      Strategic Considerations Before Settlement Discussions

      Every demand letter should be evaluated individually. Before engaging in settlement discussions, management and counsel should analyze:

      1. Whether California courts have jurisdiction over the business.
      2. Whether the technologies identified actually transmit the information alleged.
      3. Whether the plaintiff accurately captured website behavior.
      4. Whether meaningful consent mechanisms existed.
      5. Whether the challenged technologies are essential, functional, analytical or marketing related.
      6. Whether the demand letter contains technical inaccuracies.
      7. Whether recent CIPA decisions undermine the asserted legal theories.

        An evidence-based response frequently places the company in a substantially stronger position than a reactive settlement approach.

        Key Takeaways

        • A growing number of plaintiffs and law firms are pursuing CIPA-based website tracking claims.

        • Businesses should not assume that these claims are legally or factually meritorious.

        • Courts have increasingly questioned efforts to apply traditional pen-register statutes to ordinary internet communications.

        • Personal jurisdiction frequently presents a significant defense for companies located outside California.

        • The first priority after receiving a demand letter is evidence preservation — not website modification.

        • HAR captures, website snapshots, tag inventories and preservation of consent records can be critical.

        • Organizations should use these demands as an opportunity to strengthen privacy notices, cookie disclosures, consent-management practices and GPC compliance.

        If your organization receives a CIPA demand letter or website-tracking complaint, experienced counsel should be engaged promptly to evaluate jurisdictional defenses, preserve evidence, assess technical allegations and develop an appropriate response strategy. Harris Beach Murtha’s Cybersecurity Protection and Response Practice Group can help. Please reach out to attorney Alan M. Winchester at (212) 313-5403 and awinchester@harrisbeachmurtha.com, or the Harris Beach Murtha attorney with whom you most frequently work.

        This alert is not a substitute for advice of counsel on specific legal issues.

        Harris Beach Murtha’s lawyers and consultants practice from offices throughout Connecticut in Bantam, Hartford, New Haven and Stamford; New York State in Albany, Binghamton, Buffalo, Ithaca, New York City, Niagara Falls, Rochester, Saratoga Springs, Syracuse, Long Island and White Plains; as well as in Boston, Massachusetts, and Newark, New Jersey.