

Hundreds of brands receive CIPA demand letters every week, alleging that standard website tracking tools constitute illegal wiretapping under California law. CCPA compliance won't protect you, and settling once doesn't stop the next letter. This guide covers what the letter means, how to assess it, and what audit-ready consent infrastructure you need to defend your brand confidently.
If you work in privacy, legal, or marketing at a brand with a digital presence, there's a reasonable chance you’ve already received a CIPA (California Invasion of Privacy Act) demand letter.
Online tracking lawsuits skyrocketed from roughly 200 cases in 2023 to nearly 4,000 in 2024, with demand letters and arbitration filings stacking on top of that. More than 70% of those claims are coming from just four law firms operating a volume-based model designed to turn mass mailings into mass settlements.
The instinct when one arrives is to panic. The letter looks serious, the deadline is real, and the damages figures cited – $5,000 per violation or three times actual damages, whichever is greater, with no requirement to prove actual harm – can run into the millions on paper. But the first thing worth understanding is that these letters are not all created equal, and many of them don't hold up to scrutiny.
"The allegations are often sloppy," says Alysa Hutnik, partner at Kelley Drye. "These firms are going for breadth, not accuracy. What you're really doing is risk mitigation; making sure you've cleaned up the collection errors that make cases expensive."
That's exactly the right frame. This may be a legal problem, but the solution is technical. As Ketch's DPO and Corporate Counsel, I want to walk through what we're seeing, what actually matters when a letter arrives, and what brands can put in place so they're never starting from zero when one does.
CIPA is a 1967 California wiretapping statute, written long before the internet existed. In recent years, plaintiffs' attorneys have reinterpreted it to apply to website tracking technologies — pixels, cookies, session replay tools, chatbots, search bars, SDKs — arguing that these tools "intercept" user communications in real time, in the same way a wiretap intercepts a phone call.
For background on why these old wiretapping laws are increasingly targeting digital brands, read our deep-dive: Wiretapping Laws in the Digital Era.
A CIPA demand letter is a pre-litigation notice claiming your website's tracking tools — pixels, cookies, or session replay software — illegally intercepted user communications under California's 1967 Invasion of Privacy Act. It demands a settlement, typically within 30 days, and cites $5,000 in statutory damages per violation.
Because that $5,000 figure is statutory, plaintiffs do not need to prove any actual harm. That damages structure is what makes CIPA so attractive to plaintiffs' firms and so alarming to brands receiving demand letters.
A CIPA demand letter typically identifies when the claimant visited your website; which specific tracking tool allegedly fired and what it transmitted; the legal theory being invoked (usually California Penal Code Section 631(a), the wiretapping provision, or Section 638.51, the pen register and trap-and-trace provision); a damages calculation that extrapolates to thousands of violations; and a settlement demand with a deadline of 20 to 30 days.
The most important thing to understand immediately: CCPA compliance does not protect you here. CIPA and CCPA are separate statutes addressing different legal theories.
Being compliant with California's consumer privacy law does not immunize a brand from CIPA litigation. This distinction surprises many privacy and legal teams who assumed their consent management program covered them.
Not every demand letter is equal. Start your assessment with a few key steps:
A small number of plaintiffs' firms are responsible for the overwhelming majority of CIPA demand letters.
These firms have developed highly industrialized operations: they scan websites in bulk using automated tools, look for any tracking pixel that fires before consent is captured, and generate templated letters.
Knowing whether the firm has a reputation for actually filing litigation, or primarily uses letters to extract nuisance settlements, affects your calculus significantly.
The letter will reference a specific tool — often the Meta Pixel, Google Analytics, TikTok Pixel, or a session replay product — and describe the behavior that triggered the claim.
What exactly was alleged to have been intercepted? Was it an IP address, a search term, a form entry, a page navigation? Courts are increasingly distinguishing between different types of data, and not all claims are equally strong.
The legal landscape around CIPA is genuinely in flux. Courts are reaching different conclusions on similar facts, and precisely how you respond is a question for legal counsel – not something any software vendor should be prescribing. What we can tell you is that the strength of your technical posture will directly shape the options your counsel has to work with.
At a glance, it may seem that the path of least resistance is to quietly settle these letters. Write a check, move on, and hope the next one doesn’t arrive.
The problem with that approach isn't that settling is wrong. Sometimes it's the right call, and experienced privacy counsel will tell you that a negotiated settlement can be perfectly reasonable depending on the circumstances.
The real problem? Choosing to settle without knowing whether the claim is even credible.
These letters are generated at scale by a small number of firms using automated scanning tools. They are designed for volume, not precision, and the allegations are often sloppy and built on incomplete or outright incorrect readings of what your site was doing.
The brands that handle this well are the ones that can actually answer: did this happen? They can pull up their consent logs, run a scan of their tag behavior, and evaluate the technical claim on its merits before deciding how to respond. That changes everything: not because it guarantees a particular outcome, but because it turns a reactive scramble into an informed decision.
That's the posture worth building toward: not litigation readiness, but technical visibility and accuracy.
I spoke with Max Anderson, our Co-founder and Head of Product, about what he's seeing across the brands we work with. His view is blunt: there is no silver bullet. But there are three concrete things that meaningfully change your ability to respond confidently to a demand letter claim.
A central argument in many CIPA demand letters today is that presenting a notice to users at the same moment data collection begins gives consumers no time to read and understand what is happening, and that such simultaneous notice is therefore not reasonable.
One practical response that we see some companies take is to create a time delay between notice and collection. Give the user a window to absorb what they're being told before tags start firing.
"The next move on the privacy tool side," says Max, "is to create some separation between when that notice is given and when the data collection starts happening. Imagine adding a ten or fifteen second delay or buffer between the data collection and the notice itself. As it stands today, that is one of the best things, if not the only thing, that you can do on the notice side."
This is a meaningful shift from how most brands think about consent banners. The banner existing isn't enough. The sequence and timing of what fires relative to when the user sees the notice is what plaintiffs' attorneys are scrutinizing, and getting that right requires more than a standard banner implementation.
If a plaintiffs' attorney makes a set of claims about your site's behavior, you need to be able to verify or refute those claims with actual evidence. Not a privacy policy. Not a general description of your consent setup. Timestamped, individual-level records of what fired, when, and what the user's consent state was at that moment.
"Sometimes these claims are just completely irrational," says Max. "Having a strong auditability framework in your privacy tool is certainly useful. You want to be able to prove that whatever claims they're making are or aren't true."
The technical cause underlying most CIPA demand letters is the same: a tracking tool allegedly fired before the user had an opportunity to consent. If you can produce a timestamped record showing that didn't happen, or that the user affirmatively consented, your position changes dramatically. If you can't produce that record, that's the gap that needs closing.
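The two points above, separating notice from collection and keeping a timestamped per-tag record of what fired and under what consent state, can be implemented together in one small piece of client-side gating logic. The following is an added example written for this article; it is not Ketch code and not a description of how Ketch Consent Management works. The ConsentGate name, the 10-second default window, the tag names and the fake clock are illustrative assumptions. Tags are queued at page load and released only after an affirmative choice and only once the minimum notice window has elapsed; a rejection discards the queue, and every transition is logged with a timestamp.

```javascript
// Added example (not Ketch's code): a "pause first, fire second" tag gate.
// Tracking tags are deferred until (a) the user has made an affirmative
// choice and (b) a minimum notice window has elapsed since the banner was
// shown. Every state change is appended to a timestamped audit trail.
// ConsentGate, the 10 s default and the tag names are assumptions.

class ConsentGate {
  constructor({ minNoticeMs = 10000, now = () => Date.now() } = {}) {
    this.minNoticeMs = minNoticeMs;
    this.now = now;              // injectable clock so the sequencing is testable
    this.noticeShownAt = null;
    this.decision = null;        // null | "accept" | "reject"
    this.queue = [];             // tags waiting for the gate to open
    this.events = [];            // timestamped audit trail
  }

  record(type, detail) {
    this.events.push({ t: this.now(), type, ...detail });
  }

  showNotice() {
    this.noticeShownAt = this.now();
    this.record("notice_shown");
  }

  // The gate opens only on an affirmative "accept" AND after the notice window.
  isOpen() {
    return this.decision === "accept" &&
      this.noticeShownAt !== null &&
      this.now() - this.noticeShownAt >= this.minNoticeMs;
  }

  // Register a tag loader; it fires immediately only if the gate is already open.
  register(name, load) {
    this.queue.push({ name, load });
    this.record("tag_queued", { tag: name });
    return this.flush();
  }

  choose(decision) {
    if (decision !== "accept" && decision !== "reject") throw new Error("bad decision");
    this.decision = decision;
    this.record("consent_" + decision);
    if (decision === "reject") {
      // Rejected: drop queued tags so they can never fire later in the session.
      for (const tag of this.queue) this.record("tag_dropped", { tag: tag.name });
      this.queue = [];
    }
    return this.flush();
  }

  // In a real page this is also called from a timer once the window elapses.
  flush() {
    if (!this.isOpen()) return [];
    const fired = [];
    for (const tag of this.queue) {
      tag.load();
      this.record("tag_fired", { tag: tag.name, msSinceNotice: this.now() - this.noticeShownAt });
      fired.push(tag.name);
    }
    this.queue = [];
    return fired;
  }
}

// Scenario driver with a fake clock: notice at t=0, two tags registered at
// page load, a decision at decisionAtMs, and a timer-driven flush at checkAtMs.
function simulate({ minNoticeMs, decision, decisionAtMs, checkAtMs }) {
  let clock = 0;
  const gate = new ConsentGate({ minNoticeMs, now: () => clock });
  const loaded = [];
  gate.showNotice();
  gate.register("meta_pixel", () => loaded.push("meta_pixel"));
  gate.register("session_replay", () => loaded.push("session_replay"));
  clock = decisionAtMs;
  const firedOnDecision = gate.choose(decision);
  clock = checkAtMs;
  const firedOnCheck = gate.flush();
  return { firedOnDecision, firedOnCheck, loaded, events: gate.events };
}
```

With minNoticeMs set to 10000, an "accept" clicked two seconds after the banner appears does not release the tags; they fire on the first flush after the ten-second mark, and the events array records the notice time, the click time and each tag's firing time relative to the notice. Setting minNoticeMs to 0 reproduces the conventional banner behaviour (fire on click), which is the timing pattern the demand letters target.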
Most plaintiffs' attorneys build their cases around a HAR (HTTP Archive) file, a JSON record of every network request a browser makes during a session on your site, with a timestamp, the full URL and any request body for each one. It captures what fired, when, and what data was transmitted. That HAR file becomes their evidence.
"Sometimes they actually make mistakes in processing that information," Max notes. "So being able to process that HAR file yourself, graphically represent what was happening, and do a little fact-checking on the claims the plaintiffs' attorney is making, is very useful."
But the more important use of this capability is proactive. You don't have to wait for a demand letter to run this kind of scan. Doing it yourself first tells you exactly what a plaintiffs' attorney would see if they visited your site today: whether sensitive data is being transmitted to third parties, whether tags are firing in the right sequence, whether your notice setup holds up to scrutiny.
"You want to understand that before they come after you," Max says. "Check yourself first."
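The fact-checking Max describes is straightforward to do yourself once you treat the HAR as data: find the request that records the consent decision, then compare its timestamp against every request to a known tracking host. The following is an added example written for this article, not Ketch's Data Sentry or any code from the original page. The tracker host list, the assumed consent marker (a POST to /consent/record), the sensitive-parameter list and the embedded HAR are all constructed for illustration; the HAR structure itself (log.entries[].startedDateTime and request.url) is the standard format. Because pixels commonly forward the full page URL as a query parameter (for example Meta's dl), the check also looks inside URL-valued parameters for search terms or form fields.

```javascript
// Added example; not Ketch's Data Sentry and not code from the article.
// Reads a HAR (HTTP Archive) capture and reports which requests to known
// tracking hosts were sent before the consent signal, and whether they
// carried sensitive query fields. TRACKER_HOSTS, SENSITIVE_KEYS, the
// "/consent/record" marker and SAMPLE_HAR are constructed assumptions.

const TRACKER_HOSTS = {
  "connect.facebook.net": "Meta Pixel",
  "www.facebook.com": "Meta Pixel",
  "www.google-analytics.com": "Google Analytics",
  "analytics.tiktok.com": "TikTok Pixel",
};

// Query keys whose presence suggests search terms or form fields were forwarded.
const SENSITIVE_KEYS = ["q", "search", "query", "email", "phone"];

// Assumed marker for the consent decision: the CMP's POST to /consent/record.
function isConsentRequest(entry) {
  return entry.request.method === "POST" &&
    new URL(entry.request.url).pathname === "/consent/record";
}

// Collect sensitive keys in a URL's query. A parameter value that is itself
// a URL (e.g. Meta's "dl", the page location) is inspected recursively and
// reported as "outer->inner".
function sensitiveKeysIn(url) {
  const hits = [];
  for (const [key, value] of url.searchParams) {
    if (SENSITIVE_KEYS.includes(key.toLowerCase())) hits.push(key);
    if (/^https?:\/\//i.test(value)) {
      try {
        hits.push(...sensitiveKeysIn(new URL(value)).map((k) => `${key}->${k}`));
      } catch { /* value looked like a URL but did not parse; ignore */ }
    }
  }
  return hits;
}

function analyzeHar(har, { trackerHosts = TRACKER_HOSTS, consentMatcher = isConsentRequest } = {}) {
  const entries = har.log.entries;
  const consentEntry = entries.find(consentMatcher);
  const consentAt = consentEntry ? Date.parse(consentEntry.startedDateTime) : null;
  const findings = [];
  for (const entry of entries) {
    const url = new URL(entry.request.url);
    const vendor = trackerHosts[url.hostname];
    if (!vendor) continue;
    const startedAt = Date.parse(entry.startedDateTime);
    findings.push({
      vendor,
      host: url.hostname,
      startedAt,
      // A capture with no consent event at all counts every tracker hit as pre-consent.
      beforeConsent: consentAt === null || startedAt < consentAt,
      msRelativeToConsent: consentAt === null ? null : startedAt - consentAt,
      sensitiveParams: sensitiveKeysIn(url),
    });
  }
  findings.sort((a, b) => a.startedAt - b.startedAt);
  return { consentAt, findings, preConsentCount: findings.filter((f) => f.beforeConsent).length };
}

// Text timeline, one line per tracker request, for eyeballing the sequence.
function timeline(result) {
  return result.findings.map((f) => {
    const rel = f.msRelativeToConsent === null
      ? "no consent event in capture"
      : `${f.msRelativeToConsent >= 0 ? "+" : ""}${f.msRelativeToConsent} ms vs consent`;
    const leak = f.sensitiveParams.length ? `  sensitive: ${f.sensitiveParams.join(", ")}` : "";
    return `${f.beforeConsent ? "PRE " : "post"}  ${f.vendor.padEnd(16)} ${f.host.padEnd(26)} ${rel}${leak}`;
  });
}

// Constructed HAR: a search page that loads the Meta Pixel immediately,
// a consent POST 12 s later, then a Google Analytics hit.
const PAGE = "https://www.example-brand.com/search?q=knee+brace";
const SAMPLE_HAR = { log: { version: "1.2", entries: [
  { startedDateTime: "2025-01-15T10:00:00.000Z",
    request: { method: "GET", url: PAGE } },
  { startedDateTime: "2025-01-15T10:00:00.400Z",
    request: { method: "GET", url: "https://connect.facebook.net/en_US/fbevents.js" } },
  { startedDateTime: "2025-01-15T10:00:00.900Z",
    request: { method: "GET",
      url: "https://www.facebook.com/tr?id=1234567890&ev=PageView&dl=" + encodeURIComponent(PAGE) } },
  { startedDateTime: "2025-01-15T10:00:12.000Z",
    request: { method: "POST", url: "https://www.example-brand.com/consent/record",
      postData: { mimeType: "application/json", text: "{\"analytics\":true,\"advertising\":true}" } } },
  { startedDateTime: "2025-01-15T10:00:12.300Z",
    request: { method: "GET",
      url: "https://www.google-analytics.com/g/collect?v=2&tid=G-ABC123&dl=" + encodeURIComponent(PAGE) } },
]}};
```

Run against the constructed capture, analyzeHar reports two Meta Pixel requests before the consent POST (the second forwarding the search term inside dl) and one Google Analytics request 300 ms after it; timeline() renders the same result as a PRE/post list. To run it on a real capture, replace SAMPLE_HAR with JSON.parse of an exported HAR and adjust isConsentRequest to whatever request your consent manager actually sends when a choice is recorded. The conservative default matters: if the capture contains no consent event, every tracker request is flagged, which is also how a plaintiff's firm will read it.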
Having the right technical foundation isn't just about being prepared for a demand letter. It's about being able to answer the question confidently when one arrives: did this actually happen? Here's how Ketch's products map to each of the three areas Max outlined.
Data Sentry — know what's actually running on your site. Data Sentry is your privacy pentest. It continuously scans your live digital properties and shows you exactly what a plaintiff's attorney or regulator would see when they visit: which tags fired, which third-party domains received data, and whether any of that happened before a consent signal was captured.
Critically, Data Sentry can also process HAR files directly. If a demand letter arrives with technical claims about your site's behavior, you can upload the HAR file, graphically represent what was actually happening, and fact-check the allegation before you respond. That's not a capability most brands have, and it changes the dynamic considerably.
Not a point-in-time audit. A live, always-on map of your real data collection behavior, tuned to the exact technical patterns that generate CIPA demand letters.
Consent management — pause first, fire second. Ketch Consent Management supports configurable time delay between notice presentation and data collection, directly addressing the timing argument at the center of most modern CIPA claims: that data collection begins before users have had reasonable opportunity to absorb what they're being told.
Consent banners are configurable without engineering, and consent signals propagate automatically to downstream systems through Ketch's native integrations, so the choice a user makes is honored consistently across every connected system.
Privacy 360 Analytics Suite — your audit trail, automatically. The granular, identity-driven reporting available in Privacy 360 Analytics Suite captures the full lifecycle of every consent decision: timestamp, method, banner interaction, and every system that received and enforced the signal. When a plaintiffs' attorney makes a claim about what your site was doing at a specific moment for a specific visitor, Privacy 360 is how you pull up that record and answer the question with evidence rather than assertion.
This is what transforms a demand letter from a crisis into a manageable situation. Not just knowing your consent setup is correct, but being able to prove it, at the individual level, on demand.
The result isn't just a stronger legal position when letters arrive. It's a fundamentally different posture: instead of scrambling to reconstruct what happened after a claim lands, you have a continuous, living record of what your systems did and what your users chose.
That's what it looks like to confidently prove you're doing things right, not just saying it.
Legislative relief is possible, but not imminent.
California's SB 690 appeared poised for an easy path to enactment. The bill, which would have clarified that routine commercial tracking technologies fall outside the scope of CIPA, passed the State Senate unanimously and drew broad support in the Assembly. Despite that momentum, the legislation ultimately stalled and has now been converted into a two-year bill, delaying any immediate change to the statute.
Even if it eventually passes, it will not take effect until 2027 at the earliest and will apply prospectively only. Pending cases are unaffected.
That timing matters. As SB 690 approaches its eventual effective date, plaintiffs' firms have every incentive to file as many claims as possible before any safe harbor kicks in. Legal experts are predicting a surge in filings in the lead-up to any effective date, which means the period between now and 2027 remains an active one for this type of litigation.
Meanwhile, the case law is fracturing in ways that make outcomes difficult to predict:
For brands, this uncertainty reinforces the same point we've been making throughout: the most reliable position is a proactive one. Know what's running on your site, have consent records that hold up, and be able to demonstrate both before a letter arrives rather than after.
If you just received a letter, a few immediate steps matter:
But the real leverage? What you have in place before the letters arrive. The brands that handle demand letters well aren't scrambling to reconstruct what happened after the fact. Here's what that foundation looks like:
CIPA demand letters are not going away. The firms sending them have a working business model, the legislative fix is years out, and the case law is fractured enough to keep the threat alive regardless of how any individual court rules.
The brands that come out ahead are the ones that stop treating this as purely a legal problem. The technical foundation – notice timing, auditability, continuous scanning – is what gives you something to stand on when a letter arrives. Build it before you need it.
See what's actually running on your site: Talk to a Ketch privacy expert →