CIPA Shakedown Letters: What Every Business with a Website Needs to Know

Businesses across the country are receiving demand letters alleging that their websites violate California’s decades-old wiretapping law -- the California Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 630–638.

CIPA was enacted in 1967 to address telephone and telegraph wiretapping. California plaintiffs’ attorneys and pro se litigants now claim that common website technologies, such as cookies, pixels, and similar targeted advertising and analytics tools, violate CIPA when they capture browser activity before a user has given meaningful consent. These claims typically target third-party tracking scripts such as Google Analytics, LinkedIn, Meta Pixel, and TikTok Pixel.

At present, courts are split over whether CIPA applies to modern website technologies. That uncertainty has fueled a steady flow of demand letters from plaintiffs’ firms and pro se individuals to businesses with an online presence.

Although these letters may look like spam, they should not be ignored. The legal theory being asserted is aggressive, and the question of how CIPA applies to modern web-tracking technology remains unsettled, but CIPA is nonetheless a genuine statute: it permits private lawsuits and provides for statutory damages of $5,000 per violation. Until the courts provide more clarity, the best protection is compliance.

All businesses with an online presence should:  

  • Update the privacy policy. Confirm that it accurately describes the tracking technologies in use, the categories of data collected, and when data may be shared with third parties. Inventory the site first; a policy written from memory rarely matches the tags a tag manager actually fires.
  • Ensure no tracking occurs before consent. Cookies, pixels, and third-party scripts should not collect any information about website visitors until consent is obtained. Gate them behind a consent-management layer whose default state is "deny"; a banner overlaid on a page whose scripts have already loaded does not stop the data from leaving. A quick check: open the site in a fresh browser profile with the developer tools' network tab visible and confirm that no requests to analytics or advertising endpoints fire before the banner has been answered.
  • Make consent enforcement match consent collection. Obtain consent through an affirmative opt-in, not an opt-out. If a visitor withholds consent, that choice must carry through to the tag manager, backend systems, and vendor integrations, so that the website’s stated practices reflect what its systems actually do.
  • Make the consent banner clear and obvious. Do not bury the banner, soften its language, or make “decline” harder to find than “accept.”
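The following is an added illustration, not code from this article or from BrownWinick: a minimal default-deny consent gate that contrasts the "banner overlay" pattern with one that actually withholds tracker loads until the visitor opts in. The storage key, category names, vendor URLs and the `loadScript` hook are assumptions for the example; storage and the loader are injected so the module runs under Node without a DOM (a browser build would pass `localStorage` and a function that appends a `<script>` element).

```javascript
// Added example (not from the article). Illustrates a default-deny consent gate.
const CONSENT_KEY = "consent_decision_v1"; // hypothetical storage key

class ConsentGate {
  constructor({ storage, loadScript, now = () => Date.now() }) {
    this.storage = storage;       // localStorage-like: getItem/setItem
    this.loadScript = loadScript; // (src, name) => void; appends <script> in a browser
    this.now = now;
    this.pending = new Map();     // category -> [{ name, src }] not yet loaded
    this.decision = this.readDecision(); // null means "no decision yet": default deny
  }

  readDecision() {
    const raw = this.storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try {
      const d = JSON.parse(raw);
      // Only an explicit, well-formed record counts; anything else is treated as no consent.
      return d && typeof d.categories === "object" ? d : null;
    } catch {
      return null;
    }
  }

  allows(category) {
    return this.decision !== null && this.decision.categories[category] === true;
  }

  // Registering a tracker never loads it. If the category was granted on an earlier
  // visit it loads now; otherwise it waits for an affirmative grant.
  register(category, name, src) {
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push({ name, src });
    if (this.allows(category)) this.flush(category);
  }

  flush(category) {
    const queue = this.pending.get(category) || [];
    this.pending.set(category, []);
    for (const t of queue) this.loadScript(t.src, t.name);
  }

  // Record the visitor's choice: every known category defaults to false and only the
  // opted-in ones become true. A denial is stored explicitly so the next page load
  // neither re-prompts nor silently loads anything.
  decide(grantedCategories) {
    const categories = {};
    for (const c of this.pending.keys()) categories[c] = false;
    for (const c of grantedCategories) categories[c] = true;
    this.decision = { categories, decidedAt: this.now() };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(this.decision));
    for (const c of grantedCategories) this.flush(c);
  }

  // Value to forward to the backend (e.g. in a request header) so server-side vendor
  // integrations honour the same decision the browser enforces.
  toHeaderValue() {
    if (this.decision === null) return "none";
    return Object.entries(this.decision.categories)
      .map(([c, v]) => `${c}=${v ? 1 : 0}`)
      .sort()
      .join(";");
  }
}

// Constructed in-memory stand-ins for localStorage and a script loader.
function makeStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
function makeLoader() {
  const loaded = [];
  return { loaded, loadScript: (src, name) => loaded.push(name) };
}

// The pattern the article warns against: trackers fire as the page renders and the
// banner shown afterwards changes nothing about what already left the browser.
function demoBannerOverlay() {
  const { loaded, loadScript } = makeLoader();
  loadScript("https://analytics.example/tag.js", "analytics"); // placeholder vendor URLs
  loadScript("https://ads.example/pixel.js", "ad-pixel");
  return { loadedBeforeConsent: loaded.slice(), bannerShown: true };
}

// The gated pattern: nothing loads until the visitor opts in, a partial grant loads only
// the granted category, and a second page load reuses the stored decision.
function demoGated() {
  const storage = makeStorage();
  const first = makeLoader();
  const gate = new ConsentGate({ storage, loadScript: first.loadScript, now: () => 1700000000000 });
  gate.register("analytics", "analytics", "https://analytics.example/tag.js");
  gate.register("advertising", "ad-pixel", "https://ads.example/pixel.js");
  const beforeConsent = first.loaded.slice();
  gate.decide(["analytics"]); // visitor opts into analytics only
  const afterConsent = first.loaded.slice();
  const second = makeLoader();
  const gate2 = new ConsentGate({ storage, loadScript: second.loadScript });
  gate2.register("analytics", "analytics", "https://analytics.example/tag.js");
  gate2.register("advertising", "ad-pixel", "https://ads.example/pixel.js");
  return { beforeConsent, afterConsent, header: gate.toHeaderValue(), secondLoad: second.loaded.slice() };
}

console.log(JSON.stringify({ overlay: demoBannerOverlay(), gated: demoGated() }));
```

The header value is the piece that makes enforcement match collection: the same string that gates script loads in the browser is what the backend should consult before calling a vendor API, rather than a separate flag that can drift out of sync.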

If you have questions or concerns about data privacy or compliance, please contact Brian McCormac or another member of BrownWinick’s data privacy practice.

Thanks to summer associate Kate Muller, who assisted with the drafting of this article.