Businesses across the country are opening demand letters alleging that their websites violate California privacy laws by using common tracking technologies — the Meta Pixel, Google Analytics, TikTok Pixel, session replay tools, and advertising cookies. These letters often threaten class action litigation under statutes such as the California Invasion of Privacy Act (CIPA), the Electronic Communications Privacy Act (ECPA), and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA). Many seek substantial pre-litigation settlements and threaten statutory damages that can escalate into millions of dollars. If your business received one of these letters, here is what you need to understand before you respond.
What Are CIPA Website Tracking Demand Letters?
The California Invasion of Privacy Act was enacted in 1967 to address telephone wiretapping. In recent years, plaintiffs’ firms have applied it to ordinary website analytics and advertising technologies, arguing that tracking pixels and cookies “intercept” user communications in violation of the statute. The theory goes like this: when a visitor lands on your website, tracking tools send data — browsing behavior, clicks, page views — to third parties like Meta or Google. The plaintiffs’ firms argue that transmission constitutes an unlawful interception under CIPA’s wiretapping provisions.
Technologies Commonly Named in Demand Letters
- Meta Pixel (formerly Facebook Pixel): A tracking script that sends behavioral data to Meta for advertising targeting and analytics.
- Google Analytics and Google Tag Manager: Tools that collect user interaction data for website performance measurement.
- TikTok Pixel: An advertising tracking tool similar to the Meta Pixel.
- Session replay tools: Software such as FullStory, Hotjar, or Microsoft Clarity that records visitor interactions for UX analysis.
- Advertising and retargeting cookies: Third-party cookies that track users across sessions and websites for ad targeting.
These technologies are standard across most commercial websites. The fact that a demand letter names them does not automatically mean your business violated the law.
How This Litigation Wave Works
Most of these cases follow a recognizable pattern. A plaintiff’s firm visits a website and uses browser developer tools or a HAR (HTTP Archive) file to capture network traffic. The firm then sends a demand letter alleging that the website unlawfully “wiretapped” the visitor by transmitting information to third parties without consent. The letters frequently contain sweeping technical conclusions — that tracking software “intercepts” communications, that websites secretly disclose sensitive information, that browsing activity is shared with third parties without knowledge — while citing large statutory penalties designed to pressure businesses into quick settlements.
The business model works because the gap between receiving a threatening demand letter and actually defending litigation is expensive to close. Many businesses conclude that paying a nuisance settlement is cheaper than litigation, even when the underlying claims have real weaknesses. That calculus deserves scrutiny, because paying settlements in weak cases invites more of them.
Courts Are Divided — And That Matters for Your Defense
Website tracking litigation is developing rapidly, and courts have reached conflicting conclusions about whether ordinary analytics and advertising technologies actually violate CIPA. This legal uncertainty is important because it directly affects the strength of any demand made against your business.
Doe v. Eating Recovery Center: A Significant Defense Win
In Doe v. Eating Recovery Center LLC, the Northern District of California granted summary judgment for the defendant and criticized the current state of CIPA litigation directly. The court observed that CIPA — enacted in 1967 to address telephone wiretapping — is poorly suited for modern internet technologies, noting that courts are issuing conflicting rulings and that companies have no reliable way to know whether standard online business practices will expose them to liability. The court held that the alleged conduct did not satisfy CIPA’s “in transit” interception requirements, which is a threshold requirement the plaintiffs’ bar has struggled to satisfy consistently.
Surviving a Motion to Dismiss Is Not the Same as Proving Liability
Other courts have allowed certain CIPA claims to survive motions to dismiss where plaintiffs alleged detailed facts about how tracking technologies allegedly operated. But surviving a motion to dismiss sets a low bar — it means only that the complaint states a plausible claim, not that the plaintiff can prove one. The cases that survive early motions often turn on highly fact-specific technical questions: whether tracking loaded before consent was obtained, what specific data was actually transmitted, how the consent management platform was configured, and whether the visitor’s session matched the alleged interception. These factual questions can be addressed with evidence — and that evidence frequently tells a different story than the demand letter suggests.
Demand Letters Don’t Always Reflect What Your Website Actually Did
One of the most important things to understand about CIPA demand letters is that the technical allegations in them are frequently inaccurate. Plaintiffs’ firms often rely on generalized assumptions about how tracking technologies operate rather than a detailed investigation of what actually happened on your specific website, during a specific visitor session, under your specific consent configuration.
At Revision Legal, we investigated a matter where a demand letter alleged that a website unlawfully transmitted visitor data through tracking technologies without consent. The plaintiff relied heavily on a HAR report purporting to show unauthorized disclosures to third parties. After a detailed technical review with the client’s web consultant, the technical evidence told a very different story — the central allegations in the demand letter did not match the actual website analytics. Tracking had been properly gated behind consent, no sensitive information had been transmitted, and the configurations the plaintiff described did not reflect the website’s actual setup during the relevant period.
This is why technical investigation matters before any response or settlement decision. The demand letter is one party’s characterization of the facts. The actual facts are often more favorable to the business than the letter suggests.
What to Do After Receiving a CIPA Demand Letter
1. Don’t Panic — But Don’t Ignore It
These letters are designed to create urgency and pressure fast settlements. That does not mean the claims are meritorious. At the same time, ignoring the letter is not a strategy. Website tracking litigation is active and potentially expensive to defend. Treat the demand seriously while understanding that the letter’s allegations may not hold up under scrutiny.
2. Preserve Evidence Before Changing Anything
Before making changes to your website, preserve the technical records that will be needed to evaluate the allegations. This includes:
- Records showing whether users accepted or declined cookies at the time of the alleged visit
- Copies of your cookie banner, consent management platform configuration, and privacy policy as they existed at the relevant time
- Records of which third-party tracking technologies were active and how they were configured
- Website logs showing what data was actually transmitted
- Records showing whether tracking was disabled when users declined consent
- Communications with web developers, marketing vendors, or analytics providers about tracking configurations
Immediately changing website configurations or deleting logs after receiving a demand letter can make it harder to evaluate what actually occurred and may create evidentiary problems down the line. A technical review should happen before remediation, not instead of it.
3. Audit Your Consent and Tracking Configuration
One of the most common allegations in CIPA cases is that non-essential tracking technologies load before a user provides consent. Even businesses that have cookie banners in place should verify that those banners are actually functioning as intended. Misconfigurations are common, particularly after website updates, plugin changes, marketing integrations, or third-party script modifications. Work with your web developers or privacy counsel to confirm that:
- Tracking pixels do not fire before consent is obtained
- Consent management platforms (CMPs) are functioning correctly
- Scripts are properly categorized as necessary or non-essential
- User consent preferences are actually honored by each tracking tool
- Tracking stops when consent is declined
- Your privacy policy accurately describes the tracking technologies in use
Businesses that have not yet received a demand letter should treat this audit as a proactive step. Identifying and correcting misconfigurations before litigation is far cheaper than addressing them after a demand letter arrives.
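One way to run the first check on this list, shown as an added example rather than code from Revision Legal or any vendor: the Python script below reads a HAR capture (the same format the demand letters rely on) and lists requests to tracker hosts that started before the consent click. The host list, the `consent_at` parameter, and the sample capture are assumptions constructed for illustration.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Illustrative host suffixes for tools the article names; not an exhaustive list.
TRACKER_SUFFIXES = {
    "facebook.net": "Meta Pixel", "facebook.com": "Meta Pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "analytics.tiktok.com": "TikTok Pixel",
    "fullstory.com": "FullStory", "hotjar.com": "Hotjar",
    "clarity.ms": "Microsoft Clarity",
}

def classify(url):
    """Map a request URL to a tracking tool by exact host or dot-bounded suffix."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, tool in TRACKER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return tool
    return None

def parse_ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pre_consent_hits(har, consent_at=None):
    """Return (time, tool, url) for tracker requests started before consent_at.
    consent_at=None models a declined or unanswered banner: every hit counts."""
    cutoff = parse_ts(consent_at) if consent_at else None
    hits = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        tool = classify(url)
        if tool and (cutoff is None or parse_ts(entry["startedDateTime"]) < cutoff):
            hits.append((entry["startedDateTime"], tool, url))
    return hits

def _entry(ts, url):
    return {"startedDateTime": ts, "request": {"method": "GET", "url": url}}

# Constructed sample capture (shop.example and all timestamps are made up).
SAMPLE_HAR = {"log": {"entries": [
    _entry("2024-05-01T12:00:00.100Z", "https://shop.example/"),
    _entry("2024-05-01T12:00:00.450Z", "https://connect.facebook.net/en_US/fbevents.js"),
    _entry("2024-05-01T12:00:00.900Z", "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"),
    _entry("2024-05-01T12:00:01.000Z", "https://cdn.myhotjar.com.example/a.js"),
    _entry("2024-05-01T12:00:04.300Z", "https://www.google-analytics.com/g/collect?v=2"),
]}}

if __name__ == "__main__":
    # The auditor clicked "Accept" at 12:00:04 in this constructed session.
    for hit in pre_consent_hits(SAMPLE_HAR, "2024-05-01T12:00:04Z"):
        print(*hit)
```

A hit on a loader script such as `gtm.js` shows that the container loaded, not which tags fired, so each flagged URL still needs individual review. Run the same capture with the banner declined and `consent_at=None` to confirm that tracking stops when consent is refused.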
How Revision Legal Can Help
Revision Legal’s internet law attorneys assist businesses at every stage of CIPA and website tracking litigation — from evaluating the technical strength of a demand letter to defending active litigation and reducing future exposure. Not every demand reflects a viable legal claim. Before responding, settling, or making website changes, businesses should understand the actual facts, preserve the relevant evidence, and get a realistic legal and technical assessment of the allegations.
The legal landscape around website tracking is evolving. Courts are divided, statutes originally written for telephone wiretapping are being stretched to cover technologies that didn’t exist when they were enacted, and the factual record in each case matters enormously. If your business has received a CIPA demand letter or wants to reduce its exposure to this type of litigation, contact Revision Legal to speak with one of our internet law attorneys.