At a Glance
- CIPA demand letters are driving a significant share of new CMP evaluations in 2026. You are not the first to receive one.
- These letters are largely templated documents produced at scale by a small number of plaintiffs’ law firms targeting websites with common tracking technologies.
- Under CIPA, per-violation statutory damages of USD 5,000 can aggregate rapidly; your legal exposure depends heavily on your current consent infrastructure.
- Implementing or upgrading a consent management platform (CMP) is one of the most actionable steps a business can take to address the underlying conditions that attract CIPA claims.
If your business received a CIPA demand letter, you are not alone. Privacy litigation is rising sharply across California, with plaintiffs targeting websites that track user activity without proper consent mechanisms. CCPA compliance does not protect you in these cases. This guide explains what these letters typically claim, what your exposure may be, and how a consent management platform can help support your response.
If you have received a demand letter alleging violations of the California Invasion of Privacy Act (CIPA), the first thing to know is that you are not alone. In 2026, these letters are arriving in the inboxes of businesses across the country at an increasing rate.
They are alarming to receive, and typically written to induce urgency, with relatively short response deadlines. In many cases they are the opening move in a volume-driven litigation strategy that may have little to do with the specific technology and operation of your website.
This guide explains what these letters typically claim, how the litigation economics work, what your realistic exposure may be and how to assess these letters, and the practical steps your business can take. This includes how a consent management platform (CMP) can help address the underlying conditions that attract these claims.
What Is a CIPA Demand Letter?
A demand letter is a pre-litigation notice sent by or on behalf of an individual, typically a plaintiff represented by a specialized privacy litigation firm. This letter alleges that your website has violated one or more provisions of California privacy law.
The letter will usually cite specific statutes, describe the alleged conduct in general terms, and set out what the sender is demanding in response, most commonly a settlement payment and remediation.
Most letters you will encounter in the current wave of privacy litigation are not bespoke documents prepared after a careful review of your business. More than 70 percent of these types of privacy claims are coming from only four law firms.
These plaintiffs’ firms have built high-volume, template-driven dockets targeting any company whose website transmits user data to a third-party vendor. Their intake process is largely paralegal-driven: network traffic is captured on consumer-facing sites, a pixel or tracking script is identified, and a near-identical complaint or demand letter is dispatched.
The most common framework cited in demand letters today is CIPA. A reasonable understanding of the law is essential to assessing what the letter is actually claiming.
What Is the California Invasion of Privacy Act?
CIPA was passed in 1967 as a criminal anti-wiretapping statute. Its original purpose was to protect telephone conversations from unauthorized interception during the height of the Cold War. Since then, plaintiffs’ attorneys have successfully argued that its provisions extend to modern tracking technologies, including cookies, pixels, session replay tools, and chat functions deployed on websites.
The two sections most commonly cited in demand letters are CIPA § 631, which prohibits the unauthorized interception of electronic communications, and CIPA § 638.51, which prohibits the installation or use of a pen register or trap and trace device without consent.
A pen register is defined by the statute to mean any device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted. It does not capture the content of the communication itself, only the metadata, like who is being contacted, when, and how the communication is being routed.
Courts have reached inconsistent conclusions about whether common website analytics and advertising tools constitute pen registers under Section 638.51, and the legal landscape remains unsettled pending the outcome of SB 690, which remains stalled in the California Assembly, though a hearing is scheduled for July 1, 2026.
Critically, CIPA, which itself appears in the Penal Code, typically reserved for governmental enforcement only, provides a private right of action. Any California resident can bring a civil claim directly without involving a regulator, which is a primary reason it has become the statute of choice for high-volume privacy litigation.
The statutory damages are USD 5,000 per violation. On a website with meaningful California traffic, that figure can aggregate to numbers that compel serious attention.
May 2026 CIPA Ruling
A May 2026 ruling by the Los Angeles Superior Court found that CIPA’s pen register provisions apply only to telephone communications and do not extend to software deployed on commercial websites. This is a notable development for defendants facing § 638.51 claims.
However, this is a trial court decision and does not bind other courts. Businesses should treat the legal landscape as still developing and seek counsel accordingly.
Should You Also Worry About the California Consumer Privacy Act (CCPA)?
The California Consumer Privacy Act (CCPA) and its amendment/replacement, the California Privacy Rights Act (CPRA), govern how businesses collect, use, share, and sell the personal information of California residents. Unlike CIPA, the CCPA is primarily an opt-out framework.
Businesses generally do not need prior consent to collect personal information (with the exception of sensitive data and children’s data), but must provide consumers with the ability to opt out of the sale or sharing of their data and must honor opt-out signals, including the Global Privacy Control (GPC).
Importantly, CCPA compliance does not protect against CIPA claims. The two laws operate on different legal foundations. The CCPA governs what data is collected and what consumer rights apply; CIPA governs how communications are intercepted, with provisions that require prior consent regardless of whether a business otherwise meets its CCPA obligations.
A website with a fully compliant privacy policy and functioning opt-out mechanism can still face CIPA liability if it deploys third-party tracking tools without consent.
Why Are More of These Letters Arriving Now?
Privacy class action litigation under CIPA, CCPA, the Video Privacy Protection Act (VPPA), and related statutes has become a lucrative revenue stream with minimal costs for plaintiffs and potentially high costs for the defendants.
The cost to plaintiffs of sending a demand letter is low, typically in the low four figures. The cost to file a templated complaint is in the low five figures. The cost to a defendant of defending through a motion to dismiss with a conventional law firm team can reach USD 400,000–800,000.
Against that backdrop, settling for far less than the cost of defense can often be the rational short-term choice. This is precisely what plaintiffs are counting on.
The statutory exposure numbers are a significant part of the leverage. Consider the following ranges cited in recent litigation.
| Statute | Per-Violation Exposure | Typical Putative Class |
| CIPA § 631 (wiretap) | USD 5,000 per violation | All California visitors over the limitations period |
| CIPA § 638.51 (pen register) | USD 5,000 per violation | All California visitors with device data captured |
| CCPA (statutory damages) | USD 100–750 per incident / actual damages | California consumers affected by qualifying breach |
| VPPA § 2710 | USD 2,500 per violation + attorneys’ fees | All subscribers exposed to unauthorized pixel disclosure |
A website with one million California visitors (only 2.5 percent of the state’s population of nearly 40 million) running a non-compliant advertising technology tool could, in theory, face statutory exposure in the billions.
That outcome is unlikely, but the gap between theoretical exposure and realistic settlement is the mechanism plaintiffs’ firms use to extract settlements. The only durable way to reduce that leverage is to reduce the underlying exposure, which is where consent management infrastructure becomes directly relevant.
What the Demand Letter Actually Means for Your Business
Receiving a demand letter does not mean you have been found to have violated the law. It means that a plaintiff, or more commonly a plaintiff’s firm, has identified your website as a potential target based on tracking technologies in use and is testing your response.
A demand letter typically initiates a clock. Response windows vary, but deadlines of 20–30 days have been reported. Ignoring the letter carries risks, including escalation to formal litigation. The appropriate first step is to forward the letter to qualified legal counsel promptly. While counsel assesses the specific claims, there are several questions your business should be prepared to answer.
What Tracking Technologies Does Your Website Deploy?
Most CIPA claims rest on the presence of specific tracking technologies, such as advertising pixels, session replay tools, chat functions, or analytics scripts. These tools transmit data to third parties.
Conducting a website compliance scan to inventory what technologies your site deploys, and under what consent conditions they fire, is an essential first step. Usercentrics’ free scanner surfaces these technologies quickly.
Does Your Site Honor the Global Privacy Control Signal?
GPC compliance is an active enforcement priority across multiple states. Since January 1, 2026, businesses subject to the CCPA must confirm to consumers that their opt-out preference signal has been processed.
A visible acknowledgment is required, not just silent backend processing. If your site does not currently detect and honor the GPC signal, that is an immediate gap to address regardless of the demand letter’s outcome.
What Does Your Consent Infrastructure Look Like?
Under CIPA, the question of whether a tracking technology requires prior consent is still being litigated in California courts, and SB 690 has not yet been enacted.
In the absence of statutory clarity, implementing a consent management platform that obtains prior user consent before firing tracking scripts positions your business more defensibly than relying on opt-out alone.
Under the CCPA, the relevant questions are whether your opt-out mechanisms are functional, whether your privacy policy accurately describes your data practices, and whether you have a documented process for honoring consumer rights requests within the required 45-day window.
What to Do When You Receive a CIPA or CCPA Demand Letter
The following steps are not legal advice. They are practical actions that businesses in this situation commonly take in parallel with engaging legal counsel.
Engage Qualified Legal Counsel Immediately
The demand letter will likely have been written by attorneys who litigate these cases at volume. The response should be handled by counsel with specific experience in CIPA, CCPA, VPPA, and related privacy litigation. Ask your counsel for their track record on dispositive motions, not just settlements.
Do Not Ignore the Letter or Respond Directly Without Counsel
Any written response you make to the plaintiff’s firm without counsel involved could become part of the record if litigation follows. Expertise in use of tracking technologies is useful, but only part of the equation.
Preserve Relevant Documentation
Do not delete website logs, consent records, privacy policy versions, or vendor contracts. Preservation obligations may attach at the moment you receive the letter.
Conduct a Technology Audit of Your Website
Identify every third-party script, pixel, and analytics tool currently deployed. Determine under what conditions each fires: before or after consent, always on, or blocked until consent is given.
Review Your Privacy Policy for Accuracy
Your privacy policy must accurately describe the categories of personal information you collect, the purposes for which it is used, and the third parties with whom it is shared. It must also be kept up to date as business operations, regulatory requirements, and technologies in use change.
A material discrepancy between your stated practices and your actual data flows is an independent compliance risk.
Assess Your Opt-out Mechanisms
Confirm that your “Do Not Sell or Share My Personal Information” link (and “Limit the Use of My Sensitive Personal Information” where relevant) is visible, functional, and correctly wired to your data infrastructure. Confirm that opt-out via GPC is detected and honored, and that a visible acknowledgment is displayed when the signal is processed.
Consider Implementing or Upgrading Your Consent Management Platform
No technology can completely eliminate litigation risk, but a CMP addresses the consent infrastructure failures that underlie most CIPA claims.
How Usercentrics Can Help Support Your Response
Usercentrics is one of the world’s most widely used consent management platforms, supporting over 2.4 million websites and apps. Usercentrics Web CMP is built to help businesses meet global consent requirements, including CCPA and CPRA, honors the GPC signal, and enables businesses to maintain auditable consent records.
From the perspective of the CIPA demand letter context, the most directly relevant capabilities are as follows.
Consent-Gated Technology Firing
Usercentrics CMP enables businesses to configure whether third-party tracking technologies fire before or after a visitor provides consent. For technologies that the business determines require prior consent, based on regulatory or partner platform requirements and legal advice, the CMP can block those technologies from loading until consent is given.
This is the foundational mechanism for addressing the “unauthorized interception” theory underlying most CIPA Section 631 and 638.51 claims. It is also a requirement for businesses operating internationally, as many privacy laws, such as Europe’s GDPR, require prior consent before collecting or using personal data.
GPC Signal Detection and Honoring
Usercentrics CMP supports Global Privacy Control signal recognition, enabling websites to automatically detect and honor consumer opt-out preferences communicated through the browser. Usercentrics also displays the required visible acknowledgement of GPC processing.
Consent Records and Audit Logs
In the event of litigation or regulatory inquiry, the ability to produce timestamped, granular consent records demonstrating what each visitor was shown, what choices were available, and what the visitor selected is significant. Usercentrics stores consent data in a format designed to support these audit requirements.
Do Not Sell / Share Opt-Out Infrastructure
Usercentrics CMP supports the implementation of opt-out mechanisms required by the CCPA, including the “Do Not Sell or Share My Personal Information” link, the “Limit the Use of My Sensitive Personal Information” mechanism, and the downstream signaling of consumer preferences to connected third-party services, such as Google, Microsoft, and Amazon consent modes.
Web Compliance Scan
If you have not yet conducted a technology audit of your website, Usercentrics offers a free web compliance scan that identifies cookies and other tracking technologies deployed on your site and assesses their consent configuration. This is a useful first step in understanding your current exposure.
CIPA and CCPA: What Makes Them Attractive as Litigation Tools
Understanding why plaintiffs’ firms choose these statutes over others helps clarify what the demand letter is actually about.
CIPA’s Private Right of Action Is Unusually Broad
To date California is the only U.S. state with a comprehensive privacy law that allows for private right of action. However, it’s limited to data breaches and subject to a 30-day cure period before litigation can proceed.
CIPA is quite different. Any individual can bring a civil claim for any alleged unauthorized interception or recording, not just a breach event, if the individual or business is based in California. That breadth, combined with USD 5,000 per-violation statutory damages, no cure period, and no requirement to prove actual harm, makes CIPA the preferred vehicle for digital tracking claims.
The Aggregation Problem
The per-visit or per-user nature of the claimed violations is what creates the massive theoretical exposure figures. A website with significant California traffic, where a tracking technology fires on every page load without prior consent, creates a separate arguable violation per visit.
At those numbers plaintiffs do not need to win. They only need to survive a motion to dismiss long enough to create settlement pressure.
The Defense Cost Asymmetry
The plaintiffs’ bar prices its demands precisely against the cost of defense, not the probability of winning at trial. Conventional defense through motion to dismiss with a large law firm can cost USD 400,000 to USD 800,000.
A targeted, technically fluent defense that understands how the specific tracking technology at issue actually works — and can argue that at the pleading stage — can compress that cost significantly while improving the probability of a dispositive outcome.
This is a decision your legal counsel is best placed to advise on. The point for present purposes is that the settlement demand you receive is calibrated to your expected defense costs, not to the merits of the claim.
The Broader Enforcement Landscape in 2026
The demand letter arrives in a context of escalating enforcement activity at both the regulatory and private litigation levels.
On the regulatory side, CalPrivacy’s enforcement program has grown substantially. In May 2026, a USD 12.75 million settlement with General Motors, which is the largest CCPA penalty to date, resolved allegations that the company shared location and driving data with data brokers without consumer knowledge or consent.
Earlier enforcement actions against Tractor Supply Company (USD 1.35 million, September 2025) and American Honda Motor Co. (USD 632,500) addressed similar themes: non-functional opt-out mechanisms, failure to honor GPC signals, and inadequate data minimization.
The Consortium of Privacy Regulators, a bipartisan coalition established in April 2025 and comprising CalPrivacy and the attorneys general of California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, has formalized cross-state coordination on enforcement priorities. Businesses operating across multiple states should treat CCPA requirements as a baseline, not a California-only concern.
On the private litigation side, the volume of digital wiretapping lawsuits has been substantial and shows no sign of declining while SB 690 remains unenacted. Businesses that address their consent infrastructure proactively are better positioned than those that wait for litigation to resolve the legal questions.
Usercentrics does not provide legal advice. The content of this article is for educational purposes only. Businesses that have received a demand letter should engage qualified legal counsel promptly.
