Businesses across the US, UK, and EU are receiving pre-litigation demand letters claiming that their websites are committing illegal wiretapping. The tools named in these letters are not obscure: Meta Pixel, Google Analytics, session replay scripts, chat widgets, and advertising SDKs. The law being invoked is the California Invasion of Privacy Act (CIPA), a statute written in 1967 that plaintiffs are now applying to modern website analytics.
If your website is accessible to visitors in California, you may already be a target.
• CIPA demand letters target standard website tools: Meta Pixel, Google Analytics, session replay scripts, and chat widgets. The common claim is that these tools intercept user data before consent is obtained.
• The statute provides for $5,000 per violation in statutory damages. Class actions in this space have settled for amounts ranging from $1.2 million to $21.5 million.
• CIPA protects California residents, not California businesses. Any website accessible to California visitors can receive a demand letter, including businesses based in the UK, EU, and elsewhere outside the US.
• The core timing problem is pre-consent script firing. A tracking script that loads before the user sees or acts on a consent banner creates exposure under the plaintiff theory.
• The Blaker v. NetScout ruling (May 2026) dismissed pen register claims with prejudice, holding CIPA does not apply to web analytics software. This is persuasive authority but not binding across all courts.
• GDPR-compliant prior-consent architecture reduces CIPA exposure if applied to California traffic, not just EU traffic.
• If you receive a demand letter, preserve evidence before modifying your website. Changing configurations without a litigation hold can harm your legal position.
CIPA is a California criminal and civil privacy statute, codified in the California Penal Code. It was originally enacted to prohibit telephone wiretapping and the use of pen registers: devices that record the phone numbers dialled from a telephone line. Over the past several years, plaintiffs’ lawyers have reframed these provisions to cover third-party tracking technologies on websites.
The two main provisions appearing in current demand letters are:
• Section 631, which prohibits the unauthorised interception of communications while they are in transit. Plaintiffs argue that when a website loads a third-party tracking script, that script intercepts the communication between the user and the website before the user has consented.
• Sections 638.50–638.51, which prohibit the use of “pen register” and “trap-and-trace” devices without authorisation. Plaintiffs argue that tracking pixels and SDKs function as modern pen registers, recording metadata about who visits a site and what they do there.
California Penal Code § 637.2 gives any person whose communications are allegedly intercepted a private right of action for statutory damages of $5,000 per violation, or three times actual damages, whichever is greater.
Since 2023, a wave of pre-litigation demand letters has been sent to businesses across the US and, increasingly, to companies outside it. The letters allege that standard website technologies violate CIPA and threaten class action litigation unless the business settles.
Two names appear repeatedly in recent demand letters. Vivek Shah, a serial pro se litigant, has filed hundreds of individual claims against businesses. Tauler Smith LLP, a California law firm, has sent mass demand letters to businesses identified through automated website scans.
The demand letters follow a consistent pattern. They allege that:
• The business operates a publicly accessible website.
• The site loads third-party scripts, pixels, or SDKs that receive user data automatically on page load.
• That data includes IP addresses, browser identifiers, cookies, session IDs, URLs visited, and referral information.
• The tracking occurred before any user consent was obtained.
• The technologies constitute illegal pen registers or interception devices under CIPA.
The letters seek financial settlements and, in some cases, proceed to file class actions if no settlement is reached.
Plaintiffs are not targeting niche or exotic tools. The technologies cited in demand letters are tools that appear on most commercial websites.
• Meta Pixel: fires on page load by default, transmitting behavioural data to Meta’s servers before a consent banner has been displayed or acted upon.
• Google Analytics: begins collecting session data immediately on page load unless explicitly configured to fire only after consent is confirmed.
• TikTok Pixel and LinkedIn Insight Tag: subject to the same pre-consent firing problem as other advertising pixels.
• Session replay tools such as Hotjar and FullStory, which record mouse movements, clicks, and keystrokes. Under CIPA Section 631, recording a user’s input before consent is arguably an interception of a communication in transit.
• Chat widgets from third-party providers that load tracking scripts alongside the chat interface.
• Software Development Kits (SDKs) embedded in websites that transmit user data to advertising or analytics platforms.
• Consent Management Platforms (CMPs) that are misconfigured, allowing non-essential scripts to fire before consent is registered.
The central compliance issue is timing. When a user lands on a webpage, scripts load within milliseconds. A consent banner may appear a fraction of a second later. In that gap, tracking scripts may have already fired, sending data to third parties before the user has seen, read, or responded to any consent notice.
This is what legal commentators have called the “millisecond problem.” Under CIPA’s theory, the tracking that occurs in that window constitutes an illegal interception. A cookie banner displayed after the fact does not retroactively authorise what already happened.
The same problem applies to pages a user browses before ever reaching a consent banner, or to users who load a page and immediately close it without interacting with any consent interface.
CIPA protects California residents, not California businesses. Any website accessible to California residents may be subject to CIPA, regardless of where the website operator is headquartered.
Courts examining CIPA claims against out-of-state defendants look at personal jurisdiction: whether a California court can legitimately exercise authority over the defendant. The key factors courts examine include:
• Whether the company specifically targeted California consumers in its marketing or operations.
• Whether the company had meaningful California-based sales, offices, or commercial activity.
• Whether the plaintiff’s claim arises directly from that California activity.
For companies with minimal California presence, personal jurisdiction can be a strong threshold defence that ends a claim before substantive litigation costs accumulate.
Yes, in principle. Non-US companies operating websites accessible to California residents have received CIPA demand letters. The law does not include a geographic carve-out for international businesses.
In practice, an EU or UK business with no California office, no California employees, no California-targeted advertising, and no meaningful California revenue has a credible jurisdictional argument. However, “credible argument” is not the same as immunity. Defending a jurisdictional challenge still requires legal representation and costs money.
For any business with a US-facing website and genuine California traffic, CIPA is a live consideration. This is particularly relevant for companies in sectors that commonly attract US visitors: SaaS platforms, e-commerce, legal and professional services, and publishing. Reviewing your US privacy law obligations alongside CIPA is a sensible starting point.
At $5,000 per violation, and with websites generating thousands of page views from California residents, the theoretical exposure in a class action is significant. Several major settlements illustrate the range:
• The Los Angeles Times reached a $3.85 million settlement over claims that tracking technologies on its website and mobile app collected California visitors’ data without consent between January 2023 and December 2025.
• Sutter Health settled for $21.5 million over claims it deployed third-party tracking pixels on its patient portal and marketing website, transmitting health-related information to third-party vendors without consent.
• Fandom settled for $1.2 million over claims that its GameSpot website deployed unauthorised third-party trackers without prior consent to California visitors.
These are class action figures. Individual pre-litigation demand letters typically seek amounts ranging from $5,000 to $30,000 per complainant, calibrated to encourage settlement before legal costs make defending the case attractive.
Not fully, but it helps.
GDPR requires opt-in consent before placing non-essential cookies or running tracking technologies on EU users. A business that has genuinely implemented prior consent requirements (blocking all non-essential scripts until affirmative consent is recorded) has already addressed the core timing problem that CIPA plaintiffs target.
The difference is territorial. GDPR consent applies to EU users. If your consent management platform is configured to require prior consent only for visitors flagged as EU-based, a California visitor may not receive the same treatment. Your GDPR consent banner does not automatically cover California traffic unless your CMP is configured to apply the same pre-consent blocking globally, or specifically to California IP addresses.
CIPA is also stricter than California’s own consumer privacy law, the CCPA/CPRA, which operates on an opt-out model, meaning tracking is permitted by default, and users must actively opt out. CIPA, as plaintiffs interpret it, requires opt-in consent before any third-party interception occurs. A website configured to comply with the CCPA’s opt-out model may still face CIPA exposure if it tracks before any consent interaction.
Organisations that have invested seriously in GDPR compliance and implemented genuine prior-consent architecture are better positioned than those relying on opt-out banners. But a gap analysis specifically for California traffic is still necessary.
On 27 May 2026, the Los Angeles County Superior Court dismissed all claims in Blaker v. NetScout Systems, Inc. with prejudice. The plaintiff alleged that NetScout’s deployment of a third-party SDK from X Corp on its website constituted an illegal pen register under CIPA Sections 638.50–638.51.
The court held that CIPA’s pen register provisions were designed to apply to telephone communications, not to software operating on commercial websites. Applying standard rules of statutory construction and examining the legislative history of the pen register provisions, the court found the statute simply does not reach routine web analytics technologies.
The ruling is significant for two reasons. First, it gives defendants solid persuasive authority to seek dismissal at the earliest stage of litigation, before costs accumulate. Second, it was issued with prejudice, with no amendment permitted, signalling that the court found the underlying legal theory, not just the pleading, to be defective.
The case law remains unsettled across California courts and federal courts applying California law. Not every court has reached the same conclusion, and the pen register theory is only one of the CIPA provisions plaintiffs invoke. Section 631 wiretapping claims remain live in courts that have declined to extend the NetScout reasoning. No appellate court has definitively resolved the question.
The priority is evidence preservation, not website modification. Demand letters trigger a duty to preserve relevant evidence. Changing your website configuration before preserving evidence of its prior state can result in an adverse inference, meaning the court may assume the deleted evidence would have supported the plaintiff’s case.
Immediately on receipt of a demand letter, before any technical changes are made:
• Preserve all website source code in its current state.
• Preserve tag manager configurations, including all deployed tags and their firing rules.
• Preserve consent management platform settings, including what fires before and after consent.
• Create a preserved HAR (HTTP Archive) file with legal counsel. This captures every network request made on page load, showing exactly what fires, when, and what data is transmitted to third parties, before and after consent interaction.
• Preserve all analytics and advertising platform configurations, deployment logs, and change-management records.
• Preserve vendor contracts, privacy policies, and cookie disclosures as they exist at the time of the demand.
• Suspend any routine deletion procedures that might affect potentially relevant records.
Once evidence is secured, engage legal counsel experienced in CIPA to assess the personal jurisdiction question, evaluate the technical allegations in the letter, and determine whether the tracking described actually occurred as claimed.
For any business with California-facing website traffic, the following steps address the core risk:
• Audit all deployed tracking technologies. Many organisations discover that legacy tags remain active in their tag manager long after the underlying marketing campaigns ended. Every active tag is a potential exposure point.
• Configure your CMP to block all non-essential scripts until affirmative consent is recorded. This means scripts do not fire on page load; they fire only after the user has interacted with the consent banner and accepted relevant categories. Verify this in a HAR capture.
• Apply the same prior-consent requirement to California traffic that you apply to EU traffic under GDPR. If your consent architecture already requires opt-in for EU users, extending it globally or to California-geolocated users is the most direct mitigation.
• Confirm your cookie disclosure accurately identifies the tools deployed, their purpose, and which third parties receive data. Disclosures that list categories without identifying specific tools provide weaker protection than those that identify specific tools.
• Assess Global Privacy Control (GPC) signal handling. California regulators have emphasised that GPC signals must be honoured as opt-out signals under CCPA/CPRA. Non-compliance with GPC is a separate but related regulatory risk.
• Review vendor agreements covering analytics, advertising, and chat providers. Contracts should reflect actual data flows and assign responsibility for compliance with applicable law.
GDPRLocal works with businesses to review consent architecture across GDPR and US privacy law requirements, identify gaps in tracking configurations, and build documentation that supports a defensible compliance position. Contact us to discuss your data protection compliance needs.
CIPA is a 1967 statute enacted for telephone surveillance. The litigation wave applying it to web analytics is legally contested, and recent court decisions are beginning to push back on the broadest versions of the theory. The Blaker v. NetScout ruling in May 2026 is the clearest signal yet that courts are sceptical of applying pen register law to routine website technology.
That does not mean the risk has passed. Section 631 wiretapping claims remain in play. The financial cost of even a successfully defended claim is significant. And for businesses that have not audited their pre-consent tracking, a demand letter is a useful prompt to close gaps that were likely there already.
For UK and EU businesses with US-facing websites, the intersection of GDPR’s consent requirements and CIPA’s emerging obligations points in the same direction: prior consent, applied consistently, documented carefully, with a clear audit trail of what fires, when, and on whose authority.
CIPA stands for the California Invasion of Privacy Act. It is a California criminal and civil statute that prohibits the unauthorised interception of communications and the use of pen register or trap-and-trace devices. Originally enacted to regulate telephone wiretapping, it is now being applied by plaintiffs’ lawyers to website tracking technologies such as pixels, SDKs, and session replay tools.
Yes. CIPA protects California residents, not California businesses. Any website that California residents can visit is potentially subject to CIPA, regardless of where the operator is based. UK and EU businesses with US-accessible websites have received demand letters. A jurisdictional defence may be available to businesses with minimal California commercial activity, but it must be asserted and argued, incurring legal costs.
Partly. A GDPR-compliant consent architecture that blocks all non-essential tracking until affirmative user consent is recorded addresses the core timing problem that CIPA plaintiffs target. However, GDPR consent applies to EU users. If your CMP only applies prior-consent blocking to EU-geolocated visitors, California visitors may not receive the same treatment. To reduce CIPA exposure, the same prior-consent standard should be applied to California traffic.
California Penal Code § 637.2 provides for statutory damages of $5,000 per violation, or three times actual damages, whichever is greater. In a class action covering thousands of California website visitors, the theoretical aggregate exposure is substantial. Class action settlements in CIPA website tracking cases have ranged from $1.2 million (Fandom/GameSpot) to $21.5 million (Sutter Health).
Do not modify your website. A demand letter triggers a legal duty to preserve relevant evidence in its current state. Changing tag configurations, CMP settings, or privacy policies before preserving a snapshot of their current state can lead a court to draw an adverse inference. Preserve your website source code, tag manager configurations, CMP settings, and consent records, then engage legal counsel before taking any further action.