If your business has a website with a search bar, a chat widget, a contact form, or Google Analytics, you may already be a target.
Businesses across the country, including those with no connection to California, are receiving demand letters and lawsuits claiming that these ordinary website features violate a 1967 California wiretapping law. Many of these claims are aggressive. Some are weak. All demand a fast, informed response.
What’s Driving the Wave
A wave of pre-litigation demand letters and lawsuits is targeting websites under the California Invasion of Privacy Act (“CIPA”). CIPA was written to address telephone wiretapping decades before websites existed, but plaintiffs’ firms are now applying it to everyday website features:
- Analytics tools like Google Analytics
- Advertising pixels (Meta, LinkedIn, TikTok, and similar)
- Session replay software
- Live chat and chatbot widgets
- Search bars and online forms
The core theory: when a visitor types something into your search bar or form, and that data flows to a third-party vendor, the vendor has “intercepted” a private communication without consent. A second theory treats the tracking tool itself as an illegal “pen register,” a term borrowed from decades-old telephone surveillance law. Traditional pen registers captured metadata about the source of outgoing phone calls. Plaintiffs now argue that capturing IP addresses or device data through online trackers is functionally equivalent to identifying the source of a communication from the user to the website.
One name shows up repeatedly: Vivek Shah, a self-represented litigant who has sent demand letters and filed lawsuits against businesses nationwide using this exact playbook, regardless of whether the business has any connection to California. He is not alone, but his volume of activity has made him a recognizable figure in this wave and a useful shorthand for the broader trend.
Whether either theory holds up is genuinely unsettled. Courts have reached conflicting conclusions on similar facts, and defendants have prevailed on meaningful arguments in several cases. But legal uncertainty does not make demand letters disappear. It means each one requires careful evaluation rather than a reflexive settlement.
Why This Wave Doesn’t Stop at the California Border
Two features of these claims make them attractive to plaintiffs’ firms and expensive for businesses:
- No proof of actual harm required. CIPA allows statutory damages, commonly cited at $5,000 per violation, without requiring the plaintiff to demonstrate any real loss.
- Per-visitor exposure. Some complaints allege that each website visitor, or even each individual interaction, constitutes a separate violation. That math escalates quickly.
The exact volume of these filings is difficult to pin down, and figures in legal media vary significantly. What remains consistent: the volume has grown sharply since 2023 and shows no sign of slowing. Critically, you do not need a business presence in California, or even California customers, to be a target. If your website is publicly accessible, that alone is enough to attract a California plaintiff.
Is a Seawall Coming? Not Yet, But California Is Trying.
The California Legislature is aware of the problem. A bill known as SB 690 is under active consideration as of July 1, 2026. Before the Legislature adjourned for summer recess on July 2, 2026, the bill’s sponsor, Senator Anna Caballero, amended it to: (1) cover pen register and trap and trace devices under CIPA, and (2) eliminate the private right of action for CIPA violations. The amended bill would instead vest enforcement authority exclusively in the California Attorney General. Notably, the bill would apply retroactively for a two-year period, meaning that if enacted, it would bar any individual-plaintiff lawsuits alleging CIPA violations that have been filed and remain pending within the last two years.
SB 690 is not yet law. The Legislature reconvenes on August 3, 2026, and must pass the bill before the August 31, 2026, adjournment for it to be enacted this year. While the bill’s progress is encouraging, businesses should not rely on its passage and must take steps now to manage their own exposure.
Already Caught in the Wave?
- Route it to legal counsel. Do not let a marketing team member, IT vendor, or customer service representative respond. Even an informal reply can become an admission.
- Do not ignore it, and do not assume it is fake because it looks templated. Many demand letters follow a similar format because they are sent at scale, not because they lack legal merit.
- Preserve your website’s current configuration. Take screenshots, export tag manager settings, and document consent banner configurations. All of these become critical evidence if the claim is litigated.
- Do not pay before an investigation. Some claims present real exposure. Others collapse once counsel actually reviews what the website does. You need to know which category you are in before deciding how to respond.
How to Keep the Wave From Reaching You
- Inventory your website’s third-party tools. Identify every script, pixel, and tag live on your site. Document what data each one collects, and when each one fires (e.g., immediately on page load versus only after affirmative visitor consent).
- Map where user-entered data goes. If a name, health term, job application detail, or other sensitive information typed into a form is transmitted to a third-party vendor, know that before a plaintiff’s lawyer discovers it.
- Deploy a functional cookie consent banner. Most website platforms support consent banners that require visitors to affirmatively opt in before trackers fire. If you use marketing, analytics, or tracking technologies, ensure a consent mechanism is actually in place and configured correctly.
- Test your consent banner; do not assume it works. Load your site in an incognito browser window and monitor network traffic. If analytics or advertising scripts fire before you interact with the consent banner, the banner is decorative rather than functional. That gap is exactly what plaintiffs’ firms look for.
- Verify your privacy policy matches reality. A privacy policy that understates what your website actually collects creates its own liability exposure, separate from and in addition to CIPA.
- Review your insurance coverage. Confirm whether your cyber liability or general liability policy responds to CIPA claims before you need the answer. Coverage gaps discovered during litigation are costly.
- Build a response playbook now. Decide in advance who reviews a demand letter, within what timeframe, and what the escalation path looks like. A plan developed under a 20-day deadline will be a worse plan.
Staying Above Water
This is a legal problem with a largely technical fix. The businesses best positioned to defend, or avoid, these claims are those that know exactly what is running on their websites and have already closed the obvious gaps. The businesses worst positioned are those scrambling to answer basic questions after a demand letter arrives.
If you need assistance auditing your website’s tracking tools, tightening your consent and privacy disclosures, or evaluating a demand letter you have already received, our team is ready to help.