ConsentPixel – Privacy · Verified

CIPA & Legal Risk

What Happens When You Receive a CIPA Demand Letter — A Step-by-Step Response Guide

A demand letter just landed: formal letterhead, a 1967 statute you've never heard of, and a damages figure that made your stomach drop. Here's exactly what it means, what to do in the first 72 hours, what not to do, and a checklist you can act on immediately.

By the ConsentPixel — Privacy · Verified team June 2026 17 min read
20–30 days
Typical response deadline stated in a CIPA demand letter
72 hours
The window where your early moves matter most
72%
Of web-privacy claims tied to just four firms, per one insurer report

If a CIPA demand letter has arrived in your inbox or by FedEx, take a breath before you do anything else. First, don't panic. These letters are engineered to make your stomach drop — the formal letterhead, the unfamiliar 1967 statute, the damages figure with a lot of zeros — but the most useful first fact is this: you are not being singled out, and the letter is not a lawsuit. Online tracking claims exploded from roughly 200 in 2023 to nearly 4,000 in 2024, with demand letters and arbitration filings stacked on top — and a large share of them trace to a handful of firms running a volume model designed to convert mass mailings into mass settlements. You are one of thousands who received a near-identical letter. That doesn't make it harmless — the deadline is real and ignoring it has consequences — but it does mean there's a known, methodical way through this, and that the panic the letter is designed to produce is exactly the thing to set aside.

Before you do anything: breathe

The single most expensive reactions to a demand letter are the panic moves — paying immediately to make it disappear, or stripping trackers off your site that same hour. Both can make your position worse. You have time inside the deadline to do this properly. Read the steps below, then act in order.

This guide walks the response end to end: what the letter is, what to do in the critical early days, the defenses your lawyer will weigh, how to think about settling versus fighting, and how to fix the underlying problem so you're not back here in six months. There's a checklist near the end you can use the moment a letter lands. One thing up front, and it runs through everything below: this article is informational and is not legal advice. CIPA outcomes are fact-specific and the law is genuinely unsettled — the steps here are about helping you act sensibly and engage the right counsel, not about replacing them.

What a CIPA demand letter actually is

A CIPA demand letter is a pre-litigation notice. It alleges that your website's tracking technologies — pixels, cookies, session-replay tools, chat widgets, or similar — illegally intercepted a user's communications under the California Invasion of Privacy Act, and it invites you to settle before a lawsuit is filed, typically within 20 to 30 days. No complaint has been filed and no court is yet involved. That last point is the one to hold onto: a demand letter is an invitation to settle, not a judgment, and how you respond is still entirely within your control.

The legal theory usually rests on one of two provisions: California Penal Code § 631(a), the older "wiretapping/interception" clause, or § 638.51, the "pen register / trap and trace" provision that plaintiffs increasingly favor as courts grow skeptical of the wiretapping framing. Many letters also invoke federal and related statutes such as ECPA or California's CDAFA alongside CIPA.

CCPA compliance does not protect you

This surprises many teams: being compliant with California's consumer-privacy law (CCPA/CPRA) does not immunize you from CIPA. They are separate statutes addressing different legal theories. A polished CCPA program and a cookie banner do not, by themselves, answer a CIPA claim — what matters is whether trackers fired before consent.

The first instinct to resist

The natural reaction to a demand letter is one of two extremes: pay quickly to make it disappear, or ignore it and hope it does. Both are mistakes. Paying on your own, without counsel and without fixing the underlying issue, can mark you as a willing payer and leaves you exposed to the next letter. Ignoring it forfeits your chance to evaluate or negotiate the claim, and firms commonly file within weeks of a missed deadline. The right posture is in between: move deliberately, preserve your position, and get advice before you say anything on the record.

What's inside the letter

Demand letters from the high-volume firms follow a recognizable script. Knowing the parts helps you read one calmly:

  • The allegation — who allegedly visited your site and when, which specific tracking tool is said to have fired, and what data it transmitted to a third party.
  • The legal hook — the CIPA provision invoked (§ 631(a) or § 638.51), often with companion statutes.
  • The damages math — CIPA's $5,000 per violation (or three times actual damages, whichever is greater, with no proof of harm required), multiplied across many alleged interactions to produce an alarming on-paper total.
  • The settlement demand — a number, with a deadline of roughly 20–30 days, frequently sized to sit below what mounting a defense would cost.
  • Sometimes, an arbitration framing — invoking the arbitration clause in your own terms of service to push the matter into confidential individual arbitration rather than court.

A growing subset of these don't threaten court at all — they threaten arbitration, which offers plaintiffs lower costs, speed, and confidentiality. The class-action threat, where present, is often posturing at the demand stage (individual settlements are what the model is built to harvest), but "often posturing" is not "always empty," and some firms do file.

Here's what those pieces look like assembled. The mock-up below is an illustrative example with fictional details — not a real letter from any firm — annotated to show the standard parts:

Illustrative sample — not a real letter
SAMPLE & EXAMPLE LLP
Attorneys at Law · 100 Illustration Way, Suite 000 · Anytown, CA 90000
Via Federal Express

Re: Notice of Violation — California Invasion of Privacy Act

Dear Business Name,

This firm represents an individual who visited your website, www.[yoursite].com, on or about [date]. Our investigation has determined that your website deploys third-party tracking technologies, including the Meta Pixel and a session-replay tool, which transmitted our client's data to third parties without prior consent.

This conduct constitutes a violation of California Penal Code §§ 631(a) and 638.51, which provides for statutory damages of $5,000 per violation. Based on the interactions recorded during our client's visit, the potential exposure exceeds $XXX,XXX on an individual basis, and substantially more on a class-wide basis.

To resolve this matter without litigation, we are prepared to accept a settlement of $[amount] if received within 30 days of the date of this letter. Should we not hear from you, we are prepared to initiate arbitration proceedings pursuant to the arbitration clause in your Terms of Service.

Sincerely,
[Attorney Name], Esq.
Sample & Example LLP

The visitor & date — the alleged "victim" and when they visited
The named technology — the specific trackers said to have fired
The statutory hook — the CIPA sections and the $5,000 figure
The settlement demand & deadline — usually 20–30 days
The arbitration framing — using your own ToS clause against you
Note

The letter above is entirely fictional, created to illustrate structure only. Real letters vary in tone and detail, and the specific facts asserted are often thin or unverified — which is part of why a calm, counseled review (rather than a panicked payment) is the right response.

1

Don't ignore it — calendar the deadline first

Before anything else, find the response deadline in the letter and put it on a calendar with a reminder several days ahead. Everything else happens inside that window. Note the date the letter arrived and how it was delivered (email, FedEx, certified mail), and keep the envelope or delivery confirmation. If the deadline is alarmingly close, that itself is a reason to engage counsel quickly rather than to rush a response yourself.

2

Preserve everything — this is your litigation hold

This is the step people get wrong, and getting it wrong can be worse than the original claim. Before you change a single line of code, preserve the current state of your website: take screenshots, export your tag-manager configuration, save server logs if available, and document your existing consent mechanisms (banner, privacy policy, terms). Note every third-party script currently running.

Do not remediate first and document second

Stripping trackers off your site the moment the letter arrives — before preserving evidence — can be characterized as spoliation (destruction of evidence), which can hurt you more than the underlying claim. Capture the current state first, then fix. Issue an internal litigation hold so no one "helpfully" cleans things up.

Equally important: be careful how you communicate internally about the matter. Loose emails speculating about liability can become non-privileged evidence. Keep substantive analysis under the umbrella of counsel where possible, and keep internal chatter factual and minimal.

3

Engage privacy counsel before responding

Do not draft or send a response without advice from a lawyer experienced specifically in California privacy litigation. Your response creates a record that can be used against you, and the analysis here is genuinely fact-intensive. CIPA-experienced counsel can read the specific letter, assess your specific site, and tell you quickly whether the claim is strong, weak, or somewhere in between — and what to say (and not say) to the sender.

If you carry cyber-liability or media-liability insurance, notify your carrier promptly; some policies cover these claims and may have their own notice deadlines and panel-counsel requirements. The IAPP's resources are one starting point for finding qualified privacy counsel if you don't already have a relationship.

4

Run the technical audit (in parallel, not instead)

Alongside the legal track, establish the facts about what your site was actually doing. The single most important question in almost every CIPA pixel claim is: did the tracking script fire before the user consented? To check, load your site in a fresh browser session with no prior cookies and watch the network requests in developer tools. If the Meta Pixel, a session-replay tool, or a chat widget fires in the first fraction of a second — before any human could have responded to a banner — that's the consent-timing problem at the heart of the claim.

Two facts your audit might surface can be strong defenses, so document them carefully: whether the tool named in the letter was actually running on your site at all (sometimes it wasn't, or was removed months earlier), and exactly when each tag fires relative to the consent interaction. Remember Step 2 — capture this evidence before you remediate.

Day 0 Letter arrives Calendar deadline Days 1–3 Preserve evidence · counsel · audit Days 3–10 Assess defenses · settle or defend Deadline Respond via counsel · remediate root cause ! Preserve evidence BEFORE you remediate — fixing first can look like spoliation. Document the current state, then fix the root cause.
A typical response timeline inside the 20–30 day window. The order matters: preserve, then remediate.
5

Assess the defenses with counsel

Despite the confident tone of a demand letter, the issues are rarely clear-cut, and the sender often lacks key facts about your specific technology and site. Courts in the same district have reached opposite conclusions on similar facts. Your counsel will weigh defenses that have succeeded for other defendants, including:

  • The "party exception." A line of cases holds that a party to a communication can't "wiretap" it, and that a vendor acting solely as a tool for the website (not using the data for its own purposes) is more like a tape recorder than a third-party eavesdropper.
  • Consent. If a properly configured consent mechanism obtained affirmative consent before any tracking fired, that directly answers the core allegation.
  • The "in transit" requirement. § 631(a) requires interception of a communication in transit; some courts have dismissed claims that don't meet this threshold.
  • Standing. Some courts have dismissed CIPA claims where the plaintiff couldn't show a concrete injury.
  • Statute of limitations and whether the named technology was even present during the relevant period.

The unsettled state of the law cuts both ways. It means many claims are genuinely weak — but also that prediction is hard, which is exactly why specialized counsel evaluating your facts is worth far more than any general guide.

6

Decide: settle or defend

With the audit and the legal assessment in hand, you can make an informed decision rather than a fear-driven one. There's no universal right answer; it's a business judgment your counsel will help frame:

Consider settling when…Consider defending when…
The audit confirms trackers fired before consent and the facts are unfavorable.The named tool wasn't running, or fired only after consent.
Early resolution is available with a full release and no admission of liability, at a cost below defense.Strong party-exception, consent, or "in transit" defenses apply to your facts.
The business needs certainty and closure quickly.The firm has a reputation for not following through, or the claim is template-thin.

If you do settle, counsel should insist on a full release and no admission of liability — and you should still complete Step 7, because a settlement that leaves the technical problem in place simply invites the next letter.

7

Remediate the root cause

Whether you settle or defend, fix the underlying issue: trackers firing before consent. Settling without remediating leaves you exposed to the next demand. After preserving evidence (Step 2), implement genuine consent gating so that non-essential pixels, analytics, session replay, and chat tools do not execute until the visitor affirmatively consents — and keep verifiable records proving what fired and when for each visitor.

This is the difference between a cosmetic banner and real enforcement. A banner that appears after tracking has already started does not satisfy CIPA's prior-consent requirement; a mechanism that technically prevents tags from firing until consent is received is a meaningful defense. Most deployed banners do not meet that standard without careful configuration — which is precisely the gap the plaintiff firms scan for.

Why prevention is the real win

Every source on CIPA response converges on the same conclusion: the most reliable position is proactive. Know what runs on your site, block it until consent, and keep records that hold up — before a letter arrives. Remediation after the fact limits ongoing exposure; doing it beforehand means the scan that drives this entire industry finds nothing to flag.

The first-72-hours checklist

Print this or copy it into your incident doc. It's organized in the order you should act. (Reminder: this supports, and does not replace, advice from your own counsel.)

CIPA Demand Letter — Response Checklist

First 72 hours, in order. Informational only — not legal advice.

Immediately (Day 0)

Find and calendar the response deadline (usually 20–30 days), with a reminder several days ahead.
Record arrival details — date, delivery method, and keep the envelope or delivery confirmation.
Do not reply to the sender yet and do not call them to "explain."
Do not start deleting trackers or changing the site yet.

Preserve (Day 0–1) — your litigation hold

Screenshot the current site state, including any consent banner as it appears now.
Export your tag-manager configuration (e.g., GTM container) and save it.
Save server logs if available, and list every third-party script currently running.
Issue an internal litigation hold so no one alters or "cleans up" the site or related records.
Keep internal comms factual and minimal — avoid speculating about liability in writing.

Engage (Day 1–2)

Retain privacy-litigation counsel experienced specifically with CIPA — before drafting any response.
Notify your insurer if you have cyber- or media-liability coverage; mind their notice deadlines.

Audit (Day 1–3, in parallel)

Load the site in a clean browser session and watch the network tab.
Confirm which tags fire before consent — this is the central question.
Verify whether the named tool was actually running during the alleged period.
Document the audit results for counsel — before any remediation.

Then, with counsel

Assess defenses (party exception, consent, "in transit," standing, limitations).
Decide settle vs. defend based on facts, not fear.
Remediate the root cause — block non-essential trackers until consent, and keep verifiable records.

Costly mistakes to avoid

Each of these comes up again and again — and each one can make a bad situation worse.

  • ×Remediating before preserving. The instinct to "just fix it" can destroy the evidence that helps you — and create a spoliation problem on top of the original claim.
  • ×Paying quickly and alone. An uncounseled settlement can flag you as a soft target and rarely addresses the technical root cause.
  • ×Assuming CCPA compliance covers you. It doesn't — different statute, different theory.
  • ×Treating the banner as proof of consent. A banner that loads after tracking starts isn't prior consent; only technically enforced gating is.
  • ×Going silent. Missing the deadline forfeits negotiating leverage and invites a filing.
  • ×Over-communicating internally. Speculative emails about fault can become discoverable, non-privileged evidence.

The bottom line

A CIPA demand letter is frightening by design, but it's a known quantity with a methodical response. It's a pre-litigation invitation to settle, not a judgment — so don't panic, and don't react at either extreme of paying instantly or ignoring it. Calendar the deadline, preserve your evidence before touching anything, engage CIPA-experienced counsel before you respond, audit whether trackers fired before consent, weigh the defenses on your actual facts, and decide settle-or-defend as a business judgment. Then fix the root cause regardless of outcome. And the deeper lesson, true for every business that hasn't yet received one: the cheapest response to a CIPA demand letter is the consent enforcement you put in place before it ever arrives.

The best response is the one you make before the letter

ConsentPixel — Privacy · Verified blocks trackers before consent and keeps verifiable, page-scoped consent records — the exact gap CIPA letters target. Scan your site free and see what fires before consent.

Scan my site free

Frequently asked questions

Do I have to respond to a CIPA demand letter?

Ignoring one is generally not advisable. The deadline is real, non-response can strengthen the sender's position, and you forfeit the chance to evaluate or negotiate. That said, you should not respond on your own — engage privacy-litigation counsel before sending anything, because your response creates a record. The goal is a deliberate, counseled response within the deadline, not silence and not a rushed reply.

Is a demand letter the same as a lawsuit?

No. A demand letter is a pre-litigation notice and an invitation to settle before any complaint is filed — no court is yet involved. However, failing to respond can lead to an individual suit, a class action, or an arbitration demand, at which point costs rise significantly. Firms commonly file within weeks of a missed deadline, so "not a lawsuit yet" is not "safe to ignore."

Does my CCPA compliance protect me from CIPA?

No. CIPA and CCPA are separate statutes with different legal theories. A strong CCPA/CPRA program and a cookie banner do not, by themselves, defeat a CIPA claim. What matters for CIPA is whether tracking technologies fired before the visitor consented — the timing of the tags, not the existence of a privacy program.

Should I remove the trackers as soon as I get the letter?

Not before preserving evidence. Changing or stripping your site before documenting its current state can be characterized as spoliation, which can hurt your position more than the original claim. Capture screenshots, export your tag-manager config, save logs, and issue an internal litigation hold first. Then remediate the root cause — blocking trackers until consent — with that evidence safely preserved.

How much do these letters typically demand?

CIPA allows $5,000 per violation (or three times actual damages, whichever is greater) with no proof of harm required, and letters multiply that across many alleged interactions to reach a large on-paper figure. Actual opening settlement demands are often sized to fall below the cost of mounting a defense, which is what makes settling tempting. Your counsel can assess whether the demand is proportionate to the real exposure.

Can a cookie banner be a defense?

Only if it's properly configured. A banner that appears after tracking has already begun does not satisfy CIPA's prior-consent requirement. A consent mechanism that technically prevents non-essential tags from executing until affirmative consent is received — and that keeps records proving it — is a meaningful defense. Many deployed banners do not meet that standard without careful configuration and regular auditing.

ConsentPixel — Privacy · Verified
We build CIPA-first consent enforcement that blocks scripts rather than simulating consent. This article is informational and not legal advice — consult qualified privacy counsel for your specific situation.
Scroll to Top