CIPA “Wiretapping” Demands Are Surging — Is Your Website a Target?
What businesses with California website visitors need to know — and the steps that meaningfully reduce your exposure.
Donahue Fitzgerald is seeing a sharp rise in demand letters and class-action threats under the California Invasion of Privacy Act (“CIPA”), a 1967 anti-wiretapping statute now being aimed at ordinary website technology. A small group of repeat “tester” plaintiffs — most prominently Vivek Shah, along with firms such as Tauler Smith and the Swigart Law Group — visit business websites, capture the data those sites transmit, and demand payment.
The theory: when your site loads cookies, tracking pixels, analytics scripts, session-replay tools, or chat widgets that send a visitor’s information to third parties (Google, Meta, HubSpot, and the like) before the visitor consents, plaintiffs argue that you have unlawfully “intercepted” a communication — treating the tracker like a wiretap or “pen register” under Penal Code §§ 631 and 638.51.
The catch most businesses miss: a cookie banner and a privacy policy are not enough if the trackers fire the instant a visitor lands on the page — before anyone could read a notice or click “accept.” Courts have been skeptical of consent obtained after the data has already been transmitted.
Why It Should Matter to You
- $5,000 per violation regardless of harm. CIPA carries statutory damages of $5,000 per violation (or three times actual damages), plus attorney’s fees and injunctive relief, under Penal Code § 637.2. There is no opportunity to cure the violation(s).
- Violations stack. Plaintiffs argue that each tracker — and each third party your site transmits to — is a separate violation. Demands commonly open at $15,000 and climb with every additional tracker they can document.
- Class-action leverage. Because the theory applies to every California visitor, a single complaint can balloon into class exposure far larger than any individual claim. Recent privacy settlements have reached eight figures.
- You may not even know you’re exposed. Tracking tools are often installed by outside developers or marketing vendors and left running — “set it and forget it.” Many businesses have no current inventory of what their own site collects or where it sends it.
Important context: the law here is genuinely unsettled. Some courts have narrowed or rejected these claims; others have let them proceed. A 2025 reform effort (SB 690) that would have carved out routine commercial tracking did not pass. The practical takeaway is not panic — it is that the exposure is real enough, and the fixes cheap enough, that prevention beats litigation.
How to Protect Your Company — Action Items
- Check when your trackers fire — today. Confirm that pixels, analytics, and similar scripts do not activate until a visitor affirmatively consents. If a tool fires on page load, reconfigure it (with your IT, marketing, or web developer) to wait for consent. If you have no consent mechanism, switch the non-essential trackers off until one is in place.
- Make consent real, not cosmetic. Use a clear, prominent cookie banner that blocks non-essential trackers until the visitor chooses. A banner that looks compliant but lets tags fire anyway provides little protection. We recognize the trade-off with a frictionless visitor experience — but a genuine accept/reject choice is the single most effective safeguard.
- Take inventory of every tracker. Many vendor-built sites ship with pixels you never asked for and don’t use. Catalog your cookies, pixels, analytics, session-replay tools, chat widgets, and embedded scripts — then disable anything you don’t need.
- Strengthen your Terms of Use. Consider Terms that require visitors to resolve disputes in arbitration and waive class claims. This won’t bar a suit outright, but it can blunt the class-action leverage that makes these demands expensive. We can help you implement enforceable terms tied to your consent flow.
- Know your vendor and insurance position. Understand what each vendor collects, whether it reuses your visitors’ data for its own purposes, whether your contracts include indemnification, and whether your insurance covers privacy claims. (Note: sites handling personal, health, or other sensitive data draw heightened scrutiny.)
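The first three action items above come down to two mechanical checks: no non-essential tag may execute until the visitor has chosen, and you need a current list of which third-party hosts your pages actually load. The following is an added example, not code from Donahue Fitzgerald or from any consent-management vendor: a minimal consent gate that queues tag loaders by category and releases them only after an explicit choice, plus an inventory helper that sorts script URLs into first- and third-party. The category names, the tag names and the hostnames are constructed for illustration; in a real page each loader would append the vendor's script element, and the inventory would be fed `Array.from(document.scripts, s => s.src)`.

```javascript
// Consent-gated tag loading and a first-/third-party script inventory.
// Added example; category names, tag names and hostnames are constructed.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];

class ConsentGate {
  constructor() {
    // Only strictly necessary tags run before the visitor has chosen.
    this.consent = { necessary: true, analytics: false, marketing: false };
    this.pending = [];  // tags held back until their category is granted
    this.loaded = [];   // names of tags that have actually executed
  }

  // Register a tag. It runs now only if its category is already consented;
  // otherwise it waits. `load` is the function that would insert the
  // vendor's <script> element in a real page.
  register(name, category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, load };
    if (this.consent[category]) this._run(tag); else this.pending.push(tag);
    return this;
  }

  // Record the visitor's choice and release queued tags for granted
  // categories. "necessary" cannot be toggled by the banner.
  grant(choices) {
    for (const [category, allowed] of Object.entries(choices)) {
      if (category === 'necessary' || !CATEGORIES.includes(category)) continue;
      this.consent[category] = Boolean(allowed);
    }
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.consent[tag.category]) this._run(tag); else stillPending.push(tag);
    }
    this.pending = stillPending;
  }

  _run(tag) {
    tag.load();
    this.loaded.push(tag.name);
  }
}

// Sort script URLs into first- and third-party relative to siteHost.
// Subdomains of siteHost count as first-party; relative URLs resolve
// against the site; inline scripts (empty src) are skipped.
function inventoryScripts(scriptSrcs, siteHost) {
  const result = { firstParty: [], thirdParty: [] };
  for (const src of scriptSrcs) {
    if (!src) continue;
    let host;
    try { host = new URL(src, `https://${siteHost}/`).hostname; } catch { continue; }
    if (host === siteHost || host.endsWith('.' + siteHost)) {
      result.firstParty.push(src);
    } else {
      result.thirdParty.push({ src, host });
    }
  }
  return result;
}

// Simulated page lifecycle: three tags registered on load, then the
// visitor accepts analytics but rejects marketing.
function demoConsentFlow() {
  const gate = new ConsentGate();
  const fired = [];  // stands in for real network requests to vendors
  gate.register('session-cookie', 'necessary', () => fired.push('session-cookie'))
      .register('analytics-tag', 'analytics', () => fired.push('analytics-tag'))
      .register('ad-pixel', 'marketing', () => fired.push('ad-pixel'));
  const beforeChoice = [...fired];
  gate.grant({ analytics: true, marketing: false });
  return {
    beforeChoice,
    afterChoice: [...fired],
    stillPending: gate.pending.map(t => t.name),
  };
}

// Constructed sample of what document.scripts might yield on a page
// hosted at www.example.com (hostnames are invented).
const SAMPLE_SCRIPTS = [
  'https://www.example.com/app.js',
  '/static/main.js',
  'https://cdn.analytics-vendor.example/tag.js',
  'https://pixel.adnetwork.example/p.js',
  '',
];

function demoInventory() {
  return inventoryScripts(SAMPLE_SCRIPTS, 'www.example.com');
}

console.log(JSON.stringify(demoConsentFlow(), null, 2));
console.log(JSON.stringify(demoInventory(), null, 2));
```

The point the gate makes concrete is the one in the "catch most businesses miss": the banner's accept button must be the thing that calls `grant`, and nothing in the analytics or marketing categories may be wired to run before it. The inventory output is the starting point for the catalog in the third action item; each third-party host it lists is a vendor whose data use and contract terms you should be able to account for.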
If a Demand Letter Arrives
Receiving a CIPA demand does not mean you violated the law — many letters rely on automated scans and boilerplate allegations. But don’t ignore it, and don’t alter your site before preserving proof of how it worked. In short:
- Preserve evidence. Capture your current site configuration, third-party scripts, consent settings, privacy policy, and vendor contracts before changing anything.
- Investigate before responding. A technical review often shows the allegations are inaccurate or overstated.
- Loop in counsel early. Key defenses turn on whether data was truly “in transit,” the party and consent exceptions, and procedural standing.
Looking Ahead
If this issue concerns you, it is also worth contacting your state legislators. Reform proposals to exempt reasonable business uses have moved slowly, and it is not clear lawmakers appreciate the scale of the problem. In the meantime, the steps above are the most reliable way to keep your business out of the demand-letter pipeline.
Questions, or received a demand letter?
If you receive a CIPA demand from Vivek Shah, Tauler Smith, the Swigart Law Group, or any other party — or simply want to confirm your website is on solid footing — please contact a member of our Data Privacy & Security Team.
This client alert was contributed by Summer Associates Hajun Jeon (UC Berkeley School of Law 3L) and Olivia Arballo-Saenz (UC Berkeley School of Law 3L).