Alerts

Client Alert: Surge of Demand Letters Alleging Violation of the California Invasion of Privacy Act

July 13, 2026

By: Coleen M. Penacho, Douglas G. Verge

CLIENT ALERT

Surge of Demand Letters Alleging Violation of the California Invasion of Privacy Act  

By Attorneys Coleen Penacho and Douglas Verge


Several New Hampshire businesses recently have received demand letters from California attorneys and/or residents alleging that the use of third party tracking technologies on the businesses’ websites violates the California Invasion of Privacy Act (Cal. Penal Code § 630, et seq.) (“CIPA”). CIPA is a criminal statute which provides for statutory damages of $5,000 per violation. The letters threaten to file suit seeking statutory damages and other remedies unless the parties reach an informal resolution of the alleged dispute.

Background

In recent years, there has been a wave of digital wiretapping claims against website owners, alleging that commonly used website analytic tools violate CIPA, a California statute that was originally enacted to prevent the interception of telephone calls. Many of these claims have focused on CIPA’s prohibition on the use of pen registers - devices/processes which identify the source of a communication, without a court order, see Cal. Penal Code § 638.51, and, to a lesser extent, CIPA’s prohibition on eavesdropping, a third-party attempting to read, or reading the contents of an in-transit communication, see Cal. Penal Code § 631(1). After some early suits making these allegations survived motions to dismiss, some businesses decided to settle these claims rather than suffer the expense and uncertainty of trial. The spate of settlements opened the floodgates for additional claims against businesses throughout the country, including in New Hampshire, and not necessarily limited to California law.

Pen Register Claims

Under CIPA, a court order is required for the use of a pen register. See Cal. Penal Code §638.51. A pen register is “a device or process that records or decodes dialing, routing,addressing, or signaling information transmitted by an instrument or facility from which awire or electronic communication is transmitted, but not the contents of acommunication.” See Cal. Penal Code §638.50(b). The CIPA demand letters allege thattracking devices used on websites constitute pen registers “because they capture andtransmit dialing/routing/addressing/ signaling information – including IP addresses andrelated device/browser identifiers – associated with the [website visitor’s] electroniccommunications to use and load the [w]ebsite.” The IP addresses and related identifiersare then transmitted to software providers or other third parties, such as marketing or analytics providers, “without a court order and without the [website] visitor’s informed and specific consent.” Recently sent demand letters allege that this conduct violates CIPA and causes injury to the website visitor. The tracking devices implicated are not limited to cookies but also include other technologies such as third-party scripts, pixels, tags, and SDKs.

Eavesdropping Claims

Although not as prevalent, eavesdropping claims also may be included in CIPA demand letters. These claims usually are based on a business’s failure to obtain website visitors’ consent to record their website visits and share those recordings with one or more service providers. California courts also have held that a service provider may be considered a third-party eavesdropper, in violation of CIPA, where the provider does not just record the visits for the website owners but has the ability to use the recorded data for its own benefit.

Legislative Reform

Although some courts have started to express doubt about these claims, this has not yet led to uniform judicial relief or legislative reform. For example, in Jane Doe v. Eating Recovery Center LLC, No. 23-cv-05561-VC (N.D. Cal. 2025), the court noted that CIPA is a criminal statute, and that it was unlikely that the California Legislature meant to criminalize the collection and analysis of website traffic. The court called on the Legislature to update CIPA to provide guidance on these issues. Although a bill curtailing these claims passed the California Senate in 2025, it stalled in the California Assembly.

What Should Businesses Consider Doing?

It is a good practice for businesses to notify their insurers if they receive one of these claims. Beyond that, there are several approaches available to respond to these letters, but the proper approach is dependent on the specific circumstances facing the business. The attorneys in our Data Privacy and Security Practice Group are available to discuss the various options to help determine the proper one for your business.

Further, there are proactive steps that businesses can take to help protect against these claims. A good first step is an audit of your website tracking technologies. This audit should include identification of the tracking tools used, the data collected, how that data is used, and how it is shared with and used by service providers and other third-parties. Businesses also should limit the data they collect to that required for the operation of the business and ensure that privacy notices/policies are comprehensive and describe the use of tracking technologies (which may include using or enhancing a cookies/tracking technologies pop-up notice seeking the website visitor’s consent). Our Data Privacy attorneys can discuss these steps and others that are appropriate for your business model, as well as assist you if you have already received one of these letters.


Coleen and Douglas are members of the firm’s Data Privacy and Security Practice Group and Douglas serves as Co-Chair of this Group. 

 This Client Alert is provided for informational purposes only and does not constitute legal advice or establish an attorney-client relationship. Readers should not act upon the information contained in this alert without seeking advice from qualified counsel. Prior results do not guarantee similar outcomes.

Related Practice Group

Data Privacy & Security