If you receive a CIPA demand letter, do three things immediately: do not ignore it, do not pay it on the spot, and do not change your website before documenting its current state. Then contact a qualified privacy attorney. These letters carry real risk, with statutory damages of $5,000 per violation, but they are also mass-produced, and a measured response protects you far better than panic.
CIPA demand letters are arriving by the tens of thousands, generated from automated scans of websites that send visitor data to third parties before consent. Most target ordinary tools: a Meta Pixel, Google Analytics, a chat widget. If you have not seen the background on the law itself, read What Is CIPA and How Can It Affect Business. Websites first, or the complete CIPA Compliance Guide. This article covers the response itself: the first 48 hours, your options, and how to make sure there is no second letter.
What is a CIPA demand letter, exactly?
It is a pre-litigation letter from a plaintiff attorney or sometimes a serial pro se litigant alleging that your website’s tracking tools intercepted a visitor’s communications or captured their identifiers in violation of the California Invasion of Privacy Act. It typically cites Penal Code Section 631, Section 638.51, or both, names the tools its scan detected on your site, threatens a lawsuit, and offers to settle, commonly for an amount between $5,000 and $50,000.
Two things are usually true at once. First, the letter is boilerplate: nearly identical letters go to hundreds of businesses, and the sender is running a volume operation built on quick settlements. Second, the threat is not empty: unanswered letters do turn into filed lawsuits, where statutory damages and attorney fee exposure apply. Treat it as routine but real.
What should you do in the first 48 hours?
- Preserve everything. Keep the letter, the envelope, and any emails. Note the date received.
- Document your website as it is today. Take dated screenshots of your consent banner or its absence, your privacy policy, and a browser Network-tab recording of what fires on page load. Your attorney needs an accurate picture of the moment the claim was made, and undocumented changes can look worse than the original problem.
- Do not respond to the sender yourself. Anything you write can be used in negotiation or litigation. No calls, no emails, no explanations.
- Contact a privacy attorney. Not a general business lawyer if you can help it; CIPA defense has developed its own playbook around standing, the “in transit” requirement, and whether pixels qualify as pen registers. Courts remain split on several of these questions, which is exactly what a specialist uses.
- Alert your web team. They will run the exposure audit that determines whether the letter’s claims are even accurate, and they will handle remediation once your attorney gives the go-ahead.
Should you pay, negotiate, or fight?
That decision belongs to you and your attorney, but it helps to understand the three paths and what each trades off:
| Response path | What it looks like | Trade-offs |
|---|---|---|
| Ignore the letter | No response, hope it goes away | Worst option. Risks an actual lawsuit with statutory damages, attorney fees, and litigation costs far above the demand |
| Settle early | Attorney negotiates a payment with a full release and no admission | Fast and predictable, but without fixing the website you remain a target for the next scan, and payment can mark you as a payer |
| Defend | Attorney challenges the claim, including standing, whether data was read in transit, or whether a pixel is a pen register | Courts have dismissed some of these theories, but defense costs money and outcomes vary by court; strongest when your site had consent controls in place |
The honest summary: the law is unsettled, some claims get dismissed, others survive, and the right path depends on what your website was actually doing when the scan ran. That is why the documentation from the first 48 hours matters so much.
How do you fix the website exposure?
Whatever your attorney decides about the letter, remediate the site in parallel with their sign-off on timing. A corrected website is both leverage in negotiation and significantly lowers the odds of letter number two, because the plaintiff firms rescan.
The fix follows the same sequence as prevention: inventory every third-party script, remove the ones you do not use, install a consent management platform that blocks all non-essential tags until the visitor agrees, verify the decline state actually stops tracking, and align your privacy policy with reality. The full step-by-step is in our CIPA Compliance Checklist for Business Websites.
One warning: half-fixes are dangerous. A banner that displays but does not block, or that keeps tracking after a visitor declines, gives future plaintiffs a stronger claim than no banner at all, because it adds misrepresentation on top of the wiretap theory.
Under a deadline and need the technical side handled now?
Our Website Security Reinforcement Package delivers the full script audit, consent platform configuration, decline-state testing, and dated documentation your attorney can use. For sites we rebuild or maintain, WordPress Maintenance keeps the fix verified month after month.
How do you prevent the next demand letter?
The businesses that get hit twice are the ones that settled and changed nothing. Prevention is operational, not one-time:
- Monthly script monitoring. New pixels, plugin updates, and vendor changes silently reintroduce exposure. Ongoing website management should include a standing third-party script check.
- Consent logs. Keep records proving visitors consented before tracking fired. If a future letter arrives, dated logs are your best evidence.
- A change rule for marketing. No new tag, pixel, or widget goes live without passing through the consent platform. One campaign shortcut can undo the entire remediation.
The bottom line
A CIPA demand letter is a stressful piece of mail, but it follows a predictable script, and so should your response: preserve, document, lawyer up, fix the site, then monitor so it never happens again. If you want to know your exposure before a letter ever arrives, start with the free scan on our CIPA Compliance Guide.
Check your site before a plaintiff firm does
Get a free CIPA Exposure Scan: we test your website in a fresh session, document every tracker that fires before consent, and send you a plain-English report.
Frequently Asked Questions
Is a CIPA demand letter the same as a lawsuit?
No. A demand letter is a pre-litigation settlement demand; no case has been filed yet. But ignoring it can lead to an actual lawsuit in California state or federal court, where statutory damages of $5,000 per violation and attorney fees apply.
How long do I have to respond to a CIPA demand letter?
Letters usually state a response deadline, often two to four weeks. Whatever the stated date, involve a privacy attorney within days of receiving it, because documentation and strategy take time and unanswered letters are more likely to become filings.
Should I take down my website tracking immediately?
Coordinate with your attorney first. Documenting the site’s current state before making changes matters, and abrupt undocumented removals can complicate your defense. Remediation should happen quickly, but in the right order.
Can I just pay the settlement and move on?
You can, and sometimes early settlement with a full release is the pragmatic call. But paying without fixing your website leaves you exposed to the next automated scan, and businesses that settle without remediating are frequently targeted again.
Will my business insurance cover a CIPA claim?
It depends on your policy. Some cyber liability and media liability policies respond to privacy claims, while many general liability policies exclude them. Notify your broker promptly, because late notice can jeopardize coverage that would otherwise apply.
My business is not in California. Can I really be liable?
Potentially, yes. CIPA claims are based on the location of the website visitor, not the business. If California residents used your site while tracking fired without consent, out-of-state businesses receive these letters routinely.
This article is for general informational purposes only and does not constitute legal advice. CIPA litigation is evolving, court decisions vary by jurisdiction, and the right response depends on your specific facts. If you have received a demand letter, consult a qualified privacy attorney promptly.



