|
BLOG
brenden kellwy law NEWS
Insightful Legal Perspectives for Ohio Residents
|
CIPA Demand Letters and Website Tracking: What Businesses Need to Know About Vivek Shah’s Privacy Claims
Brenden Kelley

Business owners are increasingly receiving demand letters accusing their websites of violating the California Invasion of Privacy Act, commonly known as CIPA. Many of these letters are being sent by Vivek Shah, a California-based pro se claimant who has reportedly sent similar demand letters to businesses across the country and has filed several lawsuits asserting website privacy claims.
These letters can be alarming. They often arrive with a draft complaint, references to California privacy statutes, screenshots from browser developer tools, and claims for statutory damages and injunctive relief. But businesses should understand two things at the same time:
- First, these claims should not be ignored.
- Second, receiving one of these letters does not mean the claim is valid.
What Is Happening?
California’s Invasion of Privacy Act was passed to protect private communications from improper monitoring and surveillance. See Cal. Penal Code § 630. Recently, however, plaintiffs have been using CIPA to target ordinary business websites that use common marketing and analytics tools.
The general theory is that a website violates CIPA when it automatically sends visitor information to third-party services before the visitor consents. These third-party services may include tools like:
- Google Analytics
- Google Tag Manager
- Google Ads/conversion tracking
- Meta/Facebook Pixel
- CallRail or other call-tracking tools
- Chat widgets
- Session replay or heatmap tools
- Online scheduling platforms
- Marketing automation tools
- Embedded forms and plugins
The demand letters often allege that these tools collect or transmit IP addresses, browser information, device identifiers, page URLs, or search/form data. Shah and others have argued that these tools function like unlawful “pen registers” or “trap and trace” devices under California law. See Cal. Penal Code §§ 638.50(b), 638.50(c), 638.51(a).
In plain English, the claim is not usually that a business intentionally hacked anyone or secretly spied on customers. Rather, the claim is that routine website tools sent technical visitor data to third parties before the visitor gave clear consent.
Why Should Ohio and Pennsylvania Businesses Care About a California Privacy Law?
Many business owners assume California privacy laws do not apply to them because they are not located in California. That may be true in many cases, but it should not be assumed.
If a business has a website that can be accessed from California, a California claimant may argue that California law applies because the alleged website visit occurred in California. Whether a California court actually has personal jurisdiction over an out-of-state business depends on the facts.
Important questions include:
- Does the business advertise to California residents?
- Does the business sell products or services to California customers?
- Does the website allow California residents to purchase, book, apply, subscribe, or submit information?
- Does the business knowingly collect or monetize data from California users?
- Is the website purely informational for a local business?
- Is the alleged tracking connected to the defendant’s own website, or did the claimant identify the wrong website or wrong company?
For a local dental office, medical practice, contractor, professional service business, restaurant, or local service provider that does not target California, personal jurisdiction may be a strong defense. But the analysis is fact-specific. In Briskin v. Shopify, Inc., the Ninth Circuit held that specific personal jurisdiction may exist where a company allegedly knew it was collecting data from California consumers and exploited that data for commercial gain. 135 F.4th 739 (9th Cir. 2025). That case is important, but it is very different from a purely local business with no California customers, no California advertising, and no California-directed services.
What Does CIPA Allow Plaintiffs to Seek?
The reason these demand letters get attention is that CIPA can carry statutory damages. Under California Penal Code § 637.2, a claimant may pursue statutory damages of $5,000 for each alleged violation, or three times the actual damages sustained, whichever is greater. The statute also permits a request for injunctive relief. Cal. Penal Code § 637.2(a)-(b). The statute also says actual damages are not a prerequisite to bringing an action. Cal. Penal Code § 637.2(c).
Plaintiffs may try to argue that each website visit, each third-party transmission, or each tracking tool is a separate violation. Whether that theory is legally valid depends on the facts and the court. But even weak claims can create risk because defending a lawsuit in California can become expensive quickly.
That is the leverage behind many of these demand letters.
The Law Is Still Developing
Courts are not uniform in how they evaluate website tracking claims under CIPA. Some courts have allowed claims to proceed past the pleading stage where plaintiffs alleged that tracking software collected IP addresses or other addressing information without consent. See Shah v. Fandom, Inc., 754 F. Supp. 3d 924 (N.D. Cal. 2024); Camplisson v. Adidas America, Inc., 809 F. Supp. 3d 1095 (S.D. Cal. 2025); Hassid v. Alex and Ani, LLC, 816 F. Supp. 3d 1196 (C.D. Cal. 2026).
Other courts have dismissed claims where the plaintiff failed to allege a concrete privacy injury, failed to plead the necessary communication, or failed to connect the alleged tracking to the statutory requirements. See Mitchener v. CuriosityStream, Inc., 815 F. Supp. 3d 845 (N.D. Cal. 2025); D’Antonio v. Smith & Wesson Inc., 820 F. Supp. 3d 928 (N.D. Cal. 2026); Shah v. MyFitnessPal, Inc., 2026 WL 216334 (N.D. Cal. Jan. 27, 2026).
That uncertainty is exactly why these claims are being brought. Plaintiffs are testing the outer limits of an older privacy statute against modern website technology.
Do Not Ignore the Letter, But Do Not Rush to Pay
If your business receives a CIPA demand letter from Vivek Shah or anyone else, do not panic and do not immediately pay. The first step is to evaluate whether the demand is factually and legally sound.
Some demand letters may have serious problems, including:
- The wrong website is identified
- The wrong domain is identified
- The screenshots are from another company’s website
- The claimant assumes ownership or control without evidence
- The business does not target California
- The website is purely informational
- The alleged third-party tools are not actually present
- The claimant did not submit a form, use a search bar, chat, or otherwise communicate with the business
- The business already had a consent banner or privacy disclosures in place
A plaintiff generally must connect the alleged tracking technology to the defendant. In Shah v. Fandom, the court allowed the claim to proceed in part because the plaintiffs alleged that the website owner incorporated third-party tracker code into its own website code, causing the trackers to install when users visited the website. 754 F. Supp. 3d 924 (N.D. Cal. 2024). If the claimant’s screenshots or technical allegations relate to a website your company does not own, operate, maintain, control, host, or redirect, that may be the strongest defense.
Preserve Evidence Before Making Changes
One of the biggest mistakes a business can make is immediately changing the website without preserving evidence first.
Before removing plugins, deleting code, changing cookie banners, or updating privacy policies, the business should preserve the current condition of the website. This helps avoid later arguments that evidence was destroyed or altered.
Businesses should preserve:
- Screenshots of the website as it exists now
- The privacy policy, terms of use, cookie policy, and consent banner
- A list of all website plugins and third-party tools
- Google Tag Manager settings, if used
- Google Analytics and Google Ads settings, if used
- Call-tracking settings, if used
- Chat widget, scheduling, form, and CRM integrations
- Developer-tool network logs showing what loads on page visit
- Domain ownership and hosting records
- Copies of the demand letter, envelope, draft complaint, and attachments
This preservation step does not mean the business agrees with the claim. It simply protects the business and its defenses.
What Should Your IT or Website Vendor Do?
After preserving evidence, your website professional should audit the site for privacy and tracking issues. The legal analysis should be handled by counsel, but the technical work usually needs to be done by the website developer, IT provider, marketing company, or compliance vendor.
At a minimum, your website team should identify:
- What scripts, pixels, cookies, tags, and third-party tools load on the site
- Which tools load automatically when a visitor first lands on the site
- Whether any non-essential tools load before consent
- Whether search terms, form entries, chat content, phone numbers, emails, or other user-submitted information are sent to third parties
- Whether Google Analytics, Google Ads, Meta Pixel, CallRail, chat tools, heatmaps, scheduling tools, or CRM integrations are active
- Whether the website has a functioning cookie consent banner
- Whether the consent banner actually blocks non-essential scripts before opt-in
- Whether the privacy policy accurately discloses the tools being used
- Whether California visitors should receive a stricter consent experience
The most common practical fix is to implement a real consent-management platform that blocks non-essential analytics, advertising, retargeting, tracking, and call-attribution tools until the visitor affirmatively consents.
A privacy policy alone may not be enough if the tools fire before the visitor has a meaningful opportunity to consent. Courts have been skeptical of relying on footer links or passive terms to establish consent where the user did not take clear affirmative action. See Camplisson v. Adidas America, Inc., 809 F. Supp. 3d 1095 (S.D. Cal. 2025); Hassid v. Alex and Ani, LLC, 816 F. Supp. 3d 1196 (C.D. Cal. 2026).
Updating Your Website Is Not an Admission of Liability
Some business owners worry that fixing the website will make them look guilty. Generally, updating a website to reduce legal risk should not be treated as an admission that the prior setup was unlawful.
Businesses update compliance practices all the time. Laws change. Litigation trends change. Technology changes. Risk tolerance changes.
The better view is simple: even if the claim is weak, it is still smart to reduce the chance that the same claimant, or another claimant, visits the correct website later and sends a new demand.
How Businesses Should Respond
A business that receives a CIPA demand letter should usually take the following steps:
- Do not communicate directly with the claimant.
- Send the letter to legal counsel.
- Preserve the website and related evidence before making changes.
- Confirm whether the business owns or controls the website identified in the letter.
- Confirm whether the screenshots and technical allegations actually relate to the business.
- Determine whether the business targets or serves California residents.
- Have IT or the website vendor audit the site.
- Update the website’s consent tools, privacy policy, cookie policy, and third-party script settings as needed.
- Evaluate defenses before discussing settlement.
- If the claim is factually wrong, respond clearly and firmly.
Depending on the facts, the best response may be a denial, a request for more information, a technical correction, a settlement discussion, or preparation to defend the claim if a lawsuit is filed.
The Bigger Lesson for Business Owners
The broader lesson is not limited to Vivek Shah or CIPA. Website privacy claims are becoming a real legal risk for small and mid-sized businesses.
Many businesses have websites built by marketing vendors who install analytics, pixels, call tracking, forms, and plugins without much thought about privacy law. For years, that was treated as ordinary website marketing. That is changing.
Business owners should know what their websites are collecting, where that information is going, and whether visitors are given meaningful notice and consent before non-essential tracking occurs.
Bottom Line
If your business receives a CIPA demand letter, do not ignore it. At the same time, the letter should be tested carefully before accepting its allegations as true.
The claimant may have the wrong website. The business may not target California. The website may not use the tools alleged. The law may provide defenses. But those defenses are much stronger when the business acts carefully, preserves evidence, and gets the website reviewed before responding.
At the same time, this is a good reminder for every business owner: your website is part of your legal risk profile. Privacy policies, cookie banners, analytics tools, call tracking, and marketing pixels should not be afterthoughts.
Brenden Kelley Law helps business owners respond to legal threats, assess website privacy risks, and work with their IT and marketing professionals to reduce exposure before litigation begins.
Legal Authorities Cited
Cal. Penal Code § 630
Cal. Penal Code § 637.2
Cal. Penal Code § 638.50
Cal. Penal Code § 638.51
Briskin v. Shopify, Inc., 135 F.4th 739 (9th Cir. 2025)
Shah v. Fandom, Inc., 754 F. Supp. 3d 924 (N.D. Cal. 2024)
Camplisson v. Adidas America, Inc., 809 F. Supp. 3d 1095 (S.D. Cal. 2025)
Mitchener v. CuriosityStream, Inc., 815 F. Supp. 3d 845 (N.D. Cal. 2025)
Hassid v. Alex and Ani, LLC, 816 F. Supp. 3d 1196 (C.D. Cal. 2026)
D’Antonio v. Smith & Wesson Inc., 820 F. Supp. 3d 928 (N.D. Cal. 2026)
Shah v. MyFitnessPal, Inc., 2026 WL 216334 (N.D. Cal. Jan. 27, 2026)

