CIPA
Unsplash

The letter gives you 20 to 30 days. It arrives on law firm stationery, says your website has been illegally wiretapping its visitors, and offers to settle for anywhere between US$10,000 and US$100,000.

The law it cites was written in 1967 to stop people from bugging telephones. Thousands of American businesses have opened one this year, many of them nowhere near California.

"Outdated statutes like CIPA are being repurposed in ways that impose significant operational and compliance burdens on in-house counsel, diverting resources from meaningful governance and consumer protection efforts," says Susanna McDonald, chief legal officer of the Association of Corporate Counsel, which told a California appeals court in April that its members are left "jumping from one CIPA demand letter to the next."

From phone taps to pixels

The California Invasion of Privacy Act, or CIPA, was written for the age of the rotary phone. It bans recording or listening in on a private conversation unless everyone involved agrees, and it lets any Californian sue over a violation, with damages of US$5,000 each time it happens.

For half a century that meant phone calls. Then plaintiffs' lawyers noticed the law's language also fits the tools most websites quietly run, the ones that log who visits, what they look at and where they came from, then pass it to advertisers.

In their reading, a tracking cookie is a wiretap, and every website using one without asking first is breaking a 59-year-old law.

CIPA

The argument found an audience. When state Senator Anna Caballero drafted her reform bill, there were roughly 600 of these cases. There are now about 4,000, plus tens of thousands of settlement demands that never reach a courtroom.

Most trace back to a small group of firms and repeat plaintiffs running a production line.

They scan what a website tracks, flag anything that starts before visitors are asked for permission, and mail the template.

It explains why consent tools like Cookiebot by Usercentrics, which stop a site's trackers from running until visitors say yes, have moved from a compliance checkbox to something closer to lawsuit insurance.

The math only works one way

Sending one of these letters costs the sender a few thousand dollars. Fighting the lawsuit that follows can cost US$400,000 to US$800,000 before a judge even reaches the question of guilt.

So when the demand is US$10,000 to US$25,000, most businesses pay. Behind every letter sits a threat with far more zeros.

At US$5,000 per violation, per visitor, a site with modest California traffic faces theoretical exposure in the millions, and nobody wants to find out how a jury does that arithmetic.

The courts have started to push back. In May, a Los Angeles judge threw out one of these cases entirely, ruling that the law's tracking provisions were written for telephones and do not stretch to software on a website. Defense lawyers celebrated. But the decision binds no other court, some judges have gone the opposite way, and the letters have not slowed.

Sacramento is trying to shut the door. On July 1, a state Assembly committee advanced SB 690, Caballero's bill to, in her words, "protect California businesses from a new wave of abusive lawsuits." It would take these claims out of private hands. Only the state attorney general could pursue ordinary business tracking on websites and apps, and the change would reach back two years, erasing most of the cases already filed. The bill faces its next vote in August. It has stalled before.

CIPA

What to do before the law catches up

Many businesses assume they are safe because they comply with California's better-known privacy law, the CCPA, which lets consumers opt out of having their data sold. These wiretap claims sidestep it entirely. They target the moment before any opt-out is offered, when the tracking has already begun. A company can follow one California privacy law faithfully and still be sued under the other.

A newer rule raises the bar further. Since January 1, businesses covered by the CCPA must show visitors on-screen confirmation that their browser's do-not-track request and the Global Privacy Control have been honored. Handling it quietly in the background no longer counts.

The lasting fix is to reverse the order of operations, so nothing tracks anyone until the visitor agrees. A consent management platform such as Cookiebot by Usercentrics does this automatically. It finds every tracking tool a site actually runs, holds each one back until consent is given, and keeps a record proving it happened. That record is the point. In this wave of lawsuits, the difference between a target and a bystander is what a stranger finds when they come looking.

The reform bill may rescue everyone by autumn, and the appeals courts may yet agree that a cookie is not a phone tap. Neither will arrive before the next batch of letters does.