
Why Websites Are Getting Hit With Cookie and Tracking Lawsuits (And What to Do About It)

Over the past year, more and more businesses have received legal demand letters or threats related to website tracking and cookie compliance. Many business owners assume they are protected because they have a privacy policy or a small cookie notice. Unfortunately, that may no longer be enough.

Two sources in particular illustrate what is happening right now in the legal world:

  • Tauler Smith LLP has filed lawsuits against major brands such as Adidas, IHOP, Skullcandy, HoMedics, and Rack Room Shoes for alleged cookie and tracking violations under California law.
  • Hien Nguyen, a California resident, is named as the plaintiff in many of the demand letters going around now — including ones addressed to some of our clients.

These claims are not always filed lawsuits yet, but they show a growing trend where plaintiffs are targeting companies for how their websites handle tracking and user data.

The Legal Theories Behind These Claims

CIPA and the “Wiretapping” Theory

The core legal mechanism used in these claims often comes from the California Invasion of Privacy Act (CIPA). This law was originally passed in 1967 to prevent actual wiretapping of telephone conversations.

Plaintiffs and their attorneys are arguing that modern website tracking technologies — like pixels, cookies, and session replay software — function as illegal “eavesdropping” or “interception” devices. They claim these tools collect data about users without their explicit consent.

Pen Register and Trap & Trace Claims

A frequent argument in these cases is that certain tracking tools act as illegal “pen registers” or “trap and trace devices” under CIPA. These are technologies that capture information about the source or destination of communications, for example an IP address, browser type, or browsing history, rather than the actual content.

Some courts have accepted the theory that gathering this kind of tracking data before the user consents could violate CIPA’s prohibitions against these devices.

Statutory Damages and Why This Matters

One reason these lawsuits attract attention from plaintiffs’ attorneys is financial exposure. CIPA provides a private right of action with statutory damages of $5,000 per violation or three times actual damages, whichever is greater, without requiring the plaintiff to prove actual financial harm.

In a class action scenario with thousands of visitors to a site, these statutory damages could quickly add up to millions of dollars.

Session Replay Software as a Major Target

Session replay technology, which creates a video‑like recording of a user’s interaction with a website (mouse movements, clicks, keystrokes, form entries), has become a particular focus of these claims.

Plaintiffs argue that this type of software essentially records “communication content” without consent, which they say clearly falls into CIPA’s wiretapping prohibition.

Timing of Consent Matters

A key point highlighted in legal arguments is that consent must be prior and explicit. That means a privacy policy that appears at the bottom of a site or a link that users might see later is often considered insufficient.

If tracking begins before the user clicks a consent button, plaintiffs argue it is “too late” and therefore non‑compliant under these theories.

Legal Uncertainty Still Exists

Not every court has accepted these arguments. Some rulings have rejected certain claims, such as those tied to session replay, on the basis that the data collected was not “communication content” or that the technology did not intercept content in transit.

This mixed landscape means the legal risk is real, but there are viable defenses. That said, the trend is toward stronger expectations around consent and user control.

Demand Letters Today

The demand letters circulating now often propose specific settlement amounts to avoid formal litigation. These can range from several thousand dollars for a single claimant to much larger exposures if a class action is pursued.

Why This Is Happening Now

California privacy laws such as CIPA and the California Consumer Privacy Act (CCPA) focus on consent, transparency, and opt-out rights for personal data collection.

Unlike GDPR in Europe, U.S. privacy laws generally follow an opt-out model. Under this model:

  • Users must have a clear way to opt out of the sale or sharing of their personal information
  • Businesses must provide that mechanism and honor opt-out requests
  • Several states have passed similar privacy laws, and more are expected

Because many websites do not provide a clear opt-out or consent mechanism before tracking begins, these gaps are being targeted in demand letters.

There is also new legislation like the 2025 Opt Me Out Act, which will require browsers to support universal opt-out signals (like Global Privacy Control). That means users can set a browser preference to automatically opt out of tracking across all sites.

Are You Protected If You Have a Privacy Policy?

A privacy policy is necessary, but on its own it does not guarantee protection from these claims.

A privacy policy explains what your business says it does with data. A compliance mechanism actually gives users control over whether data is collected or shared.

Many websites rely on a privacy policy alone, without blocking tracking until consent is given or providing an obvious opt-out option. Plaintiffs argue this is insufficient.

What You Should Consider Doing

1. Use a Cookie Compliance Solution

A proper compliance solution includes:

  • A visible consent banner with opt-in and opt-out controls
  • Blocking of non-essential cookies until consent
  • Logged consent records for audit purposes
  • Ongoing regulatory updates

This is the most defensible position if you receive a demand letter or legal claim.

2. Provide a Clear Opt-Out Option

If you choose not to use a full compliance tool, you should at minimum make it extremely easy for users to opt out of tracking. This aligns more closely with what current U.S. privacy laws focus on.

3. Review Third-Party Tracking

If your site uses pixels or tracking tools that share data with platforms like Meta, TikTok, or Bing, ensure they are not firing before the user has consented.
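As an added example (not code from this post or from any compliance product), here is one way a site could hold non-essential tags until the visitor chooses, and keep a consent record, in JavaScript. The names `ConsentGate`, `register` and `decide` and the category labels are hypothetical, and treating a Global Privacy Control signal as an opt-out for the `ads` category is an assumption of this example.

```javascript
// Added example. ConsentGate and its method names are hypothetical, not a real library.
class ConsentGate {
  // gpc: pass navigator.globalPrivacyControl in the browser (true = opt-out signal set).
  constructor({ gpc = false, now = () => new Date().toISOString() } = {}) {
    this.gpc = gpc === true;
    this.now = now;
    this.choice = null; // null until the visitor makes an explicit choice
    this.pending = [];  // registered tags that have not been allowed to load
    this.loaded = [];   // names of tags that actually ran
    this.log = [];      // consent records kept for audit
  }

  // Register a non-essential tag; `load` runs only once its category is granted.
  register(name, category, load) {
    this.pending.push({ name, category, load });
    this.flush();
  }

  // Record the banner choice, e.g. { analytics: true, ads: false }.
  decide(choice, source = "banner") {
    const effective = {};
    for (const [category, granted] of Object.entries(choice)) {
      // Assumption: a GPC signal is treated as an opt-out for the "ads" category.
      effective[category] = granted === true && !(this.gpc && category === "ads");
    }
    this.choice = effective;
    this.log.push({ at: this.now(), source, gpc: this.gpc, choice: { ...effective } });
    this.flush();
  }

  // Load every pending tag whose category is granted; keep the rest blocked.
  flush() {
    if (this.choice === null) return; // no decision yet, so nothing fires
    const stillBlocked = [];
    for (const tag of this.pending) {
      if (this.choice[tag.category] === true) {
        tag.load();
        this.loaded.push(tag.name);
      } else {
        stillBlocked.push(tag);
      }
    }
    this.pending = stillBlocked;
  }
}
```

In the browser, each `load` callback would create the tag's script element, so no request goes to the third party until `decide` grants its category.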

How This Affects Your Business

  • A privacy policy alone may not fully protect you
  • If your website is accessible to California residents, you are generally expected to comply with opt-out rights
  • Other states have similar privacy requirements or are moving in that direction
  • Acting now is better than reacting after a demand letter arrives

Downsides to Intrusive Compliance Banners

While full compliance tools offer the strongest legal protection, it’s important to understand the trade-offs.

Some businesses use a very prominent cookie pop-up that forces the user to opt in before any cookies are fired. This may be the clearest way to document consent and avoid legal challenges. However, there are consequences to consider:

  • Many users will choose to opt out of tracking when presented with a strong pop-up
  • This can affect site performance metrics and analytics data
  • Tools like Google Analytics rely on cookies to track users, so when users opt out, it may appear as if traffic has dropped even when real traffic has not
  • This is because the analytics system simply stops tracking those users

Other brands often take a lighter approach by offering opt-out links in the footer or a less intrusive notice. This approach may track more users, but it does not provide the same level of documented consent.

Every business needs to balance the trade-offs between legal defensibility and tracking visibility.

Not Sure If Your Website Has Cookie Compliance In Place? We Can Help

If you are not sure whether your website is compliant or just want to review how your tracking is set up, we can help.

Our team offers a full cookie compliance solution starting at $35 per month. It includes:

  • Opt-in and opt-out banner with geo-targeting
  • Blocking of non-essential cookies until the user consents
  • Consent log storage for audit protection
  • Configurable styling to match your brand
  • Ongoing updates for changing legal requirements

We can also run a free scan of your website and provide recommendations based on what tracking tools are currently deployed.

This is a small investment compared to the risk and cost of responding to a legal complaint. If you would like to learn more, just reach out and we will walk you through it.

 

Disclaimer

We are not lawyers and this content does not constitute legal advice. This post reflects our experience, research, and conversations with clients on this topic.

We have seen multiple customers receive privacy demand letters in the last few months, and while we have posted about this issue and sent email communications to our clients over the past few years, formal legal actions seem to be increasing. Our goal with this article is to help you stay informed so you can decide what makes sense for your business.

 

Frequently Asked Questions (FAQs) About Website Tracking Lawsuits

  1. I’m not located in California. Does this apply to my business?

If your website is accessible to and used by residents of California, you are subject to the state's privacy laws, including CIPA and the CCPA. These laws follow the user, not just the physical location of your business. Given the nature of e-commerce and web access, it's highly likely your site has California visitors, making compliance relevant to you. Other states, such as Virginia, Colorado, and Connecticut, also have their own robust privacy laws.

  2. What specific laws are these lawsuits using to target businesses?

The primary law being leveraged in many of these cases is the California Invasion of Privacy Act (CIPA), a law dating back to 1967 designed to prevent actual wiretapping. Plaintiffs argue that modern tracking pixels, cookies, and session replay software function as illegal "eavesdropping" devices or "pen registers" that intercept electronic communications without the user's explicit prior consent. The California Consumer Privacy Act (CCPA) is also often cited.

  3. A standard "cookie banner" pops up when I visit most sites. Is that enough protection?

It may not be. These lawsuits often hinge on the timing of the tracking. If your website drops non-essential cookies or activates tracking pixels before the user has actively clicked "Accept" or "Agree," the plaintiff’s attorneys argue the data collection happened without prior consent. A compliant solution must actively block tracking until consent is given.

  4. How much money are we talking about if my business is targeted?

The financial risk is significant due to CIPA’s statutory damages provision. The law allows for damages of $5,000 for each violation, or three times actual damages, whichever is greater. In a class action lawsuit representing thousands of website visitors whose data was allegedly collected improperly, the total potential liability can quickly escalate into millions of dollars.

  5. We use standard tools like Google Analytics and Meta Pixels. Are those a problem?

Yes, they can be if not configured correctly. These tools use cookies and pixels to track user behavior and share data with third parties (Google/Meta) for analytics or targeted advertising. The issue arises when these scripts fire immediately upon page load, before the user has a chance to opt out or consent. They must be integrated with a compliance tool that delays their activation.

  6. What counts as "explicit consent" that will hold up in court?

Explicit consent typically requires an unambiguous, affirmative action by the user before data collection begins. A checkbox they manually tick, or an "Accept All" button on a clear, visible banner that simultaneously blocks tracking until clicked, provides strong legal defensibility. Simply having text that says "By using this site, you agree to our cookies" is likely insufficient.

  7. Can I just ignore a demand letter from a law firm like Tauler Smith LLP?

Ignoring a formal demand letter is risky. These firms are actively filing lawsuits and are prepared to litigate. The best course of action is to immediately engage legal counsel experienced in data privacy law. Your attorney can assess the validity of the claim, review your website’s current compliance posture, and advise on the appropriate response or settlement negotiations.

  8. Is "session replay" technology also a target in these cases?

Yes, absolutely. Session replay software records a user's entire journey on a website, including mouse movements, clicks, scrolling, and sometimes keystrokes entered into forms. Plaintiffs argue this is an extreme violation of privacy, as it records the content of communications and interactions, leading to strong CIPA claims.