CIPA Demand Letter Examples: 3 Real Redacted Letters

Osman Husain 4/10/26 1:02 PM

Most businesses that receive a CIPA demand letter have never seen one before. The language is dense, the legal citations are unfamiliar, and the damages figures are alarming by design. 

This page reveals real redacted CIPA demand letters, with plain-language annotations explaining what each part means and why it is written the way it is. For what to do after receiving a letter, see our CIPA demand letter response guide. For background on the law itself, see our California Invasion of Privacy Act compliance guide.

 

Example 1: The standard Meta Pixel pre-consent letter

This is the most common type of CIPA demand letter. It targets websites where Meta Pixel fires on page load before the consent banner has been interacted with. The following is a properly redacted real demand letter sent by Swigart Law Group. All identifying information has been removed. The legal language, structure, evidence methodology, and damages calculation are from the actual letter.

Note on redactions

The PDFs embedded on this page are redacted real demand letters. Company names, website URLs, claimant names, email addresses, case reference numbers, and dollar amounts specific to the recipient have been removed. The legal language, citations, evidence exhibits, and damage calculations are from the actual letters. 

 

Meta Pixel demand letter example

 

 

Redacted letter text

RE: Notice of Violation of California Invasion of Privacy Act (Cal. Penal Code §§ 630 et seq.) and California's Trap and Trace Statute (Cal. Penal Code §§ 638.50 et seq.)

Dear [Company Name],

This firm represents [Claimant Name] ("Client") in connection with privacy violations occurring on your website located at [REDACTED] (the "Website").

During Client's visit, the Website caused Client's browser to transmit electronic communications to Meta Platforms, Inc. via the Meta Pixel — a JavaScript tracking tool embedded in your website — prior to obtaining Client's consent.

This conduct constitutes a violation of Cal. Penal Code § 631 (wiretapping) and § 638.51 (pen register/trap and trace).

Statutory damages: $5,000 per violation under § 631; $5,000 per violation under § 638.51.

To resolve this matter, Client requests written confirmation within 21 days that the Meta Pixel has been disabled or placed behind a consent gate, together with a settlement offer.

What this means for you

The subject line names two statutes simultaneously — §631 (wiretapping) and §638.51 (pen register). This is standard in Swigart Law Group letters and doubles the damages floor on a single pixel firing.

The key phrase is "prior to obtaining consent." The pixel firing before the consent banner is the entire basis of the claim.

If your CMP loads the pixel conditionally on consent, this letter has no foundation. If the pixel fires on page load regardless, every visit is a separate violation.

The 21-day window and settlement demand are tactical. Most recipients settle without litigation. The ask for a consent gate is exactly what a CMP solves.

Example 2: The multi-statute, high-exposure letter

Not all CIPA demand letters are created equal. This type targets websites with a broad martech stack: multiple pixels, session replay tools, analytics SDKs, and live chat widgets all firing before consent. It cites CIPA §631, CIPA §638.51, and the federal ECPA simultaneously, then multiplies damages across every tool identified. The following is a properly redacted real demand letter sent by co-counsel firms. All identifying information has been removed.

Multi-statute demand letter example

 

 

Redacted letter text

RE: Notice of Violation of California Invasion of Privacy Act (Cal. Penal Code §§ 630 et seq.), Pen Register/Trap and Trace Statute (Cal. Penal Code §§ 638.50 et seq.), Electronic Communications Privacy Act (18 U.S.C. §§ 2510 et seq.), and Related California Statutes.

This letter is sent by [Law Firm A] and co-counsel [Law Firm B] on behalf of our clients and all similarly-situated individuals. During Client's visit to the Website, Client's browser transmitted identifying and behavioral data to Meta Platforms, Inc. via the Meta Pixel, and to 43 additional third-party vendors — advertising networks, analytics providers, session replay tools, and live chat platforms — prior to any consent being obtained.

Statutory damages exposure:
— Meta §631 violation: $10,000
— Third-party §631 violations: $215,000 (43 × $5,000)
— Third-party §638.51 violations: $225,000 (45 × $5,000)
— ECPA §2520 violation: $10,000 minimum

Total per-claimant exposure: $460,000 — multiplied across similarly-situated class members.

Our clients request written confirmation within 21 days that all third-party tracking tools have been disabled or placed behind a consent gate, a consent management audit by a qualified vendor, and a settlement offer.

What this means for you

Four legal frameworks cited simultaneously: CIPA §631, CIPA §638.51, federal ECPA, and a catch-all reserve for additional California statutes.

Co-counsel arrangement signals a coordinated campaign; both firms run books of similar cases.

The $460,000 exposure is entirely mechanical. Every third-party tool that fires before consent generates two separate violations: one under §631 (wiretapping, captures content) and one under §638.51 (pen register, captures metadata).

A standard martech stack — analytics, pixels, session replay, live chat — easily reaches 40+ interceptors. ECPA then adds a federal damages floor on top. The "class members" note converts a $460K individual demand into a seven-figure threat.

The 21-day window and the ask for a "qualified vendor" audit are tactical. Most recipients engage rather than face arbitration. The audit ask is a soft referral — it creates a need that a CMP directly fills.

Example 3: The TikTok trap-and-trace letter

A newer wave of CIPA demand letters targets TikTok Pixel specifically, but under §638.51 (the pen register statute) rather than §631 (wiretapping). This changes the legal theory, the damages floor, and the escalation path. These letters are typically filed as class actions from the outset, not individual pre-arbitration demands. The following is a properly redacted real demand letter sent by a plaintiff firm specializing in §638.51 claims. All identifying information has been removed.

TikTok demand letter example

 

 

Redacted letter text

RE: Notice of Violation of California's Pen Register and Trap and Trace Statute (Cal. Penal Code §§ 638.50–638.55)

This firm represents [Claimant Name] and a class of similarly situated individuals. During Client's visit to your Website at [REDACTED], Client's browser transmitted identifying metadata — including IP address, browser fingerprint, referral URL, page path, and behavioral events — to TikTok Inc. via the TikTok web beacon, without Client's prior consent.

This constitutes the installation and operation of a pen register and trap and trace device under Cal. Penal Code § 638.51.

This letter is addressed to [Company Name] c/o [Registered Agent Name], [Registered Agent Address], identified through the California Secretary of State.

Client requests that [Company Name] confirm within 14 days that the TikTok Pixel has been removed or placed behind a consent gate, and that [Company Name] is prepared to discuss a class-wide settlement.

Failure to respond will result in the filing of a class action complaint without further notice.

What this means for you

This letter cites §638.51 only — not §631. That is a strategic choice. Section 638.51 governs pen registers: tools that capture metadata (IP, page paths, timestamps) rather than content.

The TikTok Pixel is classified here as a pen register, which has a lower threshold to meet than wiretapping. Any site running TikTok for Ads without a consent gate is exposed.

Service on a registered agent rather than the company's operating address signals this is not a mass-blast campaign. The firm ran a Secretary of State lookup before sending, which establishes formal legal notice and starts the clock.

The key difference from Example 2: this goes straight to class action, not individual arbitration. The 14-day window is shorter, there is no audit ask, and the escalation path is compressed.

At even a modest class of 10,000 visitors, the $5,000-per-violation minimum under §638.51 creates a $50M theoretical exposure.

Why plaintiff firms send CIPA demand letters

Private plaintiff firms file claims under California Penal Code Section 631 because the statute provides $5,000 in statutory damages per violation with no proof of actual harm required. This means the plaintiff does not need to demonstrate that a specific user suffered a specific injury. They only need to demonstrate that the interception occurred without consent.

The business model works because the economics are asymmetric. A firm can use automated scanning tools to visit thousands of websites, identify non-compliant pixel implementations in minutes, and send demand letters calibrated to be cheaper to settle than to litigate. Most businesses settle without going to court. The ones that do not settle face the prospect of a filed lawsuit, discovery costs, and legal fees that often exceed the original settlement demand.

The scanning process is straightforward. The firm visits your website in a fresh browser session, opens the network tab in developer tools, and watches for any outbound request to a third-party advertising or analytics domain (facebook.com, tiktok.com, doubleclick.net) that fires before the user has interacted with a consent banner. If the scan captures such a request, that is the evidence that goes in the letter. For a full profile of how Swigart Law Group, the most active filer of these claims, operates, see our firm profile.

 

The pattern across every demand letter we have reviewed

Every CIPA demand letter Enzuzo has reviewed shares the same underlying technical pattern: a tracking tool fires before a user has consented, transmits data to a third-party server in real time, and the business has no timestamped consent log that could demonstrate the user chose to allow it.

The variation between letters is in the tool cited, the damages calculation, and the settlement amount. The cause is always the same. The technical fix is always the same.

Companies that came to Enzuzo after receiving demand letters include a fashion accessories brand with 700,000 monthly visitors, regional news publishers, a childcare platform that was sued rather than just receiving a demand letter, a wellness brand, and an arts education platform. Across all of them, the demand letter described a real technical problem. The letter was the symptom; the misconfigured pixel was the cause.

For the complete step-by-step guide to responding to a demand letter and fixing the underlying technical issue, see our CIPA demand letter response guide. For a comparison of the best consent management platforms for businesses in this situation, see our full guide.

Do not wait for a demand letter to fix your consent setup.

Enzuzo is a Google-certified consent management platform that blocks non-essential tracking scripts until consent is granted and logs every consent event with a timestamp. Rated 4.6/5 on G2.


Frequently asked questions

Are these real demand letters?

Yes. The PDFs embedded on this page are properly redacted real demand letters, not reconstructed examples. Company names, website URLs, claimant names, email addresses, and case-specific figures have been removed using black redaction bars. The legal language, statute citations, evidence screenshots, and damages calculations are taken directly from the actual letters as sent. Enzuzo received these letters from customers who came to us after receiving them.

What does a CIPA demand letter look like?

A typical CIPA demand letter is two to four pages long and contains five core sections: an opening that identifies your website and the claimant; a factual allegation describing the specific tracking technology observed firing before consent; the legal theory citing California Penal Code Section 631 or 638.51; a damages calculation referencing the $5,000 per violation statutory amount; and a settlement demand with a 20-to-30-day deadline.

How do plaintiff firms get evidence of the violation?

They use automated scanning tools that visit your website in a fresh browser session and record network activity before the user interacts with any consent interface. The scan captures a timestamped log of every outbound request to a third-party domain that fires on page load. If Meta Pixel sends a request to facebook.com before the user has clicked Accept, that request is the evidence. You can replicate this yourself: open your site in an incognito window, open the Network tab in Developer Tools, and watch what fires before you touch the consent banner.
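The self-check described here, and in the scanning-process section above, can be run over a HAR file exported from the Network tab. The following is an added example, not code from Enzuzo or from any scanning tool; the host `example.test`, the sample entries, the timestamps and the `findPreConsentRequests` helper are all constructed for illustration.

```javascript
// Added example: flag third-party requests in a HAR capture that started
// before the visitor clicked Accept. All sample data below is constructed.

// Naive registrable-domain guess (last two labels). Assumption: adequate for
// .com/.net hosts; use a Public Suffix List library for a real audit.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// consentTime: ISO timestamp of the Accept click, or null if the visitor never
// touched the banner (every third-party request is then pre-consent).
function findPreConsentRequests(har, siteHost, consentTime) {
  const siteBase = baseDomain(siteHost);
  const consentMs = consentTime === null ? Infinity : Date.parse(consentTime);
  const findings = [];
  for (const entry of har.log.entries) {
    const started = Date.parse(entry.startedDateTime);
    const host = new URL(entry.request.url).hostname;
    if (baseDomain(host) === siteBase) continue; // first-party request
    if (started >= consentMs) continue;          // sent after the Accept click
    findings.push({
      vendor: baseDomain(host),
      url: entry.request.url,
      startedDateTime: entry.startedDateTime,
      msBeforeConsent: consentMs === Infinity ? null : consentMs - started,
    });
  }
  return findings;
}

// Constructed HAR fragment (real exports carry many more fields per entry).
const sampleHar = { log: { entries: [
  { startedDateTime: '2026-01-15T10:00:00.120Z', request: { url: 'https://www.example.test/' } },
  { startedDateTime: '2026-01-15T10:00:00.480Z', request: { url: 'https://www.facebook.com/constructed-pixel-path?ev=PageView' } },
  { startedDateTime: '2026-01-15T10:00:00.650Z', request: { url: 'https://cdn.example.test/app.js' } },
  { startedDateTime: '2026-01-15T10:00:07.300Z', request: { url: 'https://analytics.tiktok.com/constructed-pixel-path' } },
] } };

const consentClick = '2026-01-15T10:00:05.000Z'; // constructed Accept-click time
for (const f of findPreConsentRequests(sampleHar, 'www.example.test', consentClick)) {
  console.log(`${f.startedDateTime} ${f.vendor} fired ${f.msBeforeConsent} ms before consent`);
}
```

An empty result for a capture taken with the banner untouched (pass `null` as the consent time) is the outcome a correctly gated site should produce.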

Can I see an actual unredacted demand letter?

Unredacted demand letters contain confidential information about the claimant and the legal proceedings. We do not publish unredacted letters. The redacted examples on this page represent the structure and language of real letters while removing all identifying details.

Is the settlement demand in the letter negotiable?

Generally yes. The initial demand is a starting position, not a final offer. The amount is set to be cheaper than litigation but above the floor that makes the case worth the firm's time. Businesses that respond through experienced privacy litigation counsel typically negotiate settlements below the initial demand. Non-response is the worst outcome — it typically results in the firm filing a formal lawsuit, at which point your leverage decreases and your legal costs increase.

What if I fix my pixel setup after receiving the letter?

Remediating your implementation after receiving a demand letter does not eliminate liability for past violations, but it does eliminate future exposure and demonstrates good faith in negotiations. Plaintiff firms are looking for a combination of settlement payment and assurance that the violation has been corrected. Fixing the underlying implementation is a practical and legal necessity — settling without remediating typically invites additional demand letters from other firms monitoring settlement patterns.

Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.