Over the past year, a growing number of technology companies have received demand letters alleging that their websites violate California’s Invasion of Privacy Act by deploying unlawful pen registers. The letters follow a recognizable pattern: a browser screenshot, a count of third-party network requests, a six-figure statutory damages calculation, and a settlement offer at a fraction of that number. The implied message is that the company has been caught doing something clearly illegal and should pay to make the problem go away. The legal reality is more complicated.

What the statute actually says. CIPA’s pen register provisions, codified at California Penal Code sections 638.50 through 638.52, were designed in 1967 to address law enforcement surveillance of telephone communications. A pen register under section 638.50(b) is a device or process that records addressing or signaling information transmitted in connection with an electronic communication, but not the contents of that communication. Section 638.51(a) prohibits installing or using such a device without a court order, and section 637.2 provides a private right of action with statutory damages of $5,000 per violation, no proof of actual harm required. Claimants argue that third-party analytics tools, advertising pixels, and session recorders qualify as pen registers because they capture IP addresses and device identifiers, which constitute addressing or signaling information. Some courts have allowed claims on this theory to survive motions to dismiss, most notably in Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023). Surviving a pleading challenge is not a finding of liability, and claims that have proceeded have done so on specific, reproducible technical allegations, not on the bare presence of a third-party domain in a network log.

Consent is the central question. CIPA section 638.51 prohibits pen register use without a court order, and courts have recognized that valid user consent defeats liability. See Javier v. Assurance IQ, LLC, 2022 WL 1744107 (9th Cir. 2022). The Ninth Circuit in Javier held that CIPA requires prior consent, meaning retroactive consent does not help. Claimants argue that if any tracking fires before the user interacts with a cookie banner, no prior consent was ever obtained. The court in McClung v. AddShoppers, Inc. supported this view, noting that trackers syncing with a user’s device at page load have collected data before the user sees any consent interface.

That argument, however, does not apply equally to every request that appears in a network log. The website’s own content delivery network must load to render the page at all. The consent management platform must load before the banner can appear. Embedded video players load to serve functional content. None of these are tracking tools in any legally meaningful sense, and treating them as pen registers misrepresents what they do. The question that actually matters is whether the analytics and advertising tools identified in the complaint were technically prevented from executing until the user made an affirmative choice, and whether the claimant’s evidence supports that conclusion with specificity.

What to do when the letter arrives. There is no statutory deadline to respond to a CIPA demand letter. Ignoring it is nonetheless a poor strategy, because claimants who receive no response may proceed to file in court or initiate arbitration. A substantive response challenging the claims on legal and technical grounds signals that the company has counsel, is prepared to defend, and will not settle based on the threat alone. In our experience, this materially changes the trajectory of the matter. Before responding, counsel should review the website’s tracker inventory as it existed at the time of the alleged visit, confirm whether the consent management platform was configured to actually block non-essential scripts prior to user interaction rather than merely display a banner, and verify whether analytics tools were implemented in consent mode.
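One way to run the pre-consent check described above against a browser HAR capture of a test visit. This is an added example, not part of the original article; the domains, the inventory and the consent timestamp are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit

GATED = {"analytics", "advertising"}  # purposes that must wait for consent

# Constructed inventory (host suffix -> purpose); a real review uses the site's
# own tracker inventory as it stood on the date of the alleged visit.
INVENTORY = {"cmp.example": "consent-platform", "video.example": "functional",
             "analytics.example": "analytics", "ads.example": "advertising"}

def _ts(value):
    # HAR timestamps are ISO 8601; older Pythons reject a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def classify(host, site_domain, inventory):
    if _under(host, site_domain):
        return "first-party"
    for suffix, purpose in inventory.items():
        if _under(host, suffix):
            return purpose
    return "unclassified"

def audit(har, consent_at, site_domain, inventory=INVENTORY):
    """Return (gated requests sent before consent, hosts needing review)."""
    consent = _ts(consent_at) if consent_at else None  # None: no choice made
    findings, unknown = [], set()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        purpose = classify(host, site_domain, inventory)
        early = consent is None or _ts(entry["startedDateTime"]) < consent
        if purpose == "unclassified":
            unknown.add(host)  # cannot be defended or conceded until classified
        elif purpose in GATED and early:
            findings.append((host, purpose, entry["startedDateTime"]))
    return findings, sorted(unknown)

def _req(sec, url):
    return {"startedDateTime": f"2025-01-01T10:00:{sec}Z", "request": {"url": url}}

# Constructed capture: page load at :00, user accepts the banner at :05.
SAMPLE_HAR = {"log": {"entries": [
    _req("00.000", "https://shop.example/"),
    _req("00.050", "https://cdn.shop.example/app.js"),
    _req("00.100", "https://cmp.example/banner.js"),
    _req("00.200", "https://fonts.unknown.example/a.woff"),
    _req("00.400", "https://analytics.example/collect?v=1"),
    _req("00.500", "https://video.example/embed/1"),
    _req("06.000", "https://ads.example/pixel.gif")]}}
CONSENT_AT = "2025-01-01T10:00:05.000Z"
```

Passing `None` as the consent time models a visit in which the user never made a choice, so every analytics or advertising request in the capture is reported.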

The broader picture. These claims reflect a systematic enforcement model built around a statutory damages provision that requires no proof of harm. Companies that have invested in a technically sound consent architecture and can document it are in a meaningfully stronger position than those that display a banner while trackers run freely in the background. The decision to respond, defend, or resolve a CIPA demand should be made on an honest assessment of the actual technical facts, not on the anxiety the letter is designed to provoke.

If your business has received a CIPA demand letter or any similar privacy claim involving website tracking technologies, contact Abhilipsa Panda at abhilipsa@inventuslaw.com.

Abhilipsa Panda is Of Counsel at Inventus Law PC, where she heads the Commercial Law Practice Group. Her practice focuses on data privacy, AI governance, and commercial transactions for technology companies and startups. She holds the CIPP/US, CIPP/E, CIPT, and AI Governance Professional certifications and is licensed to practice law in California.

This article is for informational purposes only and does not constitute legal advice. Reading this article does not create an attorney-client relationship.
