CIPA Pixel Lawsuits: Why Your Tracking Is a Target
Over the past year, a wave of demand letters and lawsuits has hit California businesses over something almost every website does: running standard analytics and advertising tags. If your site loads Google Analytics, the Meta Pixel, a TikTok pixel, Google Ads tags, or anything similar, you are a potential target, and these letters are going out at industrial scale. We have watched a string of them land on clients' desks in recent months, so here is the plain-English version: what is going on, why it is different from the privacy rules you already follow, and what you can actually do about it.
One thing up front: LimeLight is a marketing agency, not a law firm, and nothing here is legal advice. This is a technical and practical explainer from people who implement tracking for a living. For your specific situation, talk to a qualified privacy attorney.
What is actually happening
A small group of plaintiffs' firms is mailing large volumes of demand letters to companies whose websites load third-party trackers. Names that come up repeatedly in legal coverage include Tauler Smith, Swigart Law Group, and Pacific Trial Attorneys. The letters target ordinary, widely used tools: Google Analytics, the Meta Pixel, TikTok and Google Ads tags, session-replay scripts, and the like.
The tell is that the letter almost never mentions your privacy policy or your cookie banner. That is because no one read your site. A scanner flagged outbound requests to known trackers and a template did the rest. The demands are usually calibrated to settle for less than it would cost you to defend, which is what makes the model work at volume. By mid-2025, legal-industry sources were already counting these filings in the four figures, and the pace has not let up.
Why standard analytics tags are the target
The legal theory is the surprising part. These claims lean on the California Invasion of Privacy Act (CIPA), a 1967 anti-wiretapping law, and specifically its "pen register and trap and trace" provision, California Penal Code section 638.51. The argument: a tracking pixel captures "dialing, routing, addressing, and signaling" information (your IP address, the page URL, the referring page, and device and session identifiers) and therefore acts like an unlawful pen register installed without a court order or consent. A statute written for phone taps gets pointed at a marketing tag.
The money comes from CIPA's civil-remedy section, Penal Code section 637.2, which lets a private plaintiff recover the greater of $5,000 per violation or three times actual damages, with no requirement to prove any real harm. That per-violation math is the engine of the whole thing. The claims are often stacked with the federal Wiretap Act (ECPA, 18 U.S.C. section 2511, with statutory damages under section 2520 of the greater of $100 per day or $10,000) and California's computer-fraud statute, CDAFA (Penal Code section 502), which is included largely because it can award attorneys' fees.
Courts are split, and that matters. California state courts have generally read the statute narrowly and turned these claims away, while several California federal district courts have let them survive a motion to dismiss. In Camplisson v. Adidas America (Southern District of California, November 2025), a federal court declined to dismiss a claim that the TikTok and Bing pixels were unlawful pen registers, in part because the only notice to visitors was a link buried in the page footer. That is a pleading-stage ruling letting the case proceed, not a final finding that Adidas broke the law, but it is exactly the kind of decision that keeps the letters coming.
Why this is not the CCPA problem you already solved
If you have done website privacy work before, you almost certainly built it around the CCPA: a privacy policy, a "Do Not Sell or Share" link, an opt-out for California visitors. It is reasonable to assume that covers you. It does not, because these claims are not CCPA claims.
The CCPA has no general private right of action. A consumer can sue privately under the CCPA only for a narrow category of data breaches; every other CCPA obligation is enforced by the California Attorney General and the California Privacy Protection Agency, not by private plaintiffs. A demand-letter business cannot run on a statute it has no standing to sue under. CIPA is the opposite: a private right of action, a fixed per-violation dollar figure, and a growing line of cases that do not require proof of harm. That is why the letters cite wiretapping and CIPA, not the privacy law you already addressed.
How a fully compliant site is still exposed
This is the part that trips people up. CCPA compliance answers one question: did you disclose your tracking and offer an opt-out? The CIPA pen-register theory asks a different one: did you intercept the visitor's communication without prior consent? A site can pass the first test and still fail the second.
The exposure is timing. If your analytics and advertising tags fire the moment the page loads, before the visitor has agreed to anything, the data has already left their browser. Privacy practitioners have started calling it the "millisecond problem". An opt-out model, where tags run by default until someone turns them off, is precisely the pattern these claims target, because the interception has already happened by the time the opt-out is even on screen. A fully CCPA-compliant site and a CIPA-exposed site can be the same site.
How to remediate
The fix is a real consent gate, not a cosmetic banner. The goal is simple to state and easy to get wrong: non-essential third-party tags should not fire until the visitor affirmatively opts in. In practice that means:
- Use a consent platform that actually blocks the scripts. Many banners only record a choice while the tags fire anyway. The consent management platform has to hold the tags until the visitor consents, not just log the click after the fact.
- Move from opt-out to prior, opt-in consent for California visitors. The default state should be no non-essential tracking. Tags turn on when the visitor says yes, not off when they say no.
- Wire Google Consent Mode v2, but do not stop there. Consent Mode helps, but its "basic" setting still sends some pings, so pair it with the "advanced" setting and a consent platform that genuinely gates the tags. Consent Mode is part of the answer, not the whole answer.
- Consider server-side tagging, configured to honor consent. Server-side tagging gives you cleaner, more durable measurement, but it does not respect consent automatically; you have to build that logic in. It pairs well with a serious first-party data strategy.
- Test what actually fires, before and after opt-out. Load the site as a California visitor, watch the network tab, click reject, and confirm the tags really stop. The gap between what a banner claims and what the browser does is exactly what the scanners look for.
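To make the list above concrete, here is an added example of the two pieces it describes: an opt-in gate that holds third-party tag loaders until the visitor grants the matching category, and an audit helper for the "watch the network tab" step that takes a captured request list and reports which tracker calls fired before consent. This is illustration code written for this post, not LimeLight's tooling and not any consent platform's code; the tag names, script URLs, tracker host list and the captured request list are constructed, and the gate's API is hypothetical. The Consent Mode keys (ad_storage, ad_user_data, ad_personalization, analytics_storage, wait_for_update) are Google's real gtag consent keys.

```javascript
// Added example: an opt-in tag gate plus a pre-consent request audit.
// Tag names, URLs, hosts and the sample capture are constructed.

// Hosts the audit treats as trackers (constructed shortlist; extend as needed).
const TRACKER_HOSTS = [
  'www.google-analytics.com',
  'googletagmanager.com',
  'connect.facebook.net',
  'analytics.tiktok.com',
  'doubleclick.net',
];

// Consent Mode v2 payloads (real gtag consent keys). The default denies every
// storage type before any tag evaluates consent; the update goes out only after
// an opt-in. In a page these are passed to gtag('consent', 'default'|'update', ...).
function consentModeDefault() {
  return {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: 500, // ms to wait for the banner before tags read consent
  };
}

function consentModeUpdate(grantedCategories) {
  const state = (cat) => (grantedCategories.has(cat) ? 'granted' : 'denied');
  return {
    ad_storage: state('advertising'),
    ad_user_data: state('advertising'),
    ad_personalization: state('advertising'),
    analytics_storage: state('analytics'),
  };
}

// Opt-in gate (hypothetical API). loadScript(src) is injected so the same logic
// runs in a browser (append a <script>) or in a test (push to an array).
// Nothing loads until grant() covers that tag's category: the default state is
// "not loaded", so deny() only has to discard what is being held.
function createConsentGate(loadScript) {
  const granted = new Set();
  const pending = []; // tags registered before consent, held here
  const fired = [];   // names of tags that actually loaded, in order

  function fire(tag) {
    loadScript(tag.src);
    fired.push(tag.name);
  }

  function registerTag(name, category, src) {
    const tag = { name, category, src };
    if (granted.has(category)) fire(tag);
    else pending.push(tag);
  }

  function grant(categories) {
    for (const c of categories) granted.add(c);
    // Release only tags whose category is now consented; keep the rest held.
    for (let i = 0; i < pending.length; ) {
      if (granted.has(pending[i].category)) fire(pending.splice(i, 1)[0]);
      else i += 1;
    }
  }

  function deny() {
    pending.length = 0; // visitor declined: drop held tags so nothing can fire them later
  }

  return {
    registerTag,
    grant,
    deny,
    fired: () => fired.slice(),
    pending: () => pending.map((t) => t.name),
    consentPayload: () => consentModeUpdate(granted),
  };
}

// Audit helper: given captured requests {url, tMs} and the millisecond offset at
// which consent was granted (null if the visitor never consented), return the
// tracker URLs that fired before consent. Anything returned is the exposure.
function flagPreConsentRequests(requests, consentAtMs) {
  const flagged = [];
  for (const r of requests) {
    let host;
    try { host = new URL(r.url).hostname; } catch (e) { continue; } // skip malformed entries
    const isTracker = TRACKER_HOSTS.some((h) => host === h || host.endsWith('.' + h));
    const beforeConsent = consentAtMs === null || r.tMs < consentAtMs;
    if (isTracker && beforeConsent) flagged.push(r.url);
  }
  return flagged;
}

// Constructed capture of one page load: GA4 and the Meta Pixel fired on load,
// the visitor clicked accept at 4200 ms, and the TikTok pixel fired afterwards.
const SAMPLE_CAPTURE = [
  { url: 'https://example-brand.test/', tMs: 0 },
  { url: 'https://example-brand.test/css/site.css', tMs: 150 },
  { url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE', tMs: 310 },
  { url: 'https://connect.facebook.net/en_US/fbevents.js', tMs: 420 },
  { url: 'https://analytics.tiktok.com/i18n/pixel/events.js', tMs: 4800 },
];

function demo() {
  console.log('tracker calls before consent:', flagPreConsentRequests(SAMPLE_CAPTURE, 4200));
  const loaded = [];
  const gate = createConsentGate((src) => loaded.push(src));
  gate.registerTag('ga4', 'analytics', 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE');
  gate.registerTag('meta', 'advertising', 'https://connect.facebook.net/en_US/fbevents.js');
  console.log('loaded before consent:', loaded.length, '| held:', gate.pending());
  gate.grant(['analytics']);
  console.log('loaded after analytics opt-in:', loaded, '| held:', gate.pending());
}
demo();
```

The audit half is the part worth keeping around: export a HAR from the browser's network tab, map each entry to `{url, tMs}` relative to the page's start time, and pass the timestamp of the accept click as `consentAtMs`. A non-empty result means the banner recorded a choice that the tags did not wait for, which is the "millisecond problem" the scanners are built to find.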
The tradeoff nobody warns you about
Here is the part the compliance write-ups skip. The first time you gate tags behind genuine opt-in consent, your analytics numbers drop, sometimes sharply, because a real share of visitors never click accept. In the consent work we have done, that drop is the moment a brand panics and assumes its traffic fell off a cliff. It did not. The traffic is the same; you are simply measuring less of it.
Plan for that gap instead of being surprised by it. Set a new measurement baseline the day consent goes live, lean on server-side tracking and first-party data to recover the signal you can recover, and do not mistake a reporting change for a business change. This is one more reason the brands that invest early in first-party data and clean measurement, the same groundwork we cover in our Google Analytics 4 primer, come out of a consent change in far better shape than the ones scrambling to react to a letter.
What to do now
The short version: if a letter shows up, do not ignore it, and do not answer it on your own; loop in counsel. Separately, and regardless of whether a letter has arrived yet, get your site's consent setup genuinely right, because the scanners are indiscriminate and the cheapest time to fix this is before you are named. A banner that looks compliant but lets tags fire on load is the worst of both worlds: it signals you knew, without protecting you.
If you want help auditing what fires on your site and building a consent setup that holds up, book a call. We will look at your tags, your banner, and what actually happens when a visitor says no. And once more, because it matters: this is practical guidance, not legal advice, so bring a qualified attorney in on the legal exposure.