This article is adapted from The Privacy Filter podcast series, a Barnes & Thornburg briefing on data security and privacy. To subscribe to The Privacy Filter, click here.
The general counsel's phone rings on a Friday afternoon. Or the email arrives Saturday morning. Either way, the message is the same: “We have an arbitration demand. We have a lawsuit. Something about website tracking.”
If you haven't received one of these yet, there's a reasonable chance you will.
You might assume something went wrong: a breach, a rogue vendor, someone who didn't follow the rules. But that's usually not the story. In most cases, your marketing team did exactly what marketing teams do, using exactly the tools everyone uses, and a plaintiffs' firm noticed.
The California's Invasion of Privacy Act (CIPA) litigation wave is different from most privacy enforcement. The companies getting hit aren't bad actors. They're ordinary businesses with ordinary websites, and the gap between what they've done and what they're being accused of can feel bewildering. Understanding it requires starting not with the law, but with the tools.
The Digital Marketing Tools Everyone Uses
Spend ten minutes with any digital marketer, and you'll probably hear the same vocabulary: analytics, cookies, pixels, tags. These are the instruments of a modern website. They're not exotic or experimental, just standard infrastructure for understanding who visits, how your audience interacts with your online presence, and whether your marketing campaigns are working.
Cookies store small files in a user's browser — session data, preferences, identifiers that allow a site to remember you or serve you relevant advertising.
Pixels are code snippets that transmit data back to a third party when a user takes an action. The Meta Pixel is the most recognizable, but LinkedIn, Google, and dozens of other platforms have their own. They're how companies know whether an ad led to a purchase.
Tag managers like Google Tag Manager act as a central switchboard for deploying and managing multiple scripts across a site. Useful precisely because they make it easy to add new tools without touching the underlying code — which also means the full inventory of what's running can quietly grow beyond what anyone remembers approving.
Session replay tools record how users interact with a website — every click, scroll, and form entry — so product and UX teams can watch sessions back and understand where people get stuck or drop off.
Chat and chatbot tools handle real-time user interactions, often routing that data to a third-party platform in the process.
None of this is hidden or unusual. Walk into most marketing review and this is the stack being discussed. The question these tools raise isn't whether they work — it's what happens to the data they generate, and who receives it.
CIPA: When Modern Technology and Wiretapping Laws Collide
Here's where the situation can become counterintuitive. These lawsuits aren't being brought under modern privacy statutes designed for the internet. They're being brought under CIPA, a wiretapping law from the 1960s, when wiretapping meant someone physically splicing into a telephone line. The Federal Electronic Communications Privacy Act (ECPA) follows the same vintage logic.
Some plaintiffs' attorneys have spent years arguing, with increasing success in certain courts, that standard website tracking tools are the functional equivalent of wiretaps. The theory: a third-party vendor embedded on your website is "intercepting" a user's communication without consent. A second theory frames pixels and analytics scripts as "pen registers" — devices historically used to capture dialed phone numbers — because they collect routing and identifying information.
Both theories would have seemed like a stretch not long ago. Courts are still split. But after the Ninth Circuit's 2022 decision allowed these claims to proceed, the litigation expanded rapidly beyond its original focus on session replay tools. Today, essentially the full stack — pixels, analytics, SDKs, chat tools, cookies — is in scope.
The reason the damages exposure is so significant comes down to the statute's structure. Under CIPA, plaintiffs can seek $5,000 per violation, or three times actual damages, whichever is greater. In a class or mass arbitration setting, "per violation" compounds quickly. Plaintiffs' firms have built practices around this math, filing high volumes of demands knowing that individual settlements in the $10,000–$25,000 range are cheaper for defendants than litigation.
And the geography matters in ways companies often underestimate. CIPA doesn't require your company to be in California — it requires a California resident to have visited your website. ECPA has no geographic limit at all. A publicly accessible website means national exposure.
The Gap That Creates Liability
The litigation isn't really about whether these tools exist on a site. It's about a specific failure of alignment: the gap between what a company's privacy disclosures say and what the technology actually does.
Most privacy policies contain some version of "we use cookies and analytics to improve your experience." That's accurate as far as it goes. What it often doesn't capture is the specific third parties receiving data, what they receive, and — critically — when collection begins relative to user consent.
Plaintiffs' firms run technical audits before filing. They capture what's called a HAR file — a record of every script and network request that executes when someone loads and navigates a website. From that file, they can see exactly what fires, in what sequence, and whether any of it fires before a user has interacted with a consent mechanism. If pixels are transmitting to third parties before a consent banner has been acknowledged, or if declining cookies doesn't actually stop collection, the claim writes itself.
This is why consent mechanisms that marketing teams regard as friction are, legally, load-bearing. A cookie banner that doesn't functionally suppress third-party tracking isn't a defense — it's evidence that the disclosed practice and the actual practice diverge.
When the Demand Letter Arrives
The first instinct when one of these demands lands is often to assess whether to fight or settle. That's the wrong first question.
The right first question is whether the claim is actually supported by the facts. Plaintiffs' firms filing at volume don't always do thorough site-specific diligence. Screenshots get recycled. HAR files sometimes reflect a different version of the site, or a different company's site entirely. Demanding the HAR file and examining it carefully — understanding what was actually firing, when, on whose visit — has allowed clients to exit claims that shouldn't have been brought.
When the facts do hold up, the conversation shifts to two separate questions: resolving the current demand, and closing the underlying gap. Those need to be treated as distinct. Settling a claim doesn't prevent a different plaintiffs' firm from filing the same claim six months later based on the same technical reality. The settlement amount is a cost of the past; the remediation is an investment in not repeating it.
What Compliance Actually Looks Like
The operational reality of getting the website into alignment with its disclosures – and keeping it there as the stack evolves – requires a collaborative, durable approach.
Audit the tech stack, not the privacy policy. Privacy policies are written documents; websites are living systems. Tools get added, vendors get swapped, tag managers accumulate scripts. The question isn't what the policy says you use — it's what is actually running on the site today, firing in what sequence, transmitting to whom.
Run the same analysis plaintiffs' firms run. A HAR file audit surfaces what's actually happening before anyone else sees it. Map those findings against the privacy notice. The gaps are the risk.
Verify that consent mechanisms actually work. Consent infrastructure that doesn't functionally control what fires isn't neutral — it creates affirmative exposure. Test it. If declining cookies doesn't suppress third-party pixels, that's the first thing to fix.
Keep disclosures current. The combination of an accurate, updated privacy notice and a functioning consent mechanism is the closest thing to a durable defense this litigation environment offers.
The litigation wave in this space is broadening — more firms entering, more states with applicable statutes, no obvious slowdown. The companies most exposed are the ones where legal, marketing, and IT have never sat down together to walk through what the website actually does.
That conversation is worth having before the Friday phone call makes it urgent.
Watch the Full Episode
Watch the full episode for more insights and perspectives.
To subscribe to The Privacy Filter, click here.

/Passle/69f24146ca47f6fdcca7c8f2/SearchServiceImages/2026-05-18-17-23-55-189-6a0b4b2b863592e8ad8ca9ec.jpg)
/Passle/67337b9db95e96d83645bccf/SearchServiceImages/2026-04-30-17-16-38-542-69f38e76ce219d66900779cc.jpg)
/Passle/673b7187983090b59d166389/SearchServiceImages/2026-03-06-21-16-02-430-69ab4412fd648d554d7075e6.jpg)
/Passle/673b7187983090b59d166389/MediaLibrary/Images/2026-03-05-18-22-56-426-69a9ca00ed43be71de59e29d.jpg)