Building windows

Vivek Shah CIPA Demand Letters Against Business Websites: How to Respond

Litigation

Vivek Shah, a serial pro se litigant, has been sending pre-litigation demand letters and filing lawsuits against businesses across the country alleging violations of California’s Invasion of Privacy Act (CIPA), Cal. Penal Code § 631(a). These demands focus on website search bars or forms that allegedly transmit user-entered content (such as a name typed into a search field) to third-party analytics or advertising services like Google, Hubspot, Facebook/Meta, and others—without the user’s prior consent.

Vivek Shah claims this practice constitutes an intentional interception of a communication in transit, with the website owner aiding, agreeing with, employing, or conspiring with the third parties in the alleged wiretapping. He typically performs a test, running browser DevTools to capture network requests, and attaches screenshots showing the search term being sent to multiple external domains. Statutory damages of $5,000 per violation are demanded (with each third-party recipient potentially counting as a separate violation), along with declaratory and injunctive relief. The demands might reference an arbitration clause in the website’s Terms of Service and cite cases like Javier v. Assurance IQ, LLC (9th Cir. 2022) to argue that retroactive consent via a privacy policy or cookie banner is ineffective.

A representative example of one of Shah’s demand letters (titled “Explanation of Dispute”) is provided below. In it, Shah states he visited the site, typed “VIVEK” into the search bar with DevTools open, and observed the search terms being transmitted in real time to Google, Hubspot, Facebook, and others. He emphasizes there was no cookie banner, no notice, and no opportunity to consent before typing. The letter asserts that the website owner “aided and conspired” by installing the search functionality and failing to disclose or block the transmissions. Screenshots of the site and network tab are attached as evidence. The demand seeks informal resolution but warns of potential litigation if unresolved.

Picture1-251x300

These demands are not yet routinely resulting in filed lawsuits in every case, but the volume of letters is increasing, and some actions have been filed in state and federal courts. Shah’s approach mirrors the surge in CIPA “wiretapping” claims targeting common website tools like pixels, analytics scripts, chat widgets, and search functionality. 

CIPA Law Basics: 

California’s Invasion of Privacy Act (CIPA), enacted in 1967, was originally designed to protect against telephone wiretapping and eavesdropping. Section 631(a) prohibits the intentional interception of communications “in transit” without the consent of all parties.

California Penal Code § 637.2 allows a private right of action for statutory damages of $5,000 per violation (or three times actual damages, whichever is greater), plus injunctive relief. Because the statute was amended in 2017 to emphasize “per violation” damages, each third-party recipient can potentially trigger separate statutory awards.

As of early 2026, the application of CIPA to modern websites remains unsettled and contested. While some federal courts have narrowed liability — holding that data must actually be “read” while still “in transit” (see, e.g., Torres v. Prudential Financial and Doe v. Eating Recovery Center) — other cases have survived early dismissal. A 2025 legislative effort to modernize the statute and provide clearer exemptions for routine commercial tracking (SB 690) failed to pass. The result is continued uncertainty and significant financial exposure for businesses using common analytics and advertising tools. 

What California businesses should do if they receive a CIPA demand letter:

  1. Do not ignore it. These letters are designed to prompt quick responses. Ignoring them can lead to a lawsuit being filed in California state court (or removed to federal court), where CIPA carries significant statutory damages and attorney-fee exposure.
  1. Preserve evidence immediately. Take screenshots and save evidence of your website’s current configuration, note all third-party scripts (Google Analytics, Meta Pixel, Hubspot, etc.), and document any consent mechanisms (cookie banners, privacy policies, or terms of service). Do not alter the site in a way that could be viewed as spoliation without preserving evidence.
  1. Assess potential liability with experienced counsel.

Key issues include:

  • Whether the communications were “in transit” under § 631(a).
  • The applicability of the “party exception” or consent defenses.
  • Whether installing standard analytics scripts constitutes “aiding and conspiring.”
  • Retroactive consent arguments (courts have been skeptical in some cases).
  • Standing and other procedural defenses if a lawsuit is filed.
  1. Consider proactive compliance steps.

Many businesses are now implementing explicit, upfront consent flows for any data transmission to third parties (e.g., granular cookie consent managers that block non-essential scripts until consent is given). Updating privacy policies and terms alone may not be sufficient if consent is not obtained before the communication occurs. A website audit focused on CIPA risks can help identify and mitigate exposure.

  1. Evaluate settlement or defense strategy. If the claim has merit, early resolution can often be achieved on favorable terms with a full release and no admission of liability. If the claim lacks merit, a strong defense (or motion to dismiss if sued) may be appropriate. Experienced privacy or CIPA defense counsel can quickly evaluate the specific facts of your site.

If you or your business has received a CIPA demand letter from Vivek Shah (or any similar privacy claim involving website tracking technologies), contact Stuart Tubis at skt@jeffer.com or 415-984-9622.