California Privacy Demand Letters Are Hitting Regular Business Websites
If you own a business website and recently received a scary-looking privacy demand letter, you are not alone.
Over the past several months, businesses across the country have started receiving demand letters related to website tracking, Google Analytics, pixels, cookies, and other very normal tools that have been used on websites for years.
And yes, we mean regular business websites. Engineering firms. Contractors. Local service companies. Professional offices. Not giant tech companies. Not shady lead farms. Plain old WordPress sites with Google Analytics installed because everyone has had Google Analytics installed since approximately the invention of the wheel.
Welcome to the latest internet headache. It’s a fun one.
TL;DR
Businesses are receiving California privacy demand letters related to common website tools like Google Analytics, Google Tag Manager, pixels, chat widgets, and other third-party scripts.
The issue is not usually that the website is doing anything wild or intentionally shady. The issue is that some tracking tools may load automatically before a visitor gives consent.
If you received a CIPA demand letter from Vivek Shah or another privacy claimant, do not ignore it, but do not panic either. Save the letter, avoid admitting liability, talk to an attorney if needed, and audit your website to see what scripts are loading before consent.
At Edge Marketing + Design, we have built and are rolling out a custom consent solution that helps prevent analytics from firing before a visitor accepts it, while keeping the website experience as clean and usable as possible.
What Is This About?
A growing number of demand letters are citing the California Invasion of Privacy Act, often called CIPA.
CIPA is not new. It was originally written decades ago to deal with things like wiretapping and telephone privacy. The modern twist is that some plaintiffs are now arguing that common website tracking tools may violate that law when they load before a visitor gives consent.
The tools being questioned can include things like:
- Google Analytics
- Google Tag Manager
- Meta Pixel
- LinkedIn Insight Tag
- Hotjar
- Microsoft Clarity
- HubSpot tracking
- Chat widgets
- Session replay tools
- Embedded third-party scripts
- Some form tracking tools
The argument is usually that the website transmitted visitor information to a third party before the visitor had a chance to agree.
That does not mean every claim is valid. It does not mean every business did something intentionally wrong. It does mean this has become a very real nuisance for website owners.
Why Are Regular Business Websites Getting These Letters?
Because most websites use third-party tools.
For years, a normal website setup looked something like this:
- Build website.
- Install Google Analytics.
- Maybe add a Facebook pixel.
- Maybe add a form plugin, map, chat widget, video embed, or CRM script.
- Go on with your life like a reasonable person.
The problem is that many of these scripts load automatically as soon as someone lands on the website. They may collect technical information like page URL, browser type, device details, IP-related data, cookies, or other identifiers.
That used to feel like boring website plumbing.
Now, in some legal claims, that same plumbing is being framed as unauthorized tracking or interception.
The internet, as always, took something useful and somehow turned it into a paperwork fire.
Is This Only a California Problem?
Sort of. But also no. Helpful, right?
Many of these letters cite California law, and the person making the claim may say they visited the website from California. That matters.
But businesses outside California have also received letters. Even if your company is not located in California, someone may still claim that your website was accessible from California or directed activity toward California residents.
Whether that argument actually works depends on the facts. Where your business is located, who you serve, whether you sell or market to California customers, and what your website actually does can all matter.
This is one of the reasons businesses should not ignore these letters, but also should not panic and start admitting things.
What Are Businesses Choosing To Do About It?
Most businesses are looking at a few options.
Option 1: Ignore It
We do not recommend this.
Some letters may be opportunistic. Some may be mass-produced. Some may never turn into anything. But ignoring a legal demand letter is usually not the strongest move.
At minimum, save the letter, document what was received, and consider having an attorney review it.
Option 2: Remove Analytics Entirely
For some small business websites, this may actually be reasonable.
A lot of companies have Google Analytics installed and never look at it. If the data is not being used, removing unnecessary tracking can reduce risk and simplify the site.
Honestly, many brochure websites do not need a giant analytics setup just to know that twelve people looked at the About page.
Option 3: Switch to Privacy-Friendly Analytics
Some businesses are choosing analytics tools designed to be lighter and less invasive. Depending on the tool and setup, this may reduce the need for cookie consent or third-party tracking.
This can be a good option for smaller sites that only need basic traffic information.
Option 4: Add Consent Before Tracking Loads
This is the path many businesses are taking.
The basic idea is simple:
- The website still loads normally.
- Essential site functions still work.
- Non-essential tracking tools, like analytics or marketing pixels, do not load until the visitor accepts them.
- If the visitor rejects or ignores the notice, those tools stay off.
That last part is important. A cookie banner is not magic. If Google Analytics is still firing before the visitor clicks “Accept,” the banner is mostly decorative.
And decorative compliance is not really the goal here.
What We Have Chosen To Do
At Edge Marketing + Design, we have been actively working on a practical solution for our clients.
We did not want a giant ugly popup that blocks the entire website and makes visitors feel like they need to pass through airport security to read a homepage.
We also did not want to slap a banner on the site while the tracking scripts kept firing in the background. That helps no one, except maybe the person who enjoys sending demand letters.
So we built and are rolling out a custom consent setup that can be implemented across client websites.
Our approach is designed to:
- Prevent analytics from loading before consent
- Keep the website usable
- Allow visitors to accept or reject analytics
- Avoid unnecessary visual clutter
- Work across many of the sites we manage
- Make future updates easier
- Give clients a practical response to a very annoying problem
In plain English: if a visitor has not agreed to analytics, analytics should not fire.
That sounds simple. On the modern internet, naturally, it is not.
Why This Matters Even If You Have a “Simple” Website
A lot of business owners assume this only applies to large companies, ecommerce stores, healthcare sites, or businesses collecting sensitive information.
But many of the sites receiving these letters are not complicated.
A simple WordPress website may still have:
- Google Analytics
- Google Tag Manager
- reCAPTCHA
- Embedded Google Maps
- YouTube videos
- Social media pixels
- CRM forms
- Call tracking
- Chat tools
- Plugins that add scripts without making it obvious
You may not think of those as “tracking tools,” but legally and technically, they may matter.
That is why the first step is not panic. The first step is an audit.
What Website Owners Should Do Now
1. Find Out What Is Loading
You need to know what third-party scripts are on your site.
That includes analytics, pixels, tag managers, chat tools, form tools, heatmaps, session recording, advertising scripts, and embedded widgets.
2. Remove What You Do Not Need
If you are not using a tracking tool, remove it.
Old code has a way of living forever inside websites. Sometimes the scariest script on a site is something no one has looked at since 2018.
3. Make Analytics Consent-Based
If you want to keep analytics, load it only after consent.
This is the part that actually matters. A banner alone is not enough if the script fires before the visitor makes a choice.
4. Update Your Privacy Policy
Your privacy policy should accurately explain what tools you use and why.
Do not copy some 4,000-word monster from the internet and call it a day. Make sure it reflects what is actually happening on your website.
5. Save Evidence of Changes
If your business received a letter, document what you changed and when.
Save screenshots, plugin settings, analytics settings, and testing results. This is boring. Boring is useful.
6. Talk to an Attorney If You Receive a Demand Letter
We can help with the website side. We cannot provide legal advice.
If you receive a demand letter, especially one threatening litigation, have a qualified attorney review it before responding.
Do All Websites Need Cookie Banners Now?
Not necessarily.
But all websites should know what they are loading.
There is a big difference between:
- A site with no third-party tracking
- A site with privacy-friendly analytics
- A site with Google Analytics behind consent
- A site with five marketing pixels firing before the page even finishes loading
The goal is not to make the internet uglier. We have all suffered enough.
The goal is to make tracking intentional, limited, and consent-based where appropriate.
Website Privacy Demand Letter FAQ
A CIPA demand letter is a legal demand letter that references the California Invasion of Privacy Act. Recently, some of these letters have focused on business websites that use tools like Google Analytics, tracking pixels, chat widgets, or other third-party scripts.
The claim is usually that the website sent visitor information to a third party before the visitor gave consent.
Do not ignore it, but do not panic.
Start by saving the letter and any envelope or email it came with. Do not respond with an admission, explanation, or apology. If possible, have an attorney review it.
On the website side, audit your site to see what third-party tools are loading, especially analytics, pixels, tag managers, chat tools, and form tracking scripts. If those tools are loading before consent, you may want to update your setup.
Not necessarily.
Many of these claims reference California law, and the person making the claim may say they visited the website from California. Businesses outside California have also received letters.
Whether California law applies to a specific business depends on the facts, including where the business is located, who it serves, whether it targets California customers, and how the website works.
No. Having Google Analytics does not automatically mean your website is illegal.
The concern is usually about whether Google Analytics or similar tools load before the visitor has given consent, and what information is being sent when those tools fire.
Many businesses are choosing to keep analytics, but only load it after the visitor accepts analytics cookies or tracking.
Not by itself.
A cookie banner only helps if it actually controls the scripts on the website. If Google Analytics, Google Tag Manager, Meta Pixel, or other tracking tools load before the visitor clicks “Accept,” then the banner is mostly cosmetic.
The important question is: are non-essential tracking tools blocked until consent?
It might, and that can be normal.
If analytics only loads after a visitor accepts tracking, then visitors who reject the notice or never make a choice may not appear in Google Analytics or similar reporting tools. That means your reported traffic can look lower even if your actual website visits have not dropped.
After switching to consent-based analytics, compare reports carefully and make a note of the date the change went live. It can also help to look at other signals, like Search Console data, form submissions, calls, sales, and server-level traffic patterns.
Common tools to review include:
- Google Analytics
- Google Tag Manager
- Meta Pixel
- LinkedIn Insight Tag
- Microsoft Clarity
- Hotjar
- HubSpot tracking
- Chat widgets
- Session replay tools
- Call tracking scripts
- Embedded forms
- reCAPTCHA
- Marketing automation scripts
- Old plugins that may inject tracking code
Even a simple WordPress site can have several of these installed without the business owner realizing it.
Then it may be worth removing analytics entirely.
A lot of small business websites have Google Analytics installed because it has always been part of the standard website setup. If no one is using the data, removing unnecessary tracking can reduce clutter, improve privacy, and simplify compliance.
Yes. Some businesses are switching to lighter analytics tools that collect less information and avoid cookies or personal identifiers.
That may be a good fit for brochure websites, local service businesses, and companies that only need basic traffic information.
It does not have to.
There are plenty of terrible cookie popups out there, and we are not fans of turning every website visit into a legal obstacle course. Our goal is to keep the consent experience clear, minimal, and as unobtrusive as possible while still preventing analytics from loading before consent.
We built and are rolling out a custom consent solution that can be implemented across client websites.
Our setup is designed to prevent analytics from loading before consent, keep the website usable, allow visitors to accept or reject analytics, and make future updates easier across the sites we manage.
We can help with the website side: auditing what scripts are loading, cleaning up unnecessary tracking, and implementing a consent-based analytics setup.
We cannot provide legal advice or respond to a legal demand letter for you. If you receive one, especially one threatening litigation, it is smart to have an attorney review it.
We Can Help
If you are worried about your website, we can audit it for third-party tracking tools and help implement a consent-based analytics setup.
We can check whether Google Analytics, Google Tag Manager, Meta Pixel, chat widgets, or other scripts are loading before consent. We can also help clean up old tracking code, simplify your analytics setup, and put a more thoughtful consent process in place.
This is exactly the kind of thing most business owners should not have to figure out on their own.
You have a company to run. You should not need to become an amateur privacy-law detective because your website has a contact form and Google Analytics.
Unfortunately, here we are.
The good news: this is fixable.
Worried about your website tracking setup? Contact us for a website privacy and analytics audit.