Received a website tracking demand letter? Start here.
Pre-litigation letters about Google Analytics, advertising pixels, session replay, chat widgets, and similar tools are now common. This guide explains what the letter usually means, what to do in the first 48 hours, and how your company and defense counsel can verify whether the technical allegations match what your site actually did. This is not legal advice. Contact experienced privacy defense counsel before you respond or settle.
Counsel first
Notify defense counsel or your insurer before you change tags
Preserve evidence
GTM, CMP, and logs as they existed during the alleged period
Verify technically
HAR review and network scans before you settle on faith
Quick answer
A website tracking demand letter is a pre-litigation notice claiming that tools on your site (such as Google Analytics, Meta Pixel, session replay, or chat software) illegally intercepted or disclosed visitor data under statutes like California's CIPA or the federal Video Privacy Protection Act. The letter usually names a specific tool, cites statutory damages, and demands a response within 20 to 30 days. CCPA or cookie-banner compliance does not automatically protect you from wiretap or VPPA theories. Preserve your tag manager and consent configuration, notify defense counsel or your insurer immediately, and verify the technical claim with network-level evidence before deciding how to respond.
Letter basics
What a demand letter usually contains
Most letters follow a similar template because a small number of plaintiffs' firms generate them at scale with automated website scans.
Expect the letter to identify your company and website, name one or more tracking technologies (for example Google Analytics 4, Meta Pixel, Google Tag Manager, Hotjar, FullStory, Microsoft Clarity, LinkedIn Insight Tag, or TikTok Pixel), describe what data allegedly moved to a third party, cite a statute such as California Penal Code Section 631 (CIPA) or the Video Privacy Protection Act, project statutory damages (CIPA often references $5,000 per violation on paper), and set a deadline to respond or settle, commonly 20 to 30 days. Some letters include a HAR file or similar network capture as exhibit material. Treat the deadline as real, but do not assume every factual allegation is accurate. Many letters are built for volume, not precision.
Trend
Why these letters are surging
State and federal wiretapping statutes written for telephone-era privacy are being applied to routine marketing and analytics stacks.
Law firms and industry alerts report a sharp rise in class actions and pre-litigation demands targeting standard website technologies, including analytics, advertising pixels, session replay, and chatbots. Plaintiffs' counsel often argue that sharing visitor data with vendors such as Google or Meta constitutes unlawful interception or disclosure. Statutory damages can look enormous on paper even for moderate traffic sites, which creates pressure to settle quickly. Courts have reached mixed results on similar facts, so outcomes depend on jurisdiction, the specific tool, and what your site actually transmitted. A cookie consent program aligned with CCPA does not, by itself, answer a CIPA wiretap theory or a VPPA video-disclosure theory.
Named in letters
Tools plaintiffs cite most often
Letters usually name one vendor product. Use the topic guides below to understand how each tool behaves on the network and where consent gaps appear.
Google Analytics 4
Alleged transmission of page views, identifiers, or events to Google servers without proper consent.
Google Tag Manager
Container that may load analytics or advertising tags before consent is captured.
Meta Pixel
Advertising pixel sending behavioral or conversion data to Meta for retargeting and attribution.
TikTok Pixel
Event data sent to TikTok for ads; often cited alongside other social advertising pixels.
LinkedIn Insight Tag
B2B retargeting and conversion tracking; common in demand letters against corporate sites.
Hotjar
Session replay and heatmaps; frequently framed as intercepting keystrokes or form input.
FullStory
Session replay with deep DOM capture; CIPA theories often focus on real-time transmission to a vendor.
Microsoft Clarity
Free session replay and analytics; cited in wiretap-style claims similar to other replay tools.
LogRocket
Engineering-oriented replay that may capture API payloads and application state.
Intercom
Chat and messaging widgets; claims that conversation content is shared with a third party in real time.
Drift
Live chat and conversational marketing; interception theories similar to those raised against other chat platforms.
Statute map
Which law might your letter be invoking?
| Statute | When it applies | Tools often named |
|---|---|---|
| CIPA | California wiretap theories when session replay, chat, form capture, or similar tools allegedly transmit user input or communications to a third party without all-party consent. | Hotjar, FullStory, Clarity, LogRocket, Intercom, Drift, some analytics configurations |
| VPPA | Federal video privacy claims when embedded video pages also run advertising or analytics pixels that allegedly disclose viewing behavior. | Meta Pixel, Google Tag Manager, GA4 on pages with video players |
| HIPAA | Healthcare-covered entities or business associates when marketing pixels or analytics on patient-facing properties allegedly disclose PHI. | Meta Pixel, GA4, session replay on appointment or portal flows |
| MHMDA | Washington consumer health data rules when health-related pages collect or share data without affirmative consent. | Pixels and trackers on condition-specific or wellness content |
| CCPA/CPRA | Separate consumer privacy theories (sell/share, notice, opt-out). Important, but not a substitute defense to wiretap or VPPA claims. | Any third-party sharing of personal information; often overlaps factually with pixel cases |
First 48 hours
Immediate steps for your company
1. Notify defense counsel or your insurer
   Engage privacy litigation counsel or your cyber liability carrier's panel counsel immediately. How you respond is a legal strategy decision. Lokker supports counsel with technical evidence; we do not provide legal advice or plaintiff-side services.
2. Preserve evidence before you change anything
   Do not delete tags, rewrite your tag manager container, purge server logs, or swap your consent management platform until counsel confirms a preservation plan. The configuration as it existed during the period cited in the letter is often central to both sides.
3. Identify the named tool and time window
   Extract the exact product, pages, and dates alleged. Ask your web team whether that tool is still live, who installed it, and whether it fires on every page or only specific templates.
4. Verify the technical claim independently
   Run your own scan or HAR capture in accept, reject, and no-interaction states. Compare results to the letter's exhibit. Plaintiffs' scans are sometimes wrong or incomplete.
5. Assess scope across properties
   If you operate multiple domains or brands, determine whether the same tag appears portfolio-wide. One letter about a single URL may understate broader exposure.
Evidence preservation
Do not destroy or alter tag manager exports, CMP configuration history, consent logs, or hosting analytics until counsel directs otherwise. Spoliation risk attaches early in these matters.
Response paths
Demand letter, settlement talks, and litigation
The right path depends on facts, jurisdiction, and counsel's judgment. Technical clarity changes the negotiation either way.
Many matters begin as a demand letter and may resolve through negotiated settlement before a complaint is filed. Others proceed directly to federal or state court as class actions. Settling quickly is sometimes reasonable; paying without verifying the allegation is not. Counsel often wants to know whether the tool fired as described, whether any consent mechanism was in place, and whether damages theories are plausible on your traffic and configuration. Lokker helps answer those technical questions with network-layer documentation so you are not negotiating blind. We can also rescan after remediation to show that behavior changed. Lokker does not recommend settlement amounts or litigation tactics.
Technical verification
How to verify what your site was actually doing
The decisive question is often factual: did the transmission happen, when, and under what consent state?
Plaintiffs' firms frequently rely on HAR (HTTP Archive) files that record network requests during a browser session. Your team should be able to reproduce and interpret the same evidence. Check whether the named tag loaded on the cited pages, whether it sent data before any consent interaction, and whether reject or Global Privacy Control states stopped the request. Consent management platform dashboards alone are not enough: they show configuration intent, not guaranteed network behavior. Privacy Edge scans distill live requests into evidence-grade reports. Consent Validator tests accept, reject, and GPC paths automatically. Historical scan retention supports claims about past periods when configurations differed from today.
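The HAR check described above can be reproduced with a short script. This is an added example, not Lokker's tooling or code from this page: it counts requests to known vendor hosts before and after the moment the tester clicked the consent banner. The host map is an illustrative, incomplete assumption, the function names are hypothetical, and the sample capture is constructed.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Illustrative, incomplete map of vendor host suffixes to tool names (assumption).
TRACKER_SUFFIXES = {
    "google-analytics.com": "Google Analytics 4",
    "googletagmanager.com": "Google Tag Manager",
    "connect.facebook.net": "Meta Pixel",
    "clarity.ms": "Microsoft Clarity",
}

def _ts(value):
    # HAR startedDateTime is ISO 8601; normalise a trailing Z for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def tool_for(url):
    """Match on whole host labels so look-alike domains are not counted."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, tool in TRACKER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return tool
    return None

def tracker_hits(har, consent_click=None):
    """Return {tool: {"before": n, "after": n}} relative to the banner click.
    consent_click=None means the visitor never touched the banner."""
    click = _ts(consent_click) if consent_click else None
    hits = {}
    for entry in har["log"]["entries"]:
        tool = tool_for(entry["request"]["url"])
        if tool is None:
            continue
        started = _ts(entry["startedDateTime"])
        phase = "before" if click is None or started < click else "after"
        hits.setdefault(tool, {"before": 0, "after": 0})[phase] += 1
    return hits

def _har(*rows):
    # Build a minimal HAR structure from (timestamp, url) pairs.
    return {"log": {"entries": [{"startedDateTime": t, "request": {"method": "GET", "url": u}}
                                for t, u in rows]}}

# Constructed sample capture (not from any real site); "reject" clicked at 12:00:05Z.
REJECT_HAR = _har(
    ("2024-01-01T12:00:01.000Z", "https://www.example.com/"),
    ("2024-01-01T12:00:02.000Z", "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"),
    ("2024-01-01T12:00:03.000Z", "https://www.google-analytics.com/g/collect?v=2&en=page_view"),
    ("2024-01-01T12:00:09.000Z", "https://www.google-analytics.com/g/collect?v=2&en=scroll"),
)

if __name__ == "__main__":
    print(tracker_hits(REJECT_HAR, consent_click="2024-01-01T12:00:05.000Z"))
```

A nonzero "before" count means the tag sent data ahead of any consent interaction; a nonzero "after" count in a reject capture means the banner did not stop the request at the network layer.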
Portfolio scope
Is this only on one page or across your estate?
Demand letters usually cite one visit, but exposure may be wider.
Marketing teams add pixels for campaigns. Agencies install containers. Acquired brands bring legacy tags. A single URL in a letter may be the tip of a portfolio problem. Scanning all material web properties surfaces shadow tags, duplicate pixels, and tools that bypass your CMP categories. That portfolio view helps counsel assess class size theories and prioritize remediation before the next letter arrives.
Lokker role
How Lokker works with your defense team
We document what the site did at the network layer so counsel can set strategy on facts.
Lokker is engaged through enterprises, insurers, and defense counsel handling website privacy litigation. We provide forensic scans, consent-state validation, historical configuration records, and rescans after remediation. We work on defense matters only, not plaintiff-side claims. If you need counsel, we can connect you with law firms that handle CIPA, VPPA, HIPAA pixel, and related website tracking cases regularly. Contact us to discuss scope and timing.
Frequently asked questions
Common questions after a demand letter arrives
I received a demand letter about Google Analytics. What should I do first?
Contact defense counsel or your cyber insurer's panel counsel immediately. Preserve your Google Tag Manager container, GA4 configuration, consent banner settings, and relevant logs. Do not remove the tag until counsel approves a preservation plan. Then verify whether GA4 actually fired on the pages and dates alleged, including before any consent interaction.
Does having a cookie banner protect us from a CIPA demand letter?
Not necessarily. CCPA-oriented cookie consent and CIPA wiretap theories are different legal claims. A banner that does not block the challenged tool at the network layer, or that allows tags to fire before the visitor can meaningfully respond, may still be cited against you. Technical proof of what fired and when matters more than policy language alone.
What is a CIPA demand letter?
It is a pre-litigation notice alleging that website technologies intercepted electronic communications without consent under the California Invasion of Privacy Act. Letters often name session replay, chat, or analytics tools and cite statutory damages of $5,000 per violation. See our CIPA statute page for law-specific detail.
How much do these demand letters cost to settle?
Settlement ranges vary widely by firm, alleged violations, traffic, and defenses available. The letter's damages math is often theoretical. Counsel evaluates nuisance value, litigation cost, and technical strength of the claim. Lokker does not negotiate settlements or recommend payment amounts.
Should we pay the demand letter to make it go away?
That is a legal and business decision for counsel and leadership. Paying without verifying whether the technical allegation is accurate can invite repeat demands. Many firms send letters in bulk hoping for quick settlements. Independent scans and HAR review inform whether the claim is credible.
What is a HAR file and why is it in the letter?
A HAR (HTTP Archive) file logs network requests made by a browser during a site visit. Plaintiffs use it to show which third-party domains received data. Your team should be able to analyze the same file type to confirm or challenge the narrative.
Can we just remove the pixel and ignore the letter?
Removing the tool after the letter does not erase past conduct that claims are based on, and hasty changes can complicate evidence preservation. Follow counsel's direction on remediation timing. Document before-and-after behavior if you do make changes.
We are a B2B company. Can we still get these letters?
Yes. B2B sites use LinkedIn Insight Tags, GA4, chat widgets, and session replay like consumer brands. Statutes referenced in the letter determine scope, not whether you sell to businesses.
How does Lokker help if we already have counsel?
Counsel engages Lokker for network-layer scans, consent-state testing, historical records, and rescans after remediation. Outputs support discovery, settlement discussions, and expert workflows. See Litigation and discovery for the full evidence lifecycle.
Which privacy law page should I read next?
Use the statute named in your letter: CIPA for wiretap/session replay/chat claims, VPPA for video plus pixel claims, HIPAA or Washington MHMDA for health-related sites, CCPA/CPRA for separate consumer privacy theories. This guide links to each.
Will website tracking demand letters stop soon?
Legislative reforms have been proposed but are uncertain and often prospective only. Plaintiffs' firms still have incentives to file before any safe harbor takes effect. Proactive scanning and defensible consent behavior remain the practical risk controls.
Does Lokker work with plaintiff attorneys?
No. Lokker supports organizations and their defense counsel, insurers, and compliance teams. We do not assist firms bringing claims against website operators.
This page is general information for website operators and their advisors. It is not legal advice and does not create an attorney-client relationship with Lokker. Statutes, court rulings, and enforcement posture change quickly. Consult licensed privacy litigation counsel in your jurisdiction before responding to a demand letter, settling, or changing site configurations in a way that could affect evidence preservation.