Free scan
CIPA demand letter

You got a CIPA demand letter. Here's what to do.

Take a breath — this is common, and it is fixable. But the clock matters: every day the flagged trackers keep running can add more visitor sessions to the claim.

What this letter usually is

A CIPA demand letter typically comes from a plaintiff's law firm and alleges that your website used session-recording, analytics, chat, or ad-pixel tools to capture what visitors did before they consented — which the firm frames as unlawful interception under California Penal Code § 631. It usually cites statutory damages (up to $5,000 per violation) and proposes a settlement to make it go away.

The single most useful thing you can do right now is find out exactly what is firing on your site before consent — because that is what the claim rests on.

See what a plaintiff firm's scanner would find on your site — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

What to do this week

1. Don't ignore it — and preserve everything
Keep the letter and note the date. Don't rashly delete data in a way that looks like spoliation. If a lawsuit has actually been filed (not just a demand), talk to a qualified attorney before responding.
2. Pin down what's being alleged
Demand letters often name the specific tools (Hotjar, FullStory, Microsoft Clarity, the Meta Pixel, a chat widget). Scan your site to confirm which trackers actually fire before consent and capture the evidence — you need to know your real exposure, not their characterization of it.
3. Remediate immediately
Gate or remove the flagged trackers so nothing loads or transmits before a visitor opts in. This is the step that stops the meter — every day of continued firing is argued as more sessions.
4. Document the fix with timestamps
Dated evidence that you identified and corrected the issue is your good-faith story. A clean re-scan after remediation is exactly the kind of proof that helps.
5. Set up monitoring so it doesn't reopen
Scripts get re-added constantly — a new marketing tag, a plugin update, a chat widget. Continuous monitoring alerts you the moment a new tracker appears, so a fix today doesn't quietly become a new claim next quarter.

How RegSentry helps

RegSentry runs the same kind of automated detection a plaintiff firm's scanner runs — except for you. It shows precisely which trackers fire before consent, captures the evidence, gives you the fix for each one, and then watches the site continuously so you can prove you stayed clean.

See if trackers fire on your site before visitors consent — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Set up monitoring ($99/mo) Estimate my exposure