California Invasion of Privacy Act demand letters over Meta Pixel, session-replay scripts, and third-party tracking tags are landing in thousands of business inboxes. Here is what you are looking at, what your defenses are, and how to triage it in the first 30 days.
These demand letters are not random. They follow a template, and the legal theory is narrow enough to understand in a few paragraphs.
Section 638.51 prohibits installing or using a "pen register" or "trap and trace device" on someone's line or device without consent. Plaintiff firms argue that Meta Pixel captures routing and signaling information from a user's browser (URLs visited, button clicks, form fields, device identifiers) and transmits that data to Meta's servers in real time. They call that a pen register. Statutory damages: $2,500 per violation.
Section 631 prohibits reading or learning the contents of any message "in transit" without consent. The argument: Meta Pixel intercepts the user's communication with your website and reads it before it arrives. Statutory damages: $5,000 per violation.
Why the demand is a "pre-arbitration" letter: Most e-commerce and SaaS sites have an AAA arbitration clause in their Terms of Service. Plaintiff firms draft these letters as the contractually required pre-dispute notice before filing an AAA arbitration demand. The letter is not a lawsuit. Whether the claimant can actually enforce the arbitration clause, and which AAA rules apply, are the first questions to resolve.
| Factor | What it means for your matter |
|---|---|
| Pixel on site without disclosure | If your privacy policy does not mention Meta Pixel (or Facebook Pixel) by name, you have no disclosure defense. This is the single most common gap. Review your privacy policy before anything else. |
| No cookie consent banner | Absence of a consent mechanism means you cannot argue the user affirmatively consented. California law does not require opt-in for all tracking, but lack of notice compounds the disclosure gap. |
| Arbitration clause in your TOS | An AAA clause with a class action waiver may require individual arbitration and forecloses class proceedings. Whether the claimant is bound by your TOS (did they agree to it?) is the threshold question. |
| Commercial vs. Consumer AAA Rules | If your service is B2B, the TOS likely routes disputes to AAA Commercial Rules rather than Consumer Rules. Commercial filing fees are substantially higher for claimants, which changes the economics of the demand. |
| Who sent the demand | Some plaintiff firms send mass identical demands and settle at a low number per claimant. Others pursue cases on the merits. The firm name matters for understanding the realistic settlement range. |
| Single claim vs. coordinated batch | If the same firm has sent identical demands to your company or to peer companies, this is a coordinated campaign. The AAA Mass Arbitration Supplementary Rules apply once 25+ demands are filed, which changes the procedural landscape significantly. |
If you can bind the claimant to your TOS arbitration clause, the matter goes to individual AAA arbitration. Class action is waived. Whether the claimant agreed to your TOS — a mere footer link (browsewrap) versus a required checkbox at account creation or purchase (clickwrap) — is the first question. Clickwrap is much easier to enforce.
B2B services frequently route to AAA Commercial Rules, not Consumer Rules. Commercial Rules carry filing fees that are significantly higher for the claimant. On a $2,500 statutory-damages demand, the filing fee economics often make individual arbitration uneconomical to pursue. This is leverage.
Section 631 contains an exception for "communication service providers." Meta is the one operating the Pixel infrastructure. Whether that exception extends to the business that installs the Pixel tag is contested, but courts have applied it in some contexts. Worth evaluating on the specific facts.
If your TOS designates a non-California governing law and forum, there is a threshold argument about which state's law governs the claim. Courts have not been consistent on whether a TOS choice-of-law clause defeats a CIPA claim brought by a California resident accessing the site. Do not rely on this defense alone.
Post-TransUnion, statutory-damages-only CIPA claims face a standing question in federal court. In AAA arbitration, the standing framework is different — but the argument is worth preserving if the matter escalates to litigation.
The honest picture: if Meta Pixel fires on your site, your privacy policy does not disclose it, and you have no consent banner, your substantive defenses are real but limited. The procedural and economic leverage from your arbitration clause is often more practically useful than the merits defenses, at least in the triage phase.
$240 written consultation fee credited toward the $575 response service if you proceed.
If this is a mass-arbitration campaign or the demand amount is substantial, the response scope and fee may need to be quoted separately. Email me with the demand letter and I will assess within 24 hours.
The demand's claimed statutory damages drive your worst-case exposure. At $2,500 per violation under § 638.51, a single claimant's demand is often in the $2,500-$10,000 range. AAA arbitration costs (arbitrator fees, administrative fees) are additional. An attorney evaluation before you respond is almost always cost-effective relative to the downside of responding poorly.
Remediation reduces future exposure but does not extinguish the existing claim. The demand covers past tracking, not future tracking. Remediation is still worth doing immediately — it demonstrates good faith, it limits ongoing exposure, and it removes the basis for any follow-on demands. But it does not substitute for a response to the existing demand.
The 30-day window stated in most pre-arbitration letters is the window before the firm files with AAA. Missing it does not automatically lose you rights, but it typically triggers the AAA filing, which starts the formal arbitration clock and generates AAA administrative fees. Respond within the stated window if possible.
CIPA applies to California residents whose devices are accessed. If any California resident visited your site, CIPA potentially applies regardless of your business model. However, your TOS may route the dispute to AAA Commercial Rules rather than Consumer Rules, which has practical consequences for the demand economics.