Privacy Litigation Defense · Memo

Vivek Shah CIPA Search-Bar Demand Letters: What They Allege and How to Respond

Since 2024, a pro se litigant named Vivek Shah has sent hundreds of demand letters to California and out-of-state businesses alleging that their website search bars violate the California Invasion of Privacy Act. I cover the legal theory, the typical demand, the reported outcomes so far, the defense playbook, and a CIPA reform bill that was amended in the Assembly this week.

The letters follow a consistent pattern. Shah visits the target's website, opens the browser's developer tools, types a name (often his own) into the site's search bar or a similar form field, and captures the network requests that fire as he types. Where the search term is transmitted in real time to a third-party analytics or advertising platform, such as Google, Meta, HubSpot, or a similar vendor, before the user submits the search and before any consent banner has been accepted, Shah frames that transmission as an unlawful interception of a communication "in transit," in violation of Penal Code section 631(a). The letter typically states there was no cookie banner, no notice, and no opportunity to consent before the first keystroke, and demands statutory damages, commonly totaling somewhere in the range of fifty thousand dollars once every third-party recipient is counted as a separate violation.

I am Sergei Tokmakov, a California attorney (CA Bar #279869). I defend businesses on the receiving end of pixel-tracking and wiretapping demand letters, including the CIPA and AAA-arbitration wave I cover in more depth on the CIPA / Meta Pixel defense hub. This memo is the companion piece specific to the Vivek Shah search-bar campaign, which runs on a related but distinct theory from the session-replay and Meta Pixel cases: the alleged "content" here is the literal text a visitor typed, not just behavioral or device metadata.

Who Vivek Shah is

Shah is not a licensed attorney; he sends and litigates these demands pro se. Public reporting on his litigation history (Illinois copyright claims against news outlets over celebrity photos, dismissed in 2023 and affirmed by the Seventh Circuit in 2024; a housing-discrimination suit against an apartment company dismissed for lack of jurisdiction, affirmed by the Ninth Circuit in 2025) predates the CIPA campaign, which appears to have begun in 2024 and has generated coverage from multiple defense-side firms describing it as a systematic, high-volume operation. I have not independently verified every detail of Shah's personal history and treat the secondary reporting on it as background context, not as a substitute for verifying the specific claim made against any particular recipient.

That background is still relevant to strategy. A demand sent by a serial pro se claimant behaves differently, procedurally and economically, than one sent by plaintiff's counsel representing a single injured consumer. It affects how a recipient should weigh early settlement against testing the claim's technical accuracy and legal merits.

The legal theory: Penal Code 631(a) and "contents in transit"

Penal Code section 631(a) prohibits, among other things, willfully and without the consent of all parties reading or attempting to read the contents of a communication while it is in transit, and using or attempting to use any information so obtained. The statute does not require proof of actual damages: section 637.2 allows an injured person to recover the greater of $5,000 per violation or three times actual damages, and expressly states that suffering or being threatened with actual damages is not a prerequisite to suit.

The theory behind the search-bar wave draws on Heerde v. Learfield Communications, LLC (C.D. Cal. 2024), in which the court held that search terms typed into a website search bar can constitute the "contents" of a communication, and that a company's sharing of those terms with a third party such as Meta, via a tracking pixel, can support a CIPA claim. That ruling is widely credited with triggering the current wave of search-bar demand letters, because it gave plaintiffs a federal-court hook for treating ordinary analytics integrations as content interception rather than mere metadata collection. Separately, cases in the broader CIPA wave (including Javier v. Assurance IQ, LLC) have rejected the argument that a privacy policy or cookie banner can retroactively authorize tracking that already occurred before the visitor saw it.

What the letters typically demand

Shah's letters generally: (1) identify the specific search bar or form field and the exact third-party domains the network request was sent to; (2) assert there was no consent mechanism in place before the transmission; (3) demand $5,000 per violation, counting each third-party recipient separately, for a total commonly cited around $50,000; and (4) set a response deadline before threatening to file in state or federal court. I have not reviewed any specific letter for this memo and recommend against assuming any particular letter matches this pattern exactly; the actual document controls.

How courts have handled the claims so far

The reported record is mixed, which matters for calibrating a response. According to public reporting: a claim against Mondelez reportedly settled with dismissal with prejudice; a claim against Harvard Drug Group reportedly resulted in a granted motion to dismiss and judgment against Shah; a claim against Card Delivery LLC was reportedly voluntarily dismissed. More broadly, California state courts, particularly in Los Angeles County, have been dismissing CIPA pen-register and search-bar theories with some consistency over roughly the past eighteen months, while federal courts have shown more willingness to let similar claims survive at the pleading stage. I have not independently reviewed the underlying dockets in these matters and treat this as a directional trend from secondary reporting, not a verified case-by-case account; the live procedural posture of Shah's currently pending matters should be confirmed before relying on any of it.

The defense playbook

Four workstreams typically run in parallel on a matter like this:

  1. Technical verification. Confirm, independently, what the site's search bar or form actually does. Does it transmit typed characters to a third party in real time before submission, or only after submission (which is a materially different legal posture)? Is the "third party" actually an independent recipient, or a processor acting under contract for the site's own analytics? The DevTools evidence in the letter should be reproduced and checked, not assumed accurate.
  2. Consent and notice posture. When did the tracking script load relative to any consent banner? A banner that appears after tracking has already started does not cure the claim; a properly sequenced, logged consent flow is the strongest defense.
  3. Claimant-specific and procedural posture. A serial pro se plaintiff's demand is evaluated differently than counsel-driven litigation: settlement value, the plaintiff's litigation history and win/loss record, forum, and whether the site's own Terms of Service include an arbitration clause and class-action waiver that could be invoked to move an individual dispute out of court, are all relevant. I would confirm the actual clause language before relying on any arbitration-based strategy; default administrator rules do not control if the contract says otherwise.
  4. Compliance remediation. Independent of how the current demand resolves, fixing the underlying data flow (gating third-party tags behind consent, auditing form and search-bar integrations) reduces exposure to the next letter, since Shah's campaign and similar copycat filings target unremediated sites repeatedly.

Legislative watch: SB 690

California SB 690, which stalled in the Assembly in 2025 after passing the Senate 35-0, is back in play as a two-year bill in the 2026 session and was most recently amended on July 2, 2026. As currently drafted, it would add a "commercial business purpose" exemption to Penal Code sections 631, 632, and 632.7, tied to the CCPA's definition of a business purpose and to processing subject to a consumer's CCPA opt-out rights. The current draft also includes a retroactivity provision applying to claims pending within two years before the bill's operative date. None of this is law yet, and the bill stalled once already after consumer-advocate opposition; a recipient of a current demand should not assume the bill will pass, or that it will pass in its current retroactive form, but the pending legislation is a real factor in timing a response, since a claim resolved by settlement today forecloses an argument that a change in the underlying statute might otherwise have mooted.

What I would not assume

Ignoring one of these letters is not a neutral option: the recipients who ignore them risk a filed complaint in a forum of the claimant's choosing, and the deadline stated in the letter is usually real. At the same time, the mixed track record on the merits, the SB 690 legislative uncertainty, and the claimant-specific posture mean this is not automatically a case to pay to make go away. The right first step is an independent technical and consent-flow read of the actual site, not a reflexive settlement based on the dollar figure in the letter.

Received a Vivek Shah letter, or a similar CIPA search-bar demand?

I can run a paid technical-and-legal read of the actual letter and your site's search bar or form integrations and recommend a response. Email owner@terms.law with the letter and a link to the page in question.

Sergei Tokmakov, Esq., CA Bar #279869. This memo is attorney commentary on California legal questions and is not legal advice. Reading it does not create an attorney-client relationship. Public reporting on Vivek Shah's litigation history and on specific case outcomes has not been independently verified against court dockets by me and is presented here as background, not as a certified case record. SB 690 is pending legislation, not current law, and its final text and enactment are not guaranteed. Verify the operative statutory text and any bill's current status before relying on this memo. I represent clients in California only.