To Our Clients and Community,

We are writing to alert you to a significant and growing wave of demand letters and threatened lawsuits targeting businesses, including cannabis dispensaries, delivery services, e-commerce operators, and psychedelic wellness platforms, under California's Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 638.50–638.51.

Our firm has reviewed multiple such letters, including several recently sent to East Coast cannabis operators. If you operate a website accessible to California customers, regardless of whether you do business in California, you may already be a target, or you may be one soon. This is true even if your business is incorporated and operates entirely outside California. You should not ignore these letters.

What is CIPA, and why are plaintiffs using it?

CIPA was originally designed to prevent wiretapping and unauthorized electronic surveillance. A small group of plaintiff attorneys has recently weaponized an obscure provision, the "pen register" prohibition, against ordinary business websites.

Certain plaintiff attorneys theorize that standard third-party tools embedded in nearly every commercial website (analytics tags, advertising pixels, session-recording scripts, and similar trackers) constitute unlawful "pen registers" because they capture IP addresses and device identifiers. Plaintiffs argue that loading these tools without prior, affirmative user consent violates Cal. Penal Code § 638.51(a). The statute allows for statutory damages of up to $2,500 per violation, and plaintiffs' counsel typically assert that each page visit, or each tracker, is a separate violation.

These cases are typically filed by a handful of repeat plaintiff attorneys in California, often as part of a mass-filing campaign against dozens of businesses simultaneously. The demand letters are frequently sent before filing, offering to resolve the matter informally, but the attached "complaint" is ready to file.

Does CIPA apply to your business even if you are not in California?

This is the question we hear most often, and the answer, in many cases, is yes.

CIPA follows the visitor, not the business

  • CIPA's pen-register prohibition does not require the defendant to be located in California, to be incorporated there, or to have a physical presence there. The statute protects California residents whose communications are intercepted. Plaintiffs' counsel therefore files suit in California state court against out-of-state, and even foreign, businesses, arguing that the unlawful interception occurred when the California-based visitor loaded the defendant's website while located in California. Under this theory, any business with a website accessible to California residents is a potential defendant.

California courts assert personal jurisdiction based on website accessibility

  • For a California court to hear a case against an out-of-state defendant, it must have personal jurisdiction.

  • In these CIPA cases, plaintiffs typically argue that the defendant purposefully directed its website and commercial activities toward California residents by accepting California orders, geolocating California users, running targeted advertising into California, or simply operating a nationally accessible e-commerce site. Courts have generally been receptive to this argument for businesses that actively solicit California customers.

  • Obviously, many companies operating in highly regulated industries, like cannabis, operate purely intrastate. However, that can be expensive to establish in court, and these demands are typically low enough to make payment the more attractive option.

  • Moreover, as scheduling changes develop, cannabis and psychedelics operators can expect to be targeted more often, as age-gated websites with a national reach make for easy targets.

Arbitration clauses in your terms of service may help — but have limits

  • Some out-of-state businesses have attempted to compel arbitration based on terms of service containing arbitration clauses and California choice-of-law provisions, or alternatively to invoke forum-selection clauses designating their home state. These arguments have had mixed results.

  • Courts will examine whether the plaintiff actually assented to the terms (a clickwrap agreement is stronger than a browsewrap), whether the arbitration clause covers statutory privacy claims, and whether enforcing the clause would be unconscionable.

  • If your website has a terms-of-service agreement with an arbitration clause, you should have counsel review whether it is structured to provide meaningful protection in this context. Many are not.

A practical illustration

Consider a psychedelic wellness operator incorporated in Colorado, with servers in Texas, whose website accepts inquiries and bookings from customers nationwide. When a Los Angeles resident visits that website and the site's embedded Wix analytics scripts fire on page load, transmitting the visitor's IP address to third-party servers before the visitor can interact with any consent banner, plaintiffs' counsel argues that a CIPA violation occurred in California and files suit in Los Angeles Superior Court. The Colorado operator is now a California defendant.

Why cannabis and psychedelic businesses are especially exposed

Businesses in our space face heightened risk for several reasons:

Age verification banners create a timing problem

  • Many cannabis and psychedelic wellness sites display an age-gate before visitors can access content. Plaintiffs' counsel has argued that third-party tracker scripts fire automatically on page load, before the user can interact with the age-gate banner.

  • This pre-consent firing is central to the claimed violation, and the screenshots plaintiffs attach to their complaints often show developer tools capturing network requests to analytics endpoints firing simultaneously with the age-gate display.

Wix, Shopify, and other turnkey platforms

  • Many operators use hosted website builders that automatically load analytics and advertising infrastructure.

  • Operators often do not know which third-party domains are receiving their visitors' data, and the platform provider, not the operator, controls when those scripts fire.

Regulatory scrutiny creates settlement pressure

  • Cannabis and psychedelic businesses are often reluctant to invite litigation or regulatory attention, making them attractive settlement targets even when the legal claims are contestable.

  • Out-of-state operators face additional pressure from the prospect of litigating in a distant jurisdiction.

What you should do right now

If you have received a demand letter: Do not ignore it, and do not respond without speaking to counsel first. Contact our office promptly.

If you have not yet received a letter: Take these steps proactively, regardless of where your business is located:

  1. Audit your website's third-party scripts. Use browser developer tools or a privacy scanner to identify every domain your site contacts on page load, before any user action.

  2. Implement a true consent management platform (CMP). A passive cookie banner is not enough. No analytics, advertising, or non-essential tracking scripts should execute until a user affirmatively opts in.

  3. Coordinate your age-gate and consent flow. Ensure that no third-party network requests fire until after the user has passed through your age verification wall and affirmatively consented to tracking.

  4. Review your terms of service and arbitration clause. If you do not have a mandatory arbitration clause, consider adding one with appropriate California-specific provisions. If you do have one, have counsel verify it is structured to be enforceable against CIPA claims and that your clickwrap implementation creates adequate assent.

  5. Update your privacy policy to accurately disclose all third-party data processors and the categories of data shared, and ensure your disclosures satisfy both CIPA and the CCPA.
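One way to structure the gating described in steps 2 and 3, as an added example that is not the newsletter's or any platform vendor's code: trackers are declared as data rather than as script tags, so nothing is injected on page load, and a tracker is only added to the page after the age gate has been passed and the visitor has affirmatively opted in to its category. The tracker URLs and category names are placeholders.

```javascript
// Added example: consent-gated loader for third-party tracker scripts, coordinated
// with an age gate. Tracker URLs below are constructed placeholders.
const TRACKERS = [
  { id: "analytics", src: "https://analytics.example/tag.js", category: "analytics" },
  { id: "ads-pixel", src: "https://ads.example/pixel.js", category: "advertising" },
];

function initialState() {
  return { ageVerified: false, consent: { analytics: false, advertising: false }, loaded: [] };
}

// Pure decision: which trackers may load right now. Nothing is allowed before the
// age gate, and passing the age gate alone is not consent to tracking.
function allowedTrackers(state) {
  if (!state.ageVerified) return [];
  return TRACKERS.filter((t) => state.consent[t.category] === true && !state.loaded.includes(t.id));
}

function passAgeGate(state) {
  return { ...state, ageVerified: true };
}

// Only an explicit `true` records consent; dismissing or ignoring the banner leaves
// the category at false, so a passive banner cannot unlock any tracker.
function recordConsent(state, choices) {
  const consent = { ...state.consent };
  for (const [category, value] of Object.entries(choices)) consent[category] = value === true;
  return { ...state, consent };
}

// Side-effecting step: inject <script> tags for approved trackers. In a non-browser
// environment (no `document`) it only updates the bookkeeping.
function loadApproved(state) {
  const toLoad = allowedTrackers(state);
  if (typeof document !== "undefined") {
    for (const t of toLoad) {
      const s = document.createElement("script");
      s.src = t.src;
      s.async = true;
      s.dataset.consentCategory = t.category;
      document.head.appendChild(s);
    }
  }
  return { ...state, loaded: [...state.loaded, ...toLoad.map((t) => t.id)] };
}

// Simulated visit: page load, age gate, then a banner where only analytics is accepted.
function simulateVisit() {
  let s = initialState();
  const atPageLoad = allowedTrackers(s).length;   // 0: nothing fires pre-consent
  s = passAgeGate(s);
  const afterAgeGate = allowedTrackers(s).length; // still 0: age gate is not consent
  s = loadApproved(recordConsent(s, { analytics: true, advertising: false }));
  return { atPageLoad, afterAgeGate, loaded: s.loaded };
}
```

In the browser, wire passAgeGate to the age-gate confirmation control and recordConsent to the banner's explicit accept controls, then call loadApproved; the step 1 audit should then show no tracker domains contacted before those clicks.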

What this litigation looks like in practice

The demand letters we have reviewed follow a template. They are brief (typically one page) and allege that the plaintiff visited the defendant's website and that, on page load, the browser automatically transmitted IP address and device identifier data to multiple third-party domains without consent. A draft complaint, ready to file, is attached. The plaintiff seeks statutory damages under Cal. Penal Code § 637.2(a)(1) plus injunctive relief.

The legal theories in these cases are contested. Courts have not uniformly accepted the argument that standard web analytics tools are "pen registers" within the meaning of CIPA, and several defenses, including consent, lack of standing, jurisdictional challenges for out-of-state defendants, and the scope of the statute, remain viable. That said, the cost of defending even a weak case can be significant, and some defendants have settled for five-figure sums to avoid litigation exposure.

We are monitoring this litigation trend closely and can advise on proactive compliance measures, terms of service structure, and defense strategy if you receive a demand.

If you have received a demand letter or would like a website compliance review, please reach out to Rudick Law Group. We are available to assist promptly given the short response windows these letters often carry.

— RLG
