The Auto Shop Owner's Guide to Website Privacy Lawsuits

A wave of demand letters is hitting small businesses over common website tools. Here's what's actually happening, why it matters beyond California, and what to do about it.

This guide is for general information only. It is not legal advice. Privacy law changes fast, and every shop's situation is different. Please talk to a lawyer about your specific case before making changes based on this article.

If you run an auto repair shop, you probably think about brakes, oil changes, and keeping customers happy. You probably don't think much about your website's privacy settings. But right now, a wave of lawsuits is targeting small businesses just like yours, and the reason is something most shop owners have never heard of.

It's called CIPA.

The Short Version

Law firms are using an old California wiretapping law called CIPA to send demand letters to small businesses over common tools like Google Analytics and the Meta pixel. California isn't the only state with a privacy law either. Twenty states already have one in effect, with three more on the way. The fix is the same everywhere: know what's tracking your visitors, keep your privacy policy current, and give visitors a way to consent.

What Is CIPA, and Why Should a Shop Owner Care?

CIPA stands for the California Invasion of Privacy Act. It's a law from 1967. Back then, it was written to stop illegal wiretapping, like someone secretly recording a phone call.

Today, some lawyers are using CIPA in a new way. They argue that common website tools, like Google Analytics or the Meta pixel (the tool that tracks visitors from Facebook and Instagram ads), count as a kind of wiretapping. Their argument is that these tools collect information about visitors without clear permission.

Whether that argument holds up in court is still being tested. But that hasn't stopped a growing number of law firms from sending demand letters to small businesses, including auto shops, asking for a quick settlement.

Why Auto Shops Are a Target

Most auto shop websites use the same handful of tools. Things like Google Analytics to see how many people visit the site, or a Facebook pixel to track ad performance. These tools are common, useful, and almost every small business uses them without a second thought.

That's exactly why shops get targeted. Law firms use automated bots to scan thousands of websites at once, looking for these tools. When a bot finds one, it flags the site for a demand letter. Auto shops fit the pattern perfectly: local, small, and busy running a business rather than watching for legal trends.

According to Karen Nalven, President and CEO of the Better Business Bureau serving West Florida, this pattern is becoming common enough that the BBB has started warning small businesses directly.

Why the Threats Feel So Big

CIPA allows for statutory damages of up to $5,000 per violation. That number is designed to grab attention, and it works. A shop owner who gets a letter demanding thousands of dollars often assumes the safest move is to settle quickly rather than fight it in court.

Many shops do settle, even when the underlying legal claim is weak, simply because going to court costs more time and money than most small businesses have to spare.

This Isn't Just a California Problem

CIPA gets the most attention because California is the only state where a regular person can sue a business directly over a privacy violation. That's called a private right of action, and it's the reason those $5,000-per-visitor demand letters exist in the first place.

But California is not the only state with a privacy law on the books. As of mid-2026, 20 states have comprehensive consumer privacy laws already in effect. Three more, Oklahoma, Alabama, and Louisiana, have been signed into law and are set to take effect over the next year. That brings the total to 22 states with a privacy law on the books, and more are expected to follow.

| State | Law | Signed | Takes Effect |
|---|---|---|---|
| California | CCPA (amended by CPRA) | 2018 (CPRA 2020) | Jan 1, 2020 |
| Virginia | VCDPA | March 2021 | Jan 1, 2023 |
| Colorado | CPA | July 2021 | July 1, 2023 |
| Connecticut | CTDPA | May 2022 | July 1, 2023 |
| Utah | UCPA | March 2022 | Dec 31, 2023 |
| Texas | TDPSA | June 2023 | July 1, 2024 |
| Florida | FDBR | June 2023 | July 1, 2024 |
| Oregon | OCPA | July 2023 | July 1, 2024 |
| Montana | MCDPA | May 2023 | Oct 1, 2024 |
| Iowa | ICDPA | March 2023 | Jan 1, 2025 |
| Delaware | DPDPA | Sept 2023 | Jan 1, 2025 |
| New Hampshire | NHDPA | March 2024 | Jan 1, 2025 |
| Nebraska | NDPA | April 2024 | Jan 1, 2025 |
| New Jersey | NJDPA | Jan 2024 | Jan 15, 2025 |
| Tennessee | TIPA | May 2023 | July 1, 2025 |
| Minnesota | MNDPA | May 2024 | July 31, 2025 |
| Maryland | MODPA | May 2024 | Oct 1, 2025 |
| Indiana | INCDPA | May 2023 | Jan 1, 2026 |
| Kentucky | KCDPA | April 2024 | Jan 1, 2026 |
| Rhode Island | RIDTPPA | June 2024 | Jan 1, 2026 |
| Oklahoma | OCDPA | March 2026 | Jan 1, 2027 |
| Louisiana | LDPA | May 2026 | Jan 1, 2027 |
| Alabama | APDPA | April 2026 | May 1, 2027 |

Table current as of mid-2026. Privacy law is changing quickly, so double check the current status of any state law before relying on it.

What This Actually Means for Your Risk

Here is the part most articles miss, and it actually makes the picture clearer, not scarier.

California is different from the other 21 states on this list because it lets individual people sue directly. That's why the demand letters exist there. Nobody needs a government agency involved. A visitor, or a law firm on a visitor's behalf, can sue on their own.

Every other state on the list works differently. Those laws are enforced by the state Attorney General, not by individual lawsuits. A customer in Texas or Colorado generally cannot sue your shop directly under their state's privacy law. Instead, the state's Attorney General investigates and enforces the law against businesses.

That does not mean the risk outside California is small. Attorney General enforcement is picking up speed. Texas, for example, secured a $1.375 billion settlement from Google in 2025 over the company's tracking and biometric data practices. That case relied on other Texas consumer protection laws rather than the state's newer privacy statute, but it shows state Attorneys General are willing to pursue large cases when they see a pattern worth pursuing, and that willingness is only growing as more states pass their own privacy laws.

  • If your shop has California visitors or customers, you face direct lawsuit risk. This is the type of demand letter most shops are seeing right now.
  • If your shop operates outside California, your main risk is state Attorney General enforcement rather than a lawsuit from an individual customer. It's less common today, but it's growing, and the fines involved can be significant.

Either way, the fix is the same. Know what tracking tools are running on your site, keep your privacy policy current, and give visitors a clear way to consent to being tracked.

What You Can Do About It

You can't control who sends a demand letter. But you can lower your risk, and make your shop a much less appealing target. Here are three steps that many shop owners find helpful.

The 3-Step Privacy Checklist

  • Audit your website's tracking tools. Know exactly what's running behind the scenes, including Google Analytics, the Meta pixel, chat widgets, and anything else that tracks visitor behavior.
  • Update your privacy policy. It should clearly explain what tools your site uses and what information they collect. Outdated or copied policies are a red flag.
  • Add a consent mechanism. Give visitors a clear way to agree to being tracked, such as a simple cookie banner, before tracking happens.

1. Audit Your Website's Tracking Tools

Take a look at everything running on your site behind the scenes. This usually includes Google Analytics, the Meta pixel, chat widgets, and any tool that tracks visitor behavior.

A web developer or marketing agency can usually do this audit quickly. The goal is simply to know what's running on your site, since you can't fix a risk you don't know about.
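
For the developer or agency doing the audit, a first pass over a page's HTML can be scripted. This is an added example, not part of the original guide or any tool it mentions; the `KNOWN_TRACKERS` list is a small assumed starter set, and the sample page and its hostnames are constructed.

```javascript
// Added example: first-pass inventory of trackers referenced in a page's HTML.
// KNOWN_TRACKERS is an assumed starter list; extend it for your own site.
const KNOWN_TRACKERS = [
  { name: "Google Analytics / Tag Manager",
    domains: ["googletagmanager.com", "google-analytics.com"], inline: /\bgtag\s*\(/ },
  { name: "Meta pixel", domains: ["connect.facebook.net"], inline: /\bfbq\s*\(/ },
];

const matchesHost = (host, domain) => host === domain || host.endsWith("." + domain);

function auditTrackers(html, siteUrl) {
  const siteHost = new URL(siteUrl).hostname;
  const hosts = new Set();
  // Every script, iframe or image loaded from a host other than the site itself.
  const srcRe = /<(?:script|iframe|img)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(srcRe)) {
    try {
      const host = new URL(m[1], siteUrl).hostname;
      if (host !== siteHost) hosts.add(host);
    } catch { /* ignore malformed URLs */ }
  }
  const known = [];
  const claimed = new Set();
  for (const t of KNOWN_TRACKERS) {
    const hits = [...hosts].filter(h => t.domains.some(d => matchesHost(h, d)));
    hits.forEach(h => claimed.add(h));
    // Inline snippets count too: a pixel can be pasted in with no src attribute.
    if (hits.length > 0 || t.inline.test(html)) known.push(t.name);
  }
  // Third-party hosts nobody has classified yet (chat widgets, schedulers, ad tags).
  const unreviewed = [...hosts].filter(h => !claimed.has(h)).sort();
  return { known, unreviewed };
}

// Constructed sample page for illustration only.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=[];function gtag(){dataLayer.push(arguments);}</script>
<script>fbq('init','0000');</script>
<script src="/js/site.js"></script>
<script src="//widget.chat-vendor.example/loader.js"></script>
</head><body><img src="https://www.example-shop.test/logo.png"></body></html>`;

console.log(auditTrackers(SAMPLE_HTML, "https://www.example-shop.test/"));
```

Static HTML does not show tags that a tag manager injects at runtime, so confirm the result against the requests listed in the browser's network tab.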

2. Update Your Privacy Policy

Your privacy policy should clearly explain what tools your site uses and what information they collect. A privacy policy that's outdated, missing, or copied from another business years ago is a red flag.

This is one of the easier fixes on this list, and one worth prioritizing.

3. Add a Consent Mechanism

A consent mechanism is simply a way for visitors to agree to being tracked before it happens. You've probably seen this on other websites as a small banner that says something like "This site uses cookies" with an option to accept or decline.

Adding one of these to your site can significantly reduce your exposure, since much of the legal argument behind these lawsuits centers on tracking happening without a visitor's knowledge or consent.
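
A banner only helps if the tracking scripts really wait for the visitor's answer. The sketch below is an added example, not code from the original guide; `TAGS`, `CONSENT_KEY`, `createConsentGate` and the `G-EXAMPLE` id are hypothetical names, and the storage and script-injection functions are passed in so the logic can be checked outside a browser.

```javascript
// Added example: load tracking tags only after a recorded "yes".
// Tag ids, categories and the storage key are hypothetical.
const TAGS = [
  { id: "analytics", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE" },
  { id: "meta-pixel", category: "advertising",
    src: "https://connect.facebook.net/en_US/fbevents.js" },
];
const CONSENT_KEY = "site_consent_v1";

function readConsent(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY) || "null");
    // Missing or malformed data means "no decision yet": allow nothing.
    if (!parsed || !Array.isArray(parsed.categories)) return [];
    return parsed.categories.filter(c => typeof c === "string");
  } catch { return []; }
}

function createConsentGate(storage, injectScript) {
  const loaded = new Set();
  function apply() {            // call on every page load
    const allowed = new Set(readConsent(storage));
    for (const tag of TAGS) {
      if (allowed.has(tag.category) && !loaded.has(tag.id)) {
        injectScript(tag.src);  // the only place a tracker is ever loaded
        loaded.add(tag.id);
      }
    }
    return [...loaded];
  }
  function record(categories) { // call from the banner's Accept/Decline buttons
    const entry = { categories, at: new Date().toISOString() };
    storage.setItem(CONSENT_KEY, JSON.stringify(entry));
    return apply();
  }
  return { apply, record };
}

// Demo with in-memory stand-ins. In a browser, pass localStorage and a function
// that appends a <script async src=...> element to document.head.
const demoStore = new Map();
const demoStorage = { getItem: k => demoStore.get(k) ?? null,
                      setItem: (k, v) => demoStore.set(k, v) };
const demoGate = createConsentGate(demoStorage, src => console.log("load", src));
console.log(demoGate.apply());               // no decision yet: nothing loads
console.log(demoGate.record(["analytics"])); // visitor accepted analytics only
```

For this to work, the tracker snippets must be removed from the page template itself; a tag that is hard-coded in the HTML loads regardless of what the banner records.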

A Word of Caution

None of these steps come with a guarantee. No article, tool, or checklist can promise that a shop will never receive a demand letter. What these steps can do is lower your risk and put you in a stronger position if something does happen. If you receive a demand letter, don't respond on your own. Talk to an attorney first.

Where to Start

If this all feels like a lot to take on between oil changes and brake jobs, you're not alone. Most shop owners aren't website or legal experts, and they shouldn't have to be.

A good starting point is having your website's tracking reviewed and your privacy policy brought up to date. That's exactly what our free Privacy Policy Intake Tool is built for. You answer a few questions about your site and how it's used, we review what's running on it, and we send you a draft privacy policy you can take to your own attorney for final review before it goes live.

That last step matters. The draft is a starting point, not a finished legal document, and your attorney should always be the one to sign off before anything goes on your site.
