A wave of demand letters is hitting small businesses over common website tools. Here's what's actually happening, why it matters beyond California, and what to do about it.
If you run an auto repair shop, you probably think about brakes, oil changes, and keeping customers happy. You probably don't think much about your website's privacy settings. But right now, a wave of lawsuits is targeting small businesses just like yours, and the reason is something most shop owners have never heard of.
It's called CIPA.
Law firms are using an old California wiretapping law called CIPA to send demand letters to small businesses over common tools like Google Analytics and the Meta pixel. California isn't the only state with a privacy law either. Twenty states already have one in effect, with three more on the way. The fix is the same everywhere: know what's tracking your visitors, keep your privacy policy current, and give visitors a way to consent.
CIPA stands for the California Invasion of Privacy Act. It's a law from 1967. Back then, it was written to stop illegal wiretapping, like someone secretly recording a phone call.
Today, some lawyers are using CIPA in a new way. They argue that common website tools, like Google Analytics or the Meta pixel (the tool that tracks visitors from Facebook and Instagram ads), count as a kind of wiretapping. Their argument is that these tools collect information about visitors without clear permission.
Whether that argument holds up in court is still being tested. But that hasn't stopped a growing number of law firms from sending demand letters to small businesses, including auto shops, asking for a quick settlement.
Most auto shop websites use the same handful of tools. Things like Google Analytics to see how many people visit the site, or a Facebook pixel to track ad performance. These tools are common, useful, and almost every small business uses them without a second thought.
That's exactly why shops get targeted. Law firms use automated bots to scan thousands of websites at once, looking for these tools. When a bot finds one, it flags the site for a demand letter. Auto shops fit the pattern perfectly: local, small, and busy running a business rather than watching for legal trends.
According to Karen Nalven, President and CEO of the Better Business Bureau serving West Florida, this pattern is becoming common enough that the BBB has started warning small businesses directly.
CIPA allows for statutory damages of up to $5,000 per violation. That number is designed to grab attention, and it works. A shop owner who gets a letter demanding thousands of dollars often assumes the safest move is to settle quickly rather than fight it in court.
Many shops do settle, even when the underlying legal claim is weak, simply because going to court costs more time and money than most small businesses have to spare.
CIPA gets the most attention because California is the only state where a regular person can sue a business directly over a privacy violation. That's called a private right of action, and it's the reason those $5,000-per-visitor demand letters exist in the first place.
But California is not the only state with a privacy law on the books. As of mid-2026, 20 states have comprehensive consumer privacy laws already in effect. Three more, Oklahoma, Alabama, and Louisiana, have been signed into law and are set to take effect over the next year. That brings the total to 22 states with a privacy law on the books, and more are expected to follow.
| State | Law | Signed | Takes Effect |
|---|---|---|---|
| California | CCPA (amended by CPRA) | 2018 (CPRA 2020) | Jan 1, 2020 |
| Virginia | VCDPA | March 2021 | Jan 1, 2023 |
| Colorado | CPA | July 2021 | July 1, 2023 |
| Connecticut | CTDPA | May 2022 | July 1, 2023 |
| Utah | UCPA | March 2022 | Dec 31, 2023 |
| Texas | TDPSA | June 2023 | July 1, 2024 |
| Florida | FDBR | June 2023 | July 1, 2024 |
| Oregon | OCPA | July 2023 | July 1, 2024 |
| Montana | MCDPA | May 2023 | Oct 1, 2024 |
| Iowa | ICDPA | March 2023 | Jan 1, 2025 |
| Delaware | DPDPA | Sept 2023 | Jan 1, 2025 |
| New Hampshire | NHDPA | March 2024 | Jan 1, 2025 |
| Nebraska | NDPA | April 2024 | Jan 1, 2025 |
| New Jersey | NJDPA | Jan 2024 | Jan 15, 2025 |
| Tennessee | TIPA | May 2023 | July 1, 2025 |
| Minnesota | MNDPA | May 2024 | July 31, 2025 |
| Maryland | MODPA | May 2024 | Oct 1, 2025 |
| Indiana | INCDPA | May 2023 | Jan 1, 2026 |
| Kentucky | KCDPA | April 2024 | Jan 1, 2026 |
| Rhode Island | RIDTPPA | June 2024 | Jan 1, 2026 |
| Oklahoma | OCDPA | March 2026 | Jan 1, 2027 |
| Louisiana | LDPA | May 2026 | Jan 1, 2027 |
| Alabama | APDPA | April 2026 | May 1, 2027 |
Table current as of mid-2026. Privacy law is changing quickly, so double-check the current status of any state law before relying on it.
Here is the part most articles miss, and it actually makes the picture clearer, not scarier.
California is different from the other 21 states on this list because it lets individual people sue directly. That's why the demand letters exist there. Nobody needs a government agency involved. A visitor, or a law firm on a visitor's behalf, can sue on their own.
Every other state on the list works differently. Those laws are enforced by the state Attorney General, not by individual lawsuits. A customer in Texas or Colorado generally cannot sue your shop directly under their state's privacy law. Instead, the state's Attorney General investigates and enforces the law against businesses.
That does not mean the risk outside California is small. Attorney General enforcement is picking up speed. Texas, for example, secured a $1.375 billion settlement from Google in 2025 over the company's tracking and biometric data practices. That case relied on other Texas consumer protection laws rather than the state's newer privacy statute, but it shows state Attorneys General are willing to pursue large cases when they see a pattern worth pursuing, and that willingness is only growing as more states pass their own privacy laws.
Either way, the fix is the same. Know what tracking tools are running on your site, keep your privacy policy current, and give visitors a clear way to consent to being tracked.
You can't control who sends a demand letter. But you can lower your risk, and make your shop a much less appealing target. Here are three steps that many shop owners find helpful.
Take a look at everything running on your site behind the scenes. This usually includes Google Analytics, the Meta pixel, chat widgets, and any tool that tracks visitor behavior.
A web developer or marketing agency can usually do this audit quickly. The goal is simply to know what's running on your site, since you can't fix a risk you don't know about.
Your privacy policy should clearly explain what tools your site uses and what information they collect. A privacy policy that's outdated, missing, or copied from another business years ago is a red flag.
This is one of the easier fixes on this list, and one worth prioritizing.
A consent mechanism is simply a way for visitors to agree to being tracked before it happens. You've probably seen this on other websites as a small banner that says something like "This site uses cookies" with an option to accept or decline.
Adding one of these to your site can significantly reduce your exposure, since much of the legal argument behind these lawsuits centers on tracking happening without a visitor's knowledge or consent.
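For the audit and consent steps above, a short script can list the third-party scripts in a page's HTML and show which ones load before a visitor makes any consent choice. This is an added example, not part of the original article: the sample page and the hosts `shop.example` and `chat.widget.example` are constructed, and treating `type="text/plain"` as the marker of a consent-gated script is an assumption based on a common consent-manager convention.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the tools named in the article load from; extend for your own stack.
KNOWN = {"www.googletagmanager.com": "Google tag (Analytics / Tag Manager)",
         "www.google-analytics.com": "Google Analytics",
         "connect.facebook.net": "Meta pixel"}

class ScriptAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.gated, self._inline = site_host, {}, None
    def _add(self, host, gated):
        # A host counts as consent-gated only if every reference to it is.
        self.gated[host] = self.gated.get(host, True) and gated
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        # Assumption: the consent tool parks blocked scripts as type="text/plain".
        gated = (a.get("type") or "").lower() == "text/plain"
        host = urlparse(a.get("src") or "").netloc.lower()
        if not a.get("src"):
            self._inline = gated              # inline body arrives in handle_data
        elif host and host != self.site_host:
            self._add(host, gated)
    def handle_data(self, data):
        if self._inline is not None:          # only inside an inline <script>
            for host in (h for h in KNOWN if h in data):
                self._add(host, self._inline)
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = None

def audit(html, site_host):
    parser = ScriptAudit(site_host)
    parser.feed(html)
    parser.close()
    return [(KNOWN.get(h, "other third-party script"), h, g)
            for h, g in parser.gated.items()]

# Constructed sample page; chat.widget.example is a made-up host.
SAMPLE = """<head><script src="/js/site.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain">load('https://connect.facebook.net/en_US/fbevents.js')</script>
<script src="https://chat.widget.example/loader.js"></script></head>"""

if __name__ == "__main__":
    for label, host, gated in audit(SAMPLE, "shop.example"):
        print(f"{host:28} {label:38} {'gated' if gated else 'LOADS BEFORE CONSENT'}")
```

A static scan like this only sees what is in the HTML source. Tags injected at runtime by a tag manager still need to be checked in a browser's network panel, both before and after accepting the banner.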
None of these steps come with a guarantee. No article, tool, or checklist can promise that a shop will never receive a demand letter. What these steps can do is lower your risk and put you in a stronger position if something does happen. If you receive a demand letter, don't respond on your own. Talk to an attorney first.
If this all feels like a lot to take on between oil changes and brake jobs, you're not alone. Most shop owners aren't website or legal experts, and they shouldn't have to be.
A good starting point is having your website's tracking reviewed and your privacy policy brought up to date. That's exactly what our free Privacy Policy Intake Tool is built for. You answer a few questions about your site and how it's used, we review what's running on it, and we send you a draft privacy policy you can take to your own attorney for final review before it goes live.
That last step matters. The draft is a starting point, not a finished legal document, and your attorney should always be the one to sign off before anything goes on your site.