Why Your Website Needs an “Accept or Reject” Cookie Gate
By Robert M. Gavin, Esq.
If your business operates a website that serves California visitors, you may already be on a target list. Over the past two years, a small group of serial plaintiffs have built a high-volume operation around the California Invasion of Privacy Act (CIPA), and the technology on your site may be all the ammunition they need.
1) What these claims actually allege
The newest wave of CIPA activity centers on Penal Code § 638.51(a), which prohibits installing or using a “pen register” or “trap and trace device” without a court order. The statute was written in the 1960s for telephone surveillance, but plaintiffs now argue that common website tools like cookies, pixels (Meta, TikTok, Google), analytics scripts, and session-replay software function as modern pen registers because they capture and transmit a visitor’s IP address and device data to third parties.
The theory is attractive to claimants for a simple reason: CIPA’s civil enforcement provision (§ 637.2) allows statutory damages of $5,000 per violation, with no requirement to prove any actual harm. Plaintiffs typically argue that every visit is a separate violation, which lets them project enormous theoretical exposure on paper.
2) How the operation works
These cases almost always begin not with a lawsuit but with a demand letter. The claimant runs an automated scan of your site in a fresh browser session and records every outbound request to a third-party domain that fires on page load. If a tracking pixel sends data to Facebook, Google, or an ad network before the visitor has agreed to anything, that timestamped network log becomes the “evidence.” A letter follows, citing § 638.51 (often stacked with § 631 wiretapping claims), a damages calculation, and a settlement deadline of roughly 20 to 30 days.
The economics are deliberately lopsided. Demands are frequently set low enough that fighting costs more than paying, which pressures businesses into quick nuisance settlements. Pro se litigants amplify this. Without attorney overhead, they can send letters in volume and still find the math worthwhile.
3) What to fix
Here is the technical heart of nearly every one of these claims: a tracker fired before the visitor had a chance to consent.
Your site should require each visitor to affirmatively accept or reject cookies and tracking before any non-essential script loads or sends data. A passive banner that merely announces “we use cookies” while pixels are already running does not solve the problem, and neither does a privacy policy buried in the footer. The 9th Circuit’s reasoning in Javier v. Assurance IQ established that consent obtained after tracking has begun generally isn’t valid consent at all.
Concretely, that means deploying a consent-management platform configured to:
- Block non-essential trackers by default – nothing fires until the visitor chooses.
- Present a genuine choice – clear “Accept” and “Reject” options, with no dark patterns that nudge users toward acceptance.
- Actually honor a rejection – when a user declines, the tags must truly stop. Courts treat a banner that promises one thing and does another as its own form of misrepresentation.
- Keep a timestamped consent log – demonstrate, visitor by visitor, that data collection followed (not preceded) consent.
Some operators are also adding a short buffer between when notice appears and when collection could begin, on the theory that users need a real moment to decide. Reviewing your privacy policy to accurately list the tracking tools you use and how visitors can opt out remains essential as well.
4) The law is murky
The legal landscape is genuinely unsettled. California state courts have increasingly rejected the pen-register theory. Several 2026 superior court rulings dismissed these claims with prejudice, reasoning that § 638.51 was meant for telephones, not commercial websites. Federal courts in California, by contrast, have more often let the claims survive early motions. Two California Courts of Appeal are now reviewing the question, and their decisions may finally bring clarity.
That uncertainty is precisely why prevention matters. You cannot control which way a given court will rule, but you can control whether an automated scan of your site finds a tracker firing before consent. Remediating your setup does not erase liability for past conduct, but it eliminates future exposure, signals good faith and it removes the very fact pattern these letters are built on.
This article is for general information only and is not legal advice. The application of CIPA to your website technology is evolving and fact-specific. If you have received a demand letter, or want to assess your site’s exposure, consult an experienced privacy attorney before responding.
