What Should Businesses Know About California Demand Letters?

Article Summary

As California demand letters tied to privacy, accessibility, and warning-label laws increase, small or disputed compliance gaps can create costly risks. CIPA, Unruh, ADA, and Prop 65 claims may target website tools, accessibility barriers, product labels, or records, making proactive reviews, documentation, and insurance evaluation critical.

Imagine opening your company’s mail and finding a formal legal demand letter, complete with a ready-to-file court complaint, claiming your business violated California privacy, accessibility, or consumer protection law. Maybe your company has never operated in California. Maybe your customers are not based there. Still, the letter threatens a lawsuit unless you respond or settle.

This is not hypothetical. Businesses across the country are receiving demand letters tied to California privacy, accessibility, and warning-label laws, often citing the California Invasion of Privacy Act (CIPA), the Unruh Civil Rights Act, or Proposition 65.

At a high level, a California demand letter is a formal notice alleging that a business violated California law and may face a lawsuit if it does not respond, remediate, or settle. These letters have become more common because they can be sent quickly, often rely on repeatable allegations, and create enough defense-cost pressure that businesses may feel compelled to settle before a court ever reviews the claim.

The laws behind these letters were created for important reasons: to protect privacy, improve access for people with disabilities, and help consumers understand potential chemical exposures. The challenge is that aggressive private enforcement can turn technical compliance gaps into expensive legal threats.

 

The California Invasion of Privacy Act (CIPA) Pen Register Provisions

Why Are Businesses Receiving CIPA Website Tracking Claims?

California Penal Code Section 638.51 was originally enacted to prevent government and law enforcement overreach, specifically the secret surveillance of communications metadata without judicial oversight.

A pen register, in the traditional sense, was a physical device used by law enforcement to record phone numbers dialed from a target line. The law required a court order before any such device could be used.

Now, attorneys and litigants argue that routine third-party tracking tools embedded in everyday business websites, including analytics platforms, marketing tools, ad pixels, and session-tracking technology, may qualify as illegal pen registers under this decades-old statute. Each page load, they argue, can be treated as a separate violation. When statutory damages are layered on top, the theoretical exposure becomes enormous.

Quick checklist: Audit third-party scripts, pixels, tags, and tracking tools; map what data is collected, shared, and when it fires; use a consent platform that blocks non-essential scripts until consent; confirm the banner works as advertised; review search bars, forms, chat tools, login portals, health-related pages, and employment applications; and preserve network logs, privacy versions, banner settings, and vendor contracts.

 

The Unruh Civil Rights Act and the Americans with Disabilities Act (ADA)

How Do ADA and Unruh Accessibility Claims Work?

California’s Unruh Civil Rights Act was meant to guarantee all people full and equal access to business establishments. It was designed as a landmark protection against discrimination. Through California law, an ADA violation can also become a state-law claim with added statutory damages, making California a common venue for accessibility litigation.

The original intent was clear: ensure that people with disabilities have meaningful access to physical spaces and, increasingly, digital services.

Some serial filers and testers visit websites or physical locations primarily to identify accessibility issues and convert them into settlement demands. Claims can be filed for physical barriers at a location or website issues such as missing alt text, poor color contrast, inaccessible forms, missing captions, unclear heading structure, or features that do not work with keyboard navigation. This can leave businesses facing costly legal pressure over technical or fixable issues, even when there was no intent to exclude or discriminate.

Quick checklist: Audit the website against WCAG 2.1 Level AA using automated and manual testing; fix color contrast, alt text, captions, forms, keyboard navigation, and headings; publish an accessibility statement; re-test after meaningful website releases; and keep audit, remediation, and before-and-after records. For physical locations, review parking, routes, entrances, counters, restrooms, and signage, and consider a California Certified Access Specialist inspection.

 

Proposition 65: The Safe Drinking Water and Toxic Enforcement Act

What Is Prop 65 and Why Does It Matter?

Proposition 65 was passed to protect Californians from exposure to chemicals known to cause cancer or reproductive harm. It requires businesses to provide clear warnings before knowingly exposing individuals to any of hundreds of listed chemicals. The law was designed to empower the public by allowing private parties to help enforce it.

Claimants and their attorneys may pursue Prop 65 claims based on technical or debatable compliance issues rather than clear evidence of consumer harm. These claims often focus on product labels, packaging, e-commerce product pages, supplier records, or chemical testing. For businesses that sell into California, even small compliance gaps can create costly risk.

Quick checklist: Confirm whether products are sold into California or premises create California exposures; audit products, packaging, raw materials, and premises against the current chemical list; assess safe-harbor thresholds; provide clear warnings before exposure, including on e-commerce pages when needed; add testing and certification duties to supplier contracts; and retain lab reports, exposure assessments, label approvals, and legal review records.

 

What Should You Do If You Receive a Demand Letter?

  • Do not ignore the letter and do not respond without legal counsel.
  • Immediately institute a legal hold on relevant records, including website code, tracking configurations, labels, product samples, and audit materials.
  • Capture the as-is state before changes are made: screenshots, network logs, photographs, and measurements.
  • Review insurance coverage and any landlord, supplier, or vendor indemnity obligations.
  • Evaluate both procedural and substantive defenses before choosing to settle, remediate, or litigate.
  • Remediate thoughtfully; fast changes without evidence preservation can weaken your position.
  • Avoid one-off fixes that invite copycat claims; build a sustained compliance program instead.

 

Compliance Now Beats Litigation Later

California privacy, accessibility, and Prop 65 demand letters are no longer niche issues. They are practical business risks for organizations across the country, especially those with public websites, e-commerce activity, or physical locations.
The strongest position is built before a letter arrives. Businesses should understand what their websites, products, vendors, and physical locations are doing, fix the gaps they can identify, document their efforts, and create a clear response plan. A practical compliance review now can reduce disruption later and help the business respond with more confidence if a claim comes in.

Reform may be coming, but waiting for lawmakers to solve the problem is not a risk strategy. Businesses that delay compliance work remain exposed now. Connect with your OneDigital insurance advisor to review your risk profile, discuss potential coverage considerations, and identify next steps before a demand letter arrives.

 

Disclaimer: This content is for informational purposes only and should not be considered legal advice. Businesses that receive a demand letter should consult qualified legal counsel.

Publish Date:Jul 15, 2026Categories:Business Insurance & Risk Management, Property & Casualty, Cyber Risk