Over the past several months, a wave of demand letters citing the California Invasion of Privacy Act (CIPA) has been landing in the inboxes of home services businesses across the country. A small number of our own customers have received them. In each of those cases, the customer had chosen to install third-party tools on their site that sit outside our enterprise toolset and are not compliant with it. That distinction matters, and it is the reason we want you to understand exactly what you are looking at, where you actually stand, and how the platform you already run, the PredictiveSales digital marketing platform now called Site to Profits, is built to reduce this kind of exposure.
First, the honest headline: for most of you, this is far less of a problem than the letter wants you to believe.
What These Letters Actually Are
These are pre-suit demand letters, most of them generated in volume by a handful of serial filers. The mechanism they rely on is worth understanding, because it is broader than most people assume. The claim targets any website that reaches out to a third party. If your site has anything installed on it that pings, loads, or connects to an outside service without first receiving the visitor's permission, whether that is a tracking pixel, an analytics tag, a chat widget, an ad platform, or a form-verification tool, the letters allege that connection captures a visitor's routing and addressing data, such as their IP address and device identifiers, and therefore functions as an unlawful "pen register" under California Penal Code §638.51.
Here is why that matters to you specifically. Some businesses reach for third-party tools out of habit. In most cases you do not need to. The Site to Profits platform already includes a massive, comprehensive set of tools that handle just about everything you want to do, from tracking and analytics to lead capture, advertising, and visitor engagement, all built to run in compliance from the start. The right first move is to use the tools that are already inside the platform rather than bolting on outside services. Under the theory these letters push, it is the presence of those outside connections that gets pointed to, which is exactly why the customers who received letters were the ones who had installed third-party tools outside our enterprise toolset, or who had chosen not to turn on the cookie consent technology built into the PredictiveSales AI platform. To be clear, the pen-register theory itself is the plaintiff's argument, not a settled rule of law. It is a claim, and as you will see below, it is a claim that is steadily losing ground.
The business model here is settlement pressure, not the merits. The letters typically wave around a statutory damages figure of $5,000 per visit and push for a fast payment before you have time to think it through. That is exactly why it pays to understand your position before you react.
The Single Most Important Fact: This Is a California Statute
CIPA is a California law. It reaches businesses that operate in California, market to California, or direct their website content at California consumers. If your company does not do business in California, and your website is not marketing to California, your exposure to this specific claim is materially lower. For the large majority of our customers, that is the whole story.
If you do have a California footprint, this deserves more attention, and you should take it seriously. But even there, the ground is shifting in your favor.
The Legal Tide Is Turning, Even Inside California
Two developments are worth knowing:
In May 2026, a Los Angeles Superior Court held that the pen register and trap-and-trace provision these letters rely on (§638.51) applies only to telephone communications and does not extend to commercial websites at all. That is a favorable ruling from the same court system where much of this litigation lives. It is a trial-court decision rather than a final statewide precedent, and appeals on this question are still working through the courts, but the direction is encouraging.
At the state capitol, amended Senate Bill 690 advanced through the Assembly's Privacy and Consumer Protection Committee on July 1, 2026. As amended, it would eliminate the private right of action for exactly these §638.51 claims, and it is written to apply retroactively to claims filed within the two years before it takes effect. It is not law yet, and it still has to clear the full legislature, but the momentum is clearly running against the people sending these letters.
Put simply: this theory is being pruned back by both the courts and the legislature at the same time.
Why Your Platform Is Built for This
This is where running on the PredictiveSales platform, now Site to Profits, matters. You are protected on two fronts, not one.
First, on the web side, your platform includes a cookie consent banner. This is the tool that gates those third-party connections until a visitor agrees, which goes directly to the mechanism these letters target. If it is not currently enabled on your site, we can turn it on for you. There is one honest tradeoff to weigh: because a consent banner holds back certain tracking until a visitor consents, it can reduce some of the analytics, ad-performance, and lead-attribution data you rely on. That is a real business decision, which is why we leave the switch in your hands rather than flipping it automatically. If you want it on, all we need is your go-ahead.
Second, on the outbound side, your platform includes built-in TCPA compliance protection that runs before every outbound call and text. Consent is checked automatically at the point of contact, so you are covered on the phone and messaging side as well as the web side. This is the same category of exposure, just a different channel, and the platform handles both.
Both protections are native to Site to Profits. They are not add-ons or upsells. They are part of how the platform is engineered to protect you while it generates and works your leads. The exposure we have seen has come from third-party tools installed outside that enterprise toolset, not from the platform itself.
In Summary, Here Is What You Can Do to Best Protect Yourself
Two things. First, turn on the cookie consent banner we have available in the platform. You can log in and do it yourself in a few minutes, or you can give written permission to your Client Services team member and we will turn it on for you. Worth knowing before you do: turning the banner on does come with a tradeoff. Because it holds back certain tracking until a visitor consents, it will limit some of your ability to track visitors and source and attribute leads, which can soften your marketing visibility. That is a real cost, so it is worth weighing rather than a decision to make on autopilot. Second, use our tools. The platform already does just about everything you need, so there is no reason to install third-party tools on your site.
If a Letter Shows Up
Do not panic, and do not respond to the sender directly. Turn the letter over to your own attorney, who is the right person to handle it, and let us know. We will support your counsel with the facts about your platform and your site, and if you would like your consent banner enabled, just ask.
You built your business on this platform because it is engineered to protect you while it grows your pipeline. This is one more example of that working exactly as intended.
A note: we are not attorneys and this is not legal advice. The points above are general information about a developing area of law. Any specific letter should be handled by your own counsel.
Subscribe to Predictive Sales AI, LLC's Blog
Comments