This week I was shocked to experience every business owner’s nightmare: a lawyer’s Compliance Remediation Demand letter that alleged I was in violation of a law regarding an “estimated statutory exposure” which could make me liable for potential damages of $15,000 (or more).
I had received a first notice earlier but ignored it, presuming it was just spam. But this one declared “This is your second and final warning,” so I first went to Google and put in the name of the law firm and “spam” and holy smokes, it is actually a real law firm that specializes in threatening businesses about ADA compliance and website privacy tracking violations.
So, then I went to AI for advice from my cyber Guardian Angel, Super GROK. Oh dear. Oh dear. They are a listed law firm, and they specialize in ADA and violations related to website tracking pixels, cookies, and Google Analytics. It is a grift, going after small businesses to frighten them into paying to end the threat.
And what if I continue to ignore it?
GROK says they often follow through with a lawsuit in California Superior Court. So, if you do go to court, even if you win or it is dismissed, you’re on the hook for defense costs, and service of process. If you “lose” they can hit you with multiple statutory damages, as they claim CIPA violations at $5,000 each plus attorney fees, costs, and injunctive relief. It is a process; some cases settle or fizzle after remediation, others pay the demanded amount to remove the threat of worse. Like a plea-bargain, which is how so many court cases are resolved.
Well, that took my breath away. Ignoring it is not an option, and there is a California law firm that advertises that they specialize in responding to this firm. The last thing I want to do is get involved in anything legal. It might escalate and now is not the time to hit my business with a fine of any amount. So, GROK gently suggested the compliant approach: remediation and polite outreach to state I have fixed any issues and I’m a one-person small business so please accept my voluntary remediation and acknowledge my good-faith efforts.
I was in fact ignorant that all websites must sport a banner that lets you opt out of cookies and tracking. I have seen that, of course, and clicked “deny all” and never thought twice about it.
California “Invasion of Privacy Act” Pending
California bill SB690 specifically limiting this sort of predatory privacy lawsuits passed out of the Assembly’s Committee on Privacy and Consumer Protection on 7/1/26 with a vote of 14-0. The statistics quoted say that in the past four years 3,700 CIPA (California Invasion of Privacy Act) shakedowns have been filed in California, with tens of thousands more estimated demand letters sent. At the last minute it was amended, and critics say it is the poster child for abusive lawsuits but now does not go far enough. “This closes one avenue for abusive legislation, however additional major pathways for frivolous lawsuits remain intact, leaving businesses across every industry vulnerable to predatory litigation.” SB690 aims to curb these exact CIPA/website tracking suits, yet we await it becoming law.
A version of SB690 passed the state senate last year, so our state representatives are well aware of the problem. Yet this law firm persists, and in response, there is a law firm known for specializing in responding to the threats.
All of us have heard the Urban Legend of the bitter guy in a wheelchair who rolls into the small family restaurant and extorts a free meal by saying if they don’t feed him, he will file an ADA complaint against them. I used to know an LA restaurant inspector and he told me he saw little Mexican restaurants that had pitiful signs in their windows saying “Please Señor Wheelchair don’t give us trouble.”
Because of knowing that guy really exists and is a danger to any business, I even wrote a stipulation into my business lease about being required to make changes to make the unit more ADA compliant. But it never occurred to me, until this week, that a firm specializing in threatening website owners might come after me.
So now I know this is just part of a large wave of CIPA-based demand letters and lawsuits. Critics call it “privacy trolling” and while it feels like a shakedown it is a technically legal activity, not illegal extortion. They send thousands of intimidating letters hoping for quick settlements, playing the percentages. The applicable privacy laws are often so old and broad – pre-dating the internet in some cases – that courts are still sorting out how far these claims can go. For there to be enough of them that a specific California litigation attorney can make a living actively defending businesses targeted by this specific company is a tragedy and a distortion of justice.
I contemplated whether writing about it for SB Current would be a jinx, but two days have gone by since I made the changes in my websites and sent my response letter back to them. I can only hope that I never do hear any more from them, that my tiny one-person tattoo studio is not a target they can expect to extort enough from to be worth the bother. Meanwhile, I couldn’t stop thinking about it, so I decided to do the journalistic catharsis of documenting the experience.
Paid Advertisement:
Community Calendar:
Got a Santa Barbara event for our community calendar? Fenkner@sbcurrent.com






