The letter shows up from a law firm you've never heard of. It says your website is collecting personal information without consent. It mentions the California Consumer Privacy Act, maybe the California Invasion of Privacy Act. It lists specific tracking technologies. It demands you pay to make it go away.
You didn't install a tracker. You don't collect data. You run a small business and your web person set up the site two years ago. You have no idea what's actually running on it.
That's exactly the situation these demand letters are designed for. They count on you not knowing and paying rather than finding out.
Here's how to find out.
What the claims usually look like
Most of these letters follow the same pattern. They argue that third-party scripts on your website constitute unauthorized data collection under California law. The scripts they're talking about aren't ones you wrote. They're things that came with your site: Google Analytics, a chat widget, embedded fonts from Google, a Facebook pixel your marketing person added two years ago, a cookie consent banner that ironically sets its own cookies.
The legal theory is that these scripts collect visitor data (IP addresses, browsing behavior, device fingerprints) and transmit it to third parties without the visitor's informed consent. Under CCPA and CIPA, that can be framed as a privacy violation.
The good news: most of these claims fall apart once someone actually reviews what's on the site versus what's being alleged. The bad news: if you can't articulate what's on your site, you can't push back on what's claimed.
So let's figure out what's there.
Step 1: Identify every third-party script on your site
Before anything else, you need a complete list of what's loading when someone visits your site. Not what you think is there. What's actually there.
Run the Third-Party Data Leakage Audit on your homepage. It scans for 22 known trackers and classifies each one by PII risk level:
- Tier 1 (highest risk): Session replay and DOM capture tools like FullStory, Hotjar, and Microsoft Clarity. These record everything a visitor does on your page.
- Tier 2: Identity-graph ad trackers like Facebook Pixel, TikTok Pixel, and Google Ads remarketing. These tie your visitor's session to an advertising profile.
- Tier 3: Analytics and behavior tracking like Google Analytics 4, Mixpanel, and Amplitude.
- Tier 4 (lowest risk): CDN and utility scripts like Google Fonts, jQuery from a CDN, or reCAPTCHA.
Write down what shows up. This is your inventory. If the demand letter claims you're running a specific tracker and it's not actually on your site, that's your first line of defense.
Then run the Third-Party Script Cost Audit on the same page. This one lists every external script by domain and shows you the transfer size and performance impact. It catches things the leakage audit might not have names for because it works at the network level rather than matching known tracker signatures.
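To make the difference between those two approaches concrete, here is an added example (my own illustration, not code from either audit tool) that inventories the third-party resources in an HTML snapshot two ways: by matching hostnames against a signature table built from the tiers above, and by a plain per-host listing that also surfaces hosts no signature recognises. The hostnames in the table, the sample page, and the `G-PLACEHOLDER` id are all constructed or assumed; confirm real hostnames against your own browser network log.

```javascript
// Added example (not the audit tools' own code): inventory the third-party
// resources an HTML page loads, two ways. First, signature matching: known
// tracker hostnames mapped to the risk tiers described in the post (the
// hostnames are illustrative assumptions; confirm them against a network log).
// Second, a plain per-host inventory that also lists hosts no signature knows.

const TRACKER_SIGNATURES = [
  { host: "fullstory.com",        name: "FullStory",                tier: 1 },
  { host: "hotjar.com",           name: "Hotjar",                   tier: 1 },
  { host: "clarity.ms",           name: "Microsoft Clarity",        tier: 1 },
  { host: "facebook.net",         name: "Facebook Pixel",           tier: 2 },
  { host: "facebook.com",         name: "Facebook Pixel",           tier: 2 },
  { host: "tiktok.com",           name: "TikTok Pixel",             tier: 2 },
  { host: "doubleclick.net",      name: "Google Ads remarketing",   tier: 2 },
  { host: "googletagmanager.com", name: "Google Tag Manager / GA4", tier: 3 },
  { host: "google-analytics.com", name: "Google Analytics",         tier: 3 },
  { host: "mxpnl.com",            name: "Mixpanel",                 tier: 3 },
  { host: "amplitude.com",        name: "Amplitude",                tier: 3 },
  { host: "fonts.googleapis.com", name: "Google Fonts",             tier: 4 },
  { host: "fonts.gstatic.com",    name: "Google Fonts",             tier: 4 },
  { host: "cdnjs.cloudflare.com", name: "cdnjs (jQuery etc.)",      tier: 4 },
];

// Match a hostname against the signature table (exact or subdomain match).
function classifyHost(host) {
  return TRACKER_SIGNATURES.find(
    (s) => host === s.host || host.endsWith("." + s.host)
  ) || null;
}

// Pull every src/href from script, link, iframe and img tags. A regex is
// enough for a static snapshot; a real audit reads the network log instead,
// which also catches resources injected later by other scripts.
function extractResources(html, siteHost) {
  const re = /<(script|link|iframe|img)\b[^>]*?\s(?:src|href)=["']([^"']+)["']/gi;
  const out = [];
  for (const m of html.matchAll(re)) {
    let url;
    try { url = new URL(m[2], "https://" + siteHost); } catch { continue; }
    if (url.hostname === siteHost) continue; // first-party, not in scope
    out.push({ tag: m[1].toLowerCase(), host: url.hostname, url: url.href });
  }
  return out;
}

function inventory(html, siteHost) {
  const known = [], unknownHosts = new Set(), byTier = { 1: 0, 2: 0, 3: 0, 4: 0 };
  for (const r of extractResources(html, siteHost)) {
    const sig = classifyHost(r.host);
    if (sig) { known.push({ ...r, name: sig.name, tier: sig.tier }); byTier[sig.tier]++; }
    else unknownHosts.add(r.host);
  }
  return { known, unknownHosts: [...unknownHosts], byTier };
}

// Constructed sample page (IDs are placeholders, not real measurement IDs).
const SAMPLE_HTML = `<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/assets/site.js"></script>
<script src="https://static.hotjar.com/c/hotjar-000000.js?sv=6"></script>
<script src="https://cdn.example-chatwidget.com/loader.js"></script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=000&ev=PageView">
</body></html>`;

function runSampleInventory() {
  return inventory(SAMPLE_HTML, "www.example.com");
}

if (typeof require !== "undefined" && require.main === module) {
  const r = runSampleInventory();
  for (const k of r.known) console.log(`tier ${k.tier}  ${k.name.padEnd(26)} ${k.host}`);
  console.log("unrecognised third-party hosts:", r.unknownHosts);
}
```

On the sample page the signature pass finds one tracker in each tier, while the chat widget host appears only in the unknown list. That unknown list is exactly what the cost audit gives you that the leakage audit cannot: a host you still have to account for even though no signature names it.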
Step 2: Check what fires before consent
This is where most legitimate complaints have teeth. If your site loads tracking scripts before a visitor has a chance to accept or reject cookies, that's a real problem under both CCPA and GDPR.
Run the Cookie + Storage Drift Audit on your site. It checks for:
- document.cookie writes that happen on initial page load (before any consent interaction)
- localStorage writes in the initial HTML
- Scripts that fire and set tracking data before your consent banner even renders
If this audit finds pre-consent cookies or storage writes from third-party domains, those are the findings you need to fix first. They're the strongest basis for any tracking complaint.
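If you want to see for yourself which script is writing before the banner, the same check can be done from inside the page. The following is an added example (not the audit's own code) that wraps `document.cookie` and `localStorage.setItem` so every write is recorded with the consent state at that moment. In a browser it would go in as the first inline script in `<head>`; here `doc` and `storage` are constructed stand-ins so it runs in Node, and the cookie names and values in the simulated page load are made up.

```javascript
// Added example, not the audit tool's own code: record every document.cookie
// and localStorage.setItem write together with the consent state at that
// moment. Dropped into a page as the first inline <script> in <head>, this
// shows which scripts write before the banner renders. `doc` and `storage`
// are passed in so the same code runs in Node against constructed stand-ins.

function installPreConsentMonitor(doc, storage, consent) {
  const writes = [];
  // In a browser, also store `new Error().stack` here: the stack names the
  // script URL that performed the write, which is what you need to fix it.
  const record = (kind, key) =>
    writes.push({ kind, key, preConsent: !consent.granted });

  // document.cookie is an accessor inherited from the prototype chain
  // (Document.prototype in a browser). Find it and shadow it on the instance.
  let proto = Object.getPrototypeOf(doc), desc = null;
  while (proto && !(desc = Object.getOwnPropertyDescriptor(proto, "cookie"))) {
    proto = Object.getPrototypeOf(proto);
  }
  if (!desc || !desc.set) throw new Error("no cookie accessor to wrap");
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() { return desc.get.call(doc); },
    set(value) {
      record("cookie", String(value).split("=")[0].trim());
      desc.set.call(doc, value);
    },
  });

  // Same idea for localStorage, wrapping the method instead of a property.
  const originalSetItem = storage.setItem.bind(storage);
  storage.setItem = (key, value) => {
    record("localStorage", key);
    return originalSetItem(key, value);
  };

  return { writes, preConsentWrites: () => writes.filter((w) => w.preConsent) };
}

// Constructed stand-in for a browser document: a cookie jar behind an
// accessor on the prototype, mirroring how Document.prototype.cookie works.
function makeFakeDocument() {
  const jar = new Map();
  const proto = {};
  Object.defineProperty(proto, "cookie", {
    configurable: true,
    get() { return [...jar].map(([k, v]) => `${k}=${v}`).join("; "); },
    set(str) {
      const [pair] = String(str).split(";"); // ignore path/max-age attributes
      const i = pair.indexOf("=");
      const k = i < 0 ? pair : pair.slice(0, i);
      const v = i < 0 ? "" : pair.slice(i + 1);
      jar.set(k.trim(), v.trim());
    },
  });
  return Object.create(proto);
}

// Constructed stand-in for window.localStorage.
function makeFakeStorage() {
  const store = new Map();
  return {
    setItem(k, v) { store.set(k, String(v)); },
    getItem(k) { return store.has(k) ? store.get(k) : null; },
  };
}

// Simulate a page load: two tags write before the banner, one after.
// All names and values below are constructed for the example.
function simulatePageLoad() {
  const doc = makeFakeDocument(), storage = makeFakeStorage();
  const consent = { granted: false };
  const monitor = installPreConsentMonitor(doc, storage, consent);

  // Third-party tags firing on initial load, before any consent interaction.
  doc.cookie = "_ga=GA1.1.000000000.0000000000; path=/; max-age=63072000";
  doc.cookie = "_fbp=fb.1.0000000000000.000000000; path=/";
  storage.setItem("analytics_device_id", "placeholder-device-id");

  // Visitor clicks Accept; the banner records its own choice afterwards.
  consent.granted = true;
  doc.cookie = "cookie_consent=accepted; path=/; max-age=31536000";

  return { monitor, cookies: doc.cookie };
}
```

Anything `preConsentWrites()` returns is a finding of the kind the drift audit flags: a write that happened while `consent.granted` was still false. The write made after the visitor accepted is recorded too, but is not a finding.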
Step 3: Audit your consent management
If you have a cookie consent banner, you need to know whether it actually does what it claims to do. A banner that says "we respect your privacy" but doesn't block any scripts until you click Accept is worse than having no banner at all. It creates the appearance of consent while not actually obtaining it.
Run the CMP Compliance Audit. It checks for:
- Whether a recognized consent management platform is installed (Cookiebot, OneTrust, CookieYes, Osano, Termly, iubenda, Didomi, TrustArc)
- IAB TCF v2.2 compliance
- Whether a CCPA-specific "Do Not Sell My Personal Information" opt-out link exists
- Whether your site respects the Global Privacy Control (GPC) browser signal
If you're a California business or serve California visitors, the CCPA opt-out link isn't optional. It needs to be on your site. The GPC signal is also legally significant in California since the Attorney General's office has stated that businesses must honor it.
Step 4: Check your analytics configuration
Google Analytics is on almost every small business website. The question isn't whether you have it. The question is whether it's configured to minimize data collection.
Run the GA4 / GTM Configuration Audit. It checks:
- Whether Consent Mode v2 is wired up (this tells GA4 to wait for consent before setting cookies)
- IP anonymization settings
- Whether you have duplicate measurement IDs (a common mistake that doubles your data collection footprint)
- GTM preview-auth token leaks (a debug token that shouldn't be in production)
If your GA4 is firing without Consent Mode v2, it's setting cookies on every visitor regardless of their consent status. That's fixable in about 15 minutes with a GTM update, and it removes one of the most common claims in these demand letters.
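Here is what that wiring looks like in code, covering both the GPC point from Step 3 and the Consent Mode v2 point from this step. It is an added example written for this post, not code from the audit tool or from Google; it uses the real `gtag('consent', 'default' | 'update', ...)` command names, but the decision to map a GPC signal onto the three `ad_*` consent types is this example's own policy choice, and the `dataLayer` and navigator object are constructed so it runs in Node.

```javascript
// Added example, not code from the audit tool or from Google: a consent
// bootstrap in the shape of the gtag Consent Mode v2 API. It sets every
// consent type to denied before any tag loads, treats the Global Privacy
// Control signal (navigator.globalPrivacyControl) as an opt-out of
// sale/sharing, and only then applies what the banner collected. The GPC ->
// ad_* mapping is this example's assumption. `dataLayer` and `nav` are passed
// in so the code runs in Node against constructed inputs.

const CONSENT_TYPES = ["ad_storage", "ad_user_data", "ad_personalization", "analytics_storage"];
const AD_TYPES = ["ad_storage", "ad_user_data", "ad_personalization"];

// Same shape as the standard snippet: function gtag(){dataLayer.push(arguments);}
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(Array.from(arguments)); };
}

// Step 1 of the bootstrap: deny everything before the GA4/GTM loader runs.
// This is the part that makes GA4 wait instead of setting cookies on load.
function setConsentDefaults(gtag) {
  gtag("consent", "default", {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
    wait_for_update: 500, // ms: hold tags while the CMP restores a stored choice
  });
}

// Translate the banner's choice plus the GPC signal into consent types.
// choice: { analytics: boolean, marketing: boolean }
function consentFromChoice(choice, nav) {
  const gpc = Boolean(nav && nav.globalPrivacyControl === true);
  const update = { analytics_storage: choice.analytics ? "granted" : "denied" };
  for (const type of AD_TYPES) {
    // GPC is an opt-out of sale/sharing: ad_* stays denied even on "Accept all".
    update[type] = choice.marketing && !gpc ? "granted" : "denied";
  }
  return update;
}

// Step 2 of the bootstrap: push the visitor's choice as a consent update.
function applyConsent(gtag, choice, nav) {
  const update = consentFromChoice(choice, nav);
  gtag("consent", "update", update);
  return update;
}

// Replay the dataLayer the way an auditor would, to see the resulting state.
function effectiveConsent(dataLayer) {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] !== "consent" || typeof entry[2] !== "object") continue;
    for (const type of CONSENT_TYPES) {
      if (type in entry[2]) state[type] = entry[2][type];
    }
  }
  return state;
}

// Worked run: a visitor whose browser sends GPC clicks "Accept all".
function demoAcceptAllWithGpc() {
  const dataLayer = [];
  const gtag = makeGtag(dataLayer);
  setConsentDefaults(gtag);                       // must run before any tag loads
  const nav = { globalPrivacyControl: true };     // constructed navigator
  applyConsent(gtag, { analytics: true, marketing: true }, nav);
  return effectiveConsent(dataLayer);
}
```

The order matters: the `default` call has to be pushed before the GA4 or GTM loader script, otherwise the tags initialise with no consent state and set cookies immediately, which is the pre-consent write from Step 2. In the worked run, analytics ends up granted because the visitor accepted, while the ad types stay denied because the GPC signal overrides the click.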
Step 5: Verify your legal pages exist and say the right things
Run the Legal Pages Audit. It checks for:
- Privacy Policy (and whether it mentions CCPA rights specifically)
- Cookie Policy
- Terms of Service
- Whether governing law and jurisdiction are specified
- Whether GDPR/CCPA data subject rights sections exist
A missing privacy policy is a freebie for any plaintiff's attorney. Having one that mentions CCPA by name and describes what data you collect, why, and how users can opt out gives you a documented position to point to.
What to do with the results
After running all five audits, you'll have a clear picture of what's actually on your site. From here:
If the demand letter claims trackers that aren't on your site: You now have documentation showing they're wrong. Share the audit results with your attorney. Most of these claims are filed in bulk using automated scanning tools. They get things wrong regularly.
If you do have pre-consent trackers firing: Fix them. Either configure your CMP to block scripts until consent is given, remove the trackers you don't actually need, or switch to privacy-friendly alternatives (Plausible or Fathom instead of GA4, for example). Then re-run the audits to confirm the fix.
If you don't have a CMP at all: Install one. Cookiebot and CookieYes both have free tiers for small sites. The CMP needs to actually block scripts until consent is given, not just show a banner.
If your privacy policy is missing or thin: Update it with CCPA-specific language. Include what data you collect, what third parties receive it, and how California residents can opt out. If you're using a template, make sure it actually reflects what's on your site. A privacy policy that says "we don't use cookies" while your site sets 14 of them is worse than no policy.
The bigger picture
These demand letters aren't going away. California's privacy enforcement is expanding, not contracting. Other states (Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware) now have their own consumer privacy laws with varying requirements.
But the core question is always the same: what's actually running on your site, and did visitors consent to it? If you can answer that clearly and show that you've taken reasonable steps to get consent right, most of these claims lose their leverage.
The five audits above take about ten minutes total. That's ten minutes to know exactly where you stand instead of guessing.
Related tools
- Third-Party Data Leakage Audit - Identify all trackers and their PII risk tier
- Third-Party Script Cost Audit - Full inventory of external scripts by domain
- Cookie + Storage Drift Audit - Pre-consent cookie and storage violations
- CMP Compliance Audit - Consent management platform checks
- GA4 / GTM Configuration Audit - Analytics consent mode and configuration
- Legal Pages Audit - Privacy policy, cookie policy, CCPA language
- Mega Analyzer - Runs all of the above in a single scan
This post is informational, not legal advice. If you've received a demand letter, consult an attorney licensed in your jurisdiction. Privacy laws vary by state and change frequently. The audits described here help you understand what's on your site so you can have an informed conversation with your legal counsel. Mentions of specific platforms and tools are nominative fair use. No affiliation is implied.
Fact-check notes and sources
- CCPA (California Consumer Privacy Act) requires businesses to disclose data collection practices and provide opt-out mechanisms. Amended by CPRA effective January 1, 2023. California Attorney General CCPA page.
- California Attorney General's office confirmed businesses must honor the Global Privacy Control (GPC) signal as a valid opt-out request under CCPA. AG enforcement advisory, January 2024.
- CIPA (California Invasion of Privacy Act) is the basis for wiretapping-theory tracking claims. Plaintiffs argue third-party scripts constitute unauthorized interception of communications.
- States with comprehensive consumer privacy laws as of 2026: California, Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, and others. IAPP US State Privacy Legislation Tracker.
- IAB TCF v2.2 (Transparency and Consent Framework) is the industry standard for programmatic consent management. IAB TCF documentation.