You need to know this is happening. Over the past few weeks, several local Alaska businesses have received formal, aggressive legal demand letters with prepared lawsuits attached. At first glance, these notices look like a typical phishing email or internet scam. They are not. They are part of a growing, predatory practice—and your website could easily be a target.
A handful of opportunistic filers are using automated software to crawl the web for ordinary business sites that run standard marketing and tracking tools. When they find a site that collects visitor data without an explicit user-consent step, they mail the business owner a demand letter accompanied by a ready-to-file complaint.
This is not just an Alaska problem; it is a nationwide trend that has quickly become one of the largest litigation volumes in the country. By recent legal counts, more than 4,700 of these website wiretap lawsuits have been filed over the last two years, on top of tens of thousands of out-of-court demand letters.
The practice keeps spreading because there is almost no downside for the filer. A letter costs next to nothing to send, and it usually ends one of two ways: the business pays a quick settlement to make it go away, or the filer pushes for a court judgment. Either outcome pays, so the letters keep coming. It does not matter what state you are operating in. Plenty of states have their own versions of these old wiretapping laws, and there is a federal statute on top of them, meaning a filer can target a business almost anywhere in the country.
The Alaska businesses that received these letters were not individually singled out. They were simply caught in a massive, automated nationwide sweep. Here is how the practice works, what the filers are actually claiming, and how to keep your website off their list.
The Anatomy of the Demand
These notices aren’t mailed at random. They are generated after automated bots crawl the web looking for common tracking codes like Google Analytics, Meta (Facebook) Pixels, or Google Ads tags.
Here is a representative excerpt from a complaint recently sent to an Alaska business, with identifying details removed:
“This action is about unlawful internet surveillance. Defendant operates and profits from a public-facing website… When California visitors open the Website, Defendant causes third-party tracking code to execute in the visitor’s browser and transmit … the visitor’s internet protocol (‘IP’) address and related device/browser identifiers … to third parties for marketing, analytics, attribution, and profiling.”
The complaint usually includes a developer screenshot with technical logs and timestamps showing data being sent to third-party servers the exact millisecond the page loads. The filer then alleges a violation of California’s Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 638.51(a), claiming the business installed and used an illegal “pen register” on its website without prior consent.
Almost no business owner has any idea what a “pen register” is, and that confusion is part of the intimidation strategy. It is an old piece of surveillance jargon for a physical device that secretly records the routing and dialing information of a communication—the kind of tool law enforcement once clipped onto a physical phone line. Stripped of the complex legalese, the claim amounts to this: they are accusing your everyday website analytics code of being a hidden, criminal wiretap, secretly spying on visitors without their permission.
Is It a Scam, or Is It Real?
At first glance, the natural reaction is, “I run a local shop in Alaska. How could I possibly be wiretapping anyone, let alone someone sitting in another state? Of course this doesn’t apply to me.”
To confirm what these filings are actually arguing: they are not suing under modern consumer-privacy laws like Europe’s GDPR or the California Consumer Privacy Act (CCPA). Instead, they reach back to that outdated 1967 wiretapping law (CIPA), written when the primary concern was physical telephone eavesdropping.
The argument they make is that an analytics script behaves like a wiretap because it captures a visitor’s IP address and routing data the moment a page loads. CIPA carries statutory damages of $5,000 per violation, and filers argue that “per violation” means per visitor. Here is the catch that makes it dangerous: under this specific framework, they do not have to prove your website caused them any actual financial or personal harm. The dollar figure is written directly into the statute.
Are these legal theories actually valid? The courts cannot agree, and that judicial confusion is the whole engine fueling these letters.
- Courts rejecting the claims: Several judges have aggressively thrown these cases out, ruling that a surveillance law written for rotary telephones cannot be stretched to cover ordinary website code. In Rodriguez v. Ink America (December 2025) and Blaker v. NetScout Systems (May 2026), California superior courts dismissed the pen register theory outright, denying the plaintiffs any leave to refile. Furthermore, the Massachusetts Supreme Judicial Court held in Vita v. New England Baptist Hospital that standard tools like Meta Pixels and Google Analytics are absolutely not wiretaps.
- Courts allowing the claims: Conversely, other judges have let these claims move forward. A federal ruling in Greenley v. Kochava (July 2023) first opened the floodgates by suggesting that an embedded data tracking tool could qualify as a pen register. More recently, federal court rulings in 2026 (including the Crypto.com and CNN litigation) concluded that the broad phrasing of the old pen register provisions could technically apply to internet tracking software.
Because the litigation environment is genuinely unsettled, it is not a guaranteed win for either side. That is exactly why the demand letters work. The trap is financial, not legal. To get even a completely junk case dismissed in an out-of-state court, a business owner has to hire an attorney to file formal motions, which quickly runs into thousands of dollars. The filers are betting you will look at that legal bill and choose to pay their smaller settlement demand, usually a few hundred dollars, just to buy your peace of mind.
The Jurisdictional Loophole
The reason this matters to a business in Fairbanks or Homer is that filers have figured out how to reach past state borders.
1. The Filer Is the Visitor
You might wonder how a California law can reach an Alaskan business with no operations or customers on the West Coast. The loophole is that the claimant doesn’t need to be your customer—they simply have to visit your website. By clicking your link from their browser, they claim their personal data was intercepted by your tracking scripts without permission, arguing that the violation occurred right there on their device.
2. The Federal Hook
These complaints increasingly supplement state claims with the federal Electronic Communications Privacy Act (ECPA)—the federal wiretap statute. Because it is a federal law, it can be filed in courts anywhere in the country, and its statutory penalties run even higher, up to $10,000 per violation. Layering a federal claim on top of a state one is how an out-of-state filer puts intense pressure on a business with zero geographic ties to their home state.
3. Copycat States
Plaintiffs’ lawyers outside California have seen how lucrative this model is and have started running the exact same play. Florida now trails only California in the volume of these website suits, utilizing the Florida Security of Communications Act. Pennsylvania (under its own Wiretap Act) and Illinois are seeing a parallel rise in activity. These tend to be “all-party consent” states, where the legal theory states that if a script tracks data silently, one party to the communication never agreed to the recording.
The window for this behavior is open for now as filers race to send out letters before legislatures permanently patch the loophole. California’s own legislature tried to pass Senate Bill 690 to explicitly carve routine commercial website analytics out of the wiretapping act; it passed the state Senate unanimously but stalled in committee, meaning a legislative fix is delayed.
Interestingly, Alaska is actually ahead of the curve. Our state, along with Tennessee and New Hampshire, has already amended its internal wiretapping laws to specifically exclude website cookies and tracking pixels. No one can use an Alaska statute to bring one of these claims against you. The catch is that these predatory demand letters rely entirely on the filer’s home state laws or federal statutes, over which Alaska’s legislature has no authority.
One Industry That Must Pay Attention: Alaska Tourism
Separate from this specific lawsuit trend, tourism and hospitality businesses have separate, strict compliance reasons to get their website tracking sorted out.
If you run a lodge, a tour company, a fishing charter, or any business marketing to an international audience, you frequently handle web traffic from international travelers. The second a traveler from the European Union browses your site to research an excursion, your digital presence falls under Europe’s strict General Data Protection Regulation (GDPR). For businesses operating in a global market, transparent user data control isn’t just about avoiding a junk lawsuit—it is a baseline operational requirement.
What to Do If You Receive a Notice
If you receive or have already received one of these demand letters, try not to panic. We are web development experts and not attorneys, so this should be treated as general educational information, but here are the three avenues businesses typically navigate:
- Push Back: Have an attorney send a firm, formal response letter pointing out their total lack of realistic jurisdiction. Because these filers are scanning for completely unprotected, easy targets, a display of organized legal resistance often prompts them to drop the matter and move on.
- Settle: Offer a minor, token settlement payment strictly conditional on a global, permanent written release of all claims, closing the issue permanently and cheaply.
- Ignore It: Some business owners choose to gamble and ignore the letter entirely, betting that the predator is bluffing and won’t actually spend the out-of-pocket court filing fees to pursue a business thousands of miles away. This carries the highest risk, as a portion of these draft complaints do eventually get formally filed in court.
Why Don’t Most Websites Have Consent Banners Already?
It is a perfectly fair question: If this is so important, why wasn’t my website built with this framework from the very beginning?
The honest answer is that standard, everyday websites historically never needed aggressive cookie consent banners or multi-page legal privacy policies. They simply weren’t required, and the vast majority of websites across the globe still run smoothly without them.
However, the legal landscape surrounding internet data has transformed rapidly. Evolving state statutes and global frameworks have shifted data transparency from an optional, technical “nice-to-have” feature into a standard industry expectation. Giving your visitors clear transparency and baseline control over how their data is handled is simply a normal part of running a professional business website.
There is a technical wrinkle worth knowing, too. Some websites do feature a basic consent banner, often installed to satisfy a standard notice framework like California’s CCPA. However, many of those standard banners are configured to allow analytics and tracking pixels to fire automatically the moment the page loads, merely offering a link for the user to “opt-out” afterward.
While that satisfies basic consumer notice rules, it leaves you completely exposed to the wiretapping loophole, because the “pen register” claim is triggered by that very first automated data packet sent before the visitor ever had a chance to click a button. The only setup that completely closes the door is a framework that halts all tracking code until an explicit choice is made.
What Your Website Actually Needs to Stay Compliant
Two distinct pieces handle the vast majority of your digital compliance risk:
1. A True Prior-Consent Banner
You are likely familiar with standard “Accept” or “Decline” cookie pop-ups. A truly compliant framework is not just a cosmetic notice on the screen. It is an active script gatekeeper that completely blocks tracking codes, Facebook pixels, and analytics platforms from sending a single bit of data back to third-party servers until the visitor explicitly clicks a button to accept them. That structural detail is what takes your site completely off the automated scanning lists.
2. A Dedicated Privacy Policy Page
Your website must feature a clear, up-to-date Privacy Policy page conspicuously linked in your footer. This page explicitly discloses what data your site gathers (such as cookies or IP addresses), why you collect it, and exactly who it is shared with (like Google or your hosting provider). Having this policy posted is also a strict contractual requirement mandated by Google’s own standard Terms of Service.
Moving Forward Responsibly
At Web 907, we maintain a strict standard of professionalism, and we believe in proactively taking care of our clients’ long-term business health. Because clear data transparency and user control is simply the right way to operate and is the expected professional standard for a modern business, we are continuously upping our level of service.
Moving forward, our new baseline technical architecture ensures that comprehensive user consent platforms and legal privacy documentation are natively built into every single new website we design and launch. We believe this should be the default configuration for doing business on the web.
For our existing portfolio of long-term clients, we are actively recommending a quick compliance update to retroactively fortify older websites up to this same modern standard.
It is undoubtedly a frustrating reality that predatory individuals spend their time exploiting decades-old legal loopholes to pressure hardworking local businesses. However, the most durable response to that pressure is absolute, professional compliance. Our guiding policy has always been that it is significantly better to build things right the first time, protecting our business community proactively, rather than having to scramble and deal with the frustrating consequences of a legal headache down the road.