Privacy Law, 6 min read

I Received a Demand Letter About Privacy Violations — What Now?

FAQ-style guide explaining what happens after receiving a demand letter for website tracking violations, your legal options, and how to respond.

A demand letter for tracking violations is a shock. Here's what it means, whether it's real, and what your actual options are.

Is This Legitimate?

Yes. These demand letters are real. Law firms pursue them, state attorneys general file them, private attorneys bundle them into class actions. The FTC brought actions against Amazon, Microsoft, and Vonage for privacy violations in 2022-2023. This is happening.

How to check if your demand is real:

The sender should be a law firm, a state attorney general's office, or a private attorney. Search the law firm online. Most have websites, case histories, court records. Do they appear to exist?

The letter should specify which trackers were found. "Facebook Pixel was loaded at facebook.com/tr without consent on pages X, Y, Z." Vague letters are less credible.

The letter should cite specific laws: CCPA, GDPR, FTC Act Section 5, state privacy statutes. It should name a time period. "November 2023 through April 2026" not just "unauthorized tracking."

If you're unsure, a quick call to a privacy attorney costs $300-500 and confirms legitimacy. Worth the peace of mind.

What Are My Options?

Three paths exist after a demand letter.

Path 1: Settle. The plaintiff proposes a number. Typically $5,000 to $100,000 depending on site traffic and how long violations ran. You pay it. You agree to remove trackers and update your privacy policy. Done in 4-8 weeks.

Pros: certainty, speed, ends the dispute, total cost is lower than litigation. Cons: you pay money, settlement may be public, it may feel like admitting fault even though it isn't.

Path 2: Negotiate. You respond with a counter-offer. Maybe the plaintiff claimed 100,000 monthly visitors and your analytics show 50,000. Maybe you already remediated and they haven't accounted for that. Maybe a third-party vendor deployed the tracker, not your company.

Common negotiation moves: challenge the visitor count, show that remediation is underway, dispute who deployed the tracker, offer third-party audit proof of compliance.

Pros: might reduce the number, shows good faith, you're in control. Cons: no guarantee they'll negotiate, timeline stretches to 3-6 months, negotiating alone is risky.

Timeline: 4-12 weeks. Settlement reduced by 20-40% if successful.

Path 3: Defend the Claim. You tell them no and that you'll fight in court. The plaintiff sues you. Discovery happens. Documents are exchanged. Depositions. Maybe expert reports. Possibly trial.

Pros: you maintain legal control, weak claims might get dismissed, settlement sometimes improves during litigation once both sides understand real costs. Cons: expensive. $50,000-$150,000 in legal fees just through the discovery phase. Long. 2-4 years typical. You pay your own fees even if you win. Risky. Judgment could exceed the demand.

Cost breakdown: pleadings and motions $10,000-$20,000. Discovery $25,000-$75,000. Expert reports $15,000-$40,000. Trial $25,000-$100,000+. Total: $75,000-$250,000+.

This path makes sense only if the demand is huge ($150,000+) and your defense is genuinely strong (they sued the wrong company, no jurisdiction, something concrete). It doesn't make sense if the demand is reasonable and violations are obvious.

What Happens If I Ignore It?

Don't. Ignoring a demand escalates everything.

Week 1-2: They send a follow-up letter.

Week 3-4: They file a lawsuit in federal or state court. You get served.

Week 5-6: Case is assigned a number. It's public record now. You have 21-30 days to respond or they get a default judgment against you automatically.

Week 7-8: If you still don't respond, judgment enters. Amount may exceed the original demand. It's enforceable by garnishment or asset seizure.

Ignoring is the worst path. It costs the most and helps you the least.

Can I Just Fix It and Make This Go Away?

No. Removing trackers stops future violations, not past ones. The demand covers a period, say January 2023 to December 2025, of violations that already happened. Removing trackers in April 2026 proves you're taking it seriously, but the three-year period of violations still exists.

What remediation does do: it shows good faith, reduces your legal exposure slightly, can be used to negotiate the settlement down.

So remediate. And settle. Don't use remediation as an excuse to delay or ignore the letter.

Should I Contact My Insurance Company?

Yes, today. Check your general liability and cyber liability policies. Look for privacy liability or network security liability clauses. Call your broker. Tell them what happened. Provide a copy of the demand.

Insurance might cover legal defense costs, settlement payments, damages. But not all policies do. Some exclude regulatory violations or contractual liability. Cyber policies often have low limits. And your insurer picks the attorney, not you.

The insurance company has 10-20 days to confirm or deny coverage. Your deductible applies ($2,500-$10,000 typical).

Even with insurance coverage, hire your own attorney. Insurance counsel protects the insurer's interests. An independent attorney protects yours.

Should I Hire an Attorney?

Depends on the size of the demand and your comfort level.

Hire an attorney if: demand exceeds $25,000, the allegations are complex or technical, you want to negotiate, you're considering litigation.

You might skip it if: demand is under $5,000, allegations are clear and you understand them, you plan to pay it without negotiation.

Costs: initial consultation $500-$1,500. Response letter $1,500-$5,000. Negotiation $5,000-$15,000 over 4-8 weeks. Litigation through discovery $50,000-$150,000.

The math: if they demand $20,000 and your attorney negotiates it down to $10,000 for $5,000 in attorney fees, you pocket $5,000. If you miss a deadline or waive a right trying to self-represent, costs multiply.

Find a privacy attorney in your state. Ask for flat fees for specific tasks. Interview a few. Consultation is $300-500.

Who Pays Legal Fees?

You do. In privacy cases, each side pays their own attorneys. Technically some states allow prevailing defendants to recover fees, but in practice this rarely happens. Even if you win the lawsuit, you don't recover defense costs.

This matters. A $25,000 demand costs $20,000-$50,000 in legal fees to defend. Settling for $25,000 is cheaper than fighting, even if you win.

Math:

  • Settle for $20,000: costs $20,000 total
  • Defend in litigation: costs $50,000-$150,000 in attorney fees plus risk of a $20,000-$100,000 judgment
  • Most businesses choose settlement

How Are Damages Calculated?

Plaintiffs use a few damage models.

Per-user statutory damages: The CCPA allows $100-750 per consumer per violation. They calculate: monthly visitors × damage per violation × number of months. 50,000 visitors × $100 = potential $5M, though typically claimed as $5,000-$100,000.

User harm or unjust enrichment: What value did users lose by having their data collected without consent? Typically $100-500 per person.

Restitution: Return the profits you made from the data collection. If the data generated ad revenue, return some of it. Usually smaller damages.

Plaintiffs narrow the number by using actual traffic, focusing on clear violations, and accounting for reasonableness. Defendants narrow it by challenging the visitor count with actual analytics, showing that many visitors were bots, proving you remediated, or arguing damages are speculative.

Common Misconceptions

"Only big companies get sued." False. Small businesses, local service providers, SaaS companies, ecommerce stores, nonprofits all get demands.

"Settling means I admit guilt." No. Settlements typically include "no admission of liability." It's a business decision, not a legal concession.

"The attorney general will come after me." Unlikely unless you're huge. The FTC focuses on platform companies. Private lawsuits are common for small-medium businesses.

"If I fix the violations, the liability disappears." No. The violations already happened. Fixing them reduces exposure but doesn't erase the past.

"This is a scam." It's not. The FTC filed actions against Amazon, Microsoft, Vonage between 2023-2026. Privacy enforcement is real and accelerating.

What to Do Now

Start with these immediate actions:

48 hours: Read the demand carefully, identify the specific violations alleged, gather your website analytics and privacy documentation, and check your insurance policy.

1 week: Call a privacy attorney (initial consultation), notify your insurance company, have your development team audit whether the violations are real, and don't respond to the demand yet.

2-3 weeks: Decide whether to settle, negotiate, or litigate, and get your attorney involved in that choice.

4-6 weeks: Fix the violations (remove trackers, implement consent management, update privacy policy), respond to the demand through your attorney, and begin settlement discussions.
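One way for your development team to check the letter's technical claim (step "audit whether the violations are real") is to replay the named pages with a clean browser profile, export the network traffic, and flag any tracker beacon that fires before the visitor accepts the consent banner. The script below is an added example, not part of the original guide; it assumes the traffic has been reduced to a list of request records, that facebook.com/tr (the endpoint the sample letter cites) and a second, assumed, endpoint are the beacons of interest, and that your consent banner calls a hypothetical example.com/api/consent when the visitor accepts.

```python
"""Flag tracker beacons that fired before consent, per page visit."""
from urllib.parse import urlparse

# Beacon endpoints to look for. facebook.com/tr is the one the article's
# sample demand letter names; google-analytics.com/collect is an assumed
# extra entry. Extend this to match whatever the letter actually alleges.
TRACKER_ENDPOINTS = {
    "facebook.com/tr": "Facebook Pixel",
    "google-analytics.com/collect": "Google Analytics",
}
# Hypothetical endpoint your consent banner hits on "accept" (assumption).
CONSENT_ENDPOINT = "example.com/api/consent"


def _host_path(url):
    """Normalise a URL to 'host/path' with any leading 'www.' dropped."""
    p = urlparse(url)
    return p.netloc.lower().removeprefix("www.") + p.path


def classify(url):
    """Return the tracker name for a beacon URL, or None if it is not one."""
    host_path = _host_path(url)
    for endpoint, name in TRACKER_ENDPOINTS.items():
        if host_path == endpoint:
            return name
    return None


def audit(requests):
    """Return (page, tracker, url) for every beacon sent before consent.

    Requests are grouped by visit and ordered by timestamp; a beacon counts
    as a finding only if no consent call preceded it in the same visit.
    """
    findings = []
    by_visit = {}
    for r in requests:
        by_visit.setdefault(r["visit"], []).append(r)
    for reqs in by_visit.values():
        consented = False
        for r in sorted(reqs, key=lambda r: r["ts"]):
            if _host_path(r["url"]) == CONSENT_ENDPOINT:
                consented = True
                continue
            tracker = classify(r["url"])
            if tracker and not consented:
                findings.append((r["page"], tracker, r["url"]))
    return findings


# Constructed sample traffic, not a real capture: visit v1 fires the pixel
# before consent (a finding); visit v2 fires analytics only after consent.
SAMPLE_REQUESTS = [
    {"visit": "v1", "page": "/pricing", "ts": 1.0, "url": "https://www.example.com/pricing"},
    {"visit": "v1", "page": "/pricing", "ts": 1.2, "url": "https://www.facebook.com/tr?id=123&ev=PageView"},
    {"visit": "v1", "page": "/pricing", "ts": 4.0, "url": "https://example.com/api/consent"},
    {"visit": "v2", "page": "/about", "ts": 1.0, "url": "https://example.com/about"},
    {"visit": "v2", "page": "/about", "ts": 2.5, "url": "https://example.com/api/consent"},
    {"visit": "v2", "page": "/about", "ts": 2.9, "url": "https://www.google-analytics.com/collect?v=1&tid=UA-X"},
]

if __name__ == "__main__":
    for page, tracker, url in audit(SAMPLE_REQUESTS):
        print(f"{page}: {tracker} fired before consent ({url})")
```

A clean result on every page the letter names does not end the dispute (the letter covers past traffic), but it is the evidence your attorney needs to challenge an allegation, and a positive result tells you exactly what to remove.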

Most of these resolve in 4-8 weeks for $5,000-$50,000. Acting fast and getting an attorney in the first week makes a real difference in the outcome. Ignoring it makes everything worse and more expensive.