Pre-Suit Privacy and Consumer Law Demand Letters Surge in 2025 — How Businesses Can Stay Ahead

Across industries, companies are seeing a surge of coordinated demand letters threatening to bring privacy and other consumer protection lawsuits. Plaintiffs’ firms are testing decades-old laws against modern data flows, demanding class action damages and threatening litigation that can quickly become costly.

But many theories remain unsettled and defensible, including at early pre-litigation demand stages. In this alert, we summarize recent trends in plaintiff demands and provide practical pointers for responding to and minimizing exposure arising from claims.

Key Claims Driving 2025 Demand Letters

A notable trend in 2025 is that plaintiffs are stacking their demands, combining statutory claims to amplify perceived exposure. In practice, many counts overlap or fail for lack of standing, intent, or a qualifying disclosure. Some of the claims being bundled include:

California “Shine the Light” Law

New demands allege that businesses disclosed California consumers’ personal information to third parties for those parties’ own direct marketing purposes, without providing a “Shine the Light” request mechanism—i.e., a way for consumers to learn which third parties received their information and how to contact them— in violation of Cal. Civ. Code § 1798.83.

These letters typically assert claims for statutory damages, injunctive relief, and changes to disclosures. “Shine the Light” demands are often coupled with California’s Unfair Competition Law (UCL) and include theories under the California Consumer Privacy Act (CCPA).

State UDAP statutes (e.g., Massachusetts 93A, California UCL)

Massachusetts’ consumer protection statute, Chapter 93A, requires a 30-day period to respond to a demand letter prior to filing a claim in court, and a recipient’s failure to respond may trigger multiple damages and attorneys’ fees if no “reasonable tender” of settlement is made.

Claims focus on alleged “unfair” sharing of user data through adtech, cookies, and pixels. In addition, more recent Chapter 93A demands focus on “junk fees” following a new regulation under 940 CMR 38.00, effective September 2, 2025, that directs that a failure to disclose the total cost of a product or service (including all fees) will be per se “unfair” or “deceptive” under Chapter 93A. California UCL letters also include parallel Shine the Light or wiretap theories.

Statutory wiretap and session replay claims

Federal Electronic Communications Privacy Act (ECPA), California Invasion of Privacy Act (CIPA) and Massachusetts Wiretap Act claims are frequently invoked based on website and application analytics, chat integrations, or pixels allegedly “intercepting” user communications. Courts are increasingly requiring proof that a non-party intentionally intercepted communications, while also recognizing defenses based on service-provider status and user consent. Still, forum shopping and nuisance demands continue.

Video Privacy Protection Act (VPPA)

VPPA demand letters target websites that feature or embed videos and that use pixels or packaged software development tools said to disclose viewer identity and content to third parties. Plaintiffs assert that various non-media company websites and site analytics can be construed to fit into the VPAA’s definitions of “video service provider,” “subscriber,” or “PII” definitions.

Telemarketing/TSR-style allegations

Some demand letters cite the Telemarketing and Consumer Fraud and Abuse Prevention Act or state equivalents, including claims about publishing or sharing cell phone numbers without consent. Emerging plaintiff theories target data brokers and directories.

Tactical Responses: Limiting Exposure Before Litigation Begins

Triage quickly

Businesses that receive a demand letter, particularly one that asserts claims under Massachusetts Chapter 93A, should promptly notify counsel and calendar any applicable statutory timeline for a response (e.g. 30 days for Chapter 93A). It is also important to immediately preserve relevant site configurations, vendor contracts, tag manager exports, disclosure screenshots, and consent artifacts.

Audit technology, vendors, and data flows

Identify what pixels, software development kits, session replay, or chat tools were deployed, when, and what data they sent. Confirm vendor service-provider roles and identify key personnel who may have relevant information.

Evaluate defenses early and craft a strategic response

Each category of plaintiff consumer demand raises unique—and often decisive—defenses. Across all categories, an initial assessment should include whether the asserted claims can be maintained as a class action. Companies should consider whether there are applicable pre-suit mediation requirements or arbitration provisions with class action waivers and whether the demand is susceptible to a mass arbitration campaign. Below is an overview of some of the strategies a business can consider when facing a new demand:

• Privacy-related claims: Notifications, disclosures, and consent procedures constitute important records that can support a consent-based defense.

• Wiretapping claims: The contracts establishing the status of service providers, whether there was contemporaneous interception or encryption, and any written restrictions on vendor data use and deletion obligations, will be the foundation of a powerful response. In responding to these demands, businesses can explain consent flows to dispute a viable claim.

• State UDAP claims: Explain why the challenged practice does not meet the state’s definition of an unfair or deceptive act. In addition, showing that any alleged issues have been remedied—and that the claims are therefore moot—can strengthen a business’s response.

• VPPA demands: Responses should highlight ways in which the alleged facts cannot fit within the statutory definitions of “video service provider,” “subscriber,” or “PII.” Allegations may also be insufficient to show a link to identity.

In all cases, but especially for Chapter 93A, a response strategy should consider arguments related to jurisdiction and standing, as non-resident plaintiffs and out-of-state businesses raise key questions about statutory reach. Under Chapter 93A, a timely, fact-driven response with a strategic offer can limit multiple damages and fees—even while disputing liability.

Reducing Future Exposure

Businesses can reduce their risk of future exposure by starting with a focus on governance and transparency. Maintaining a live map of tools, data captured, and flows will empower swift and persuasive responses. Refreshing notices, updating disclosures, and strengthening consent management—and maintaining documentation of those steps—also arm businesses with a strong defense.

If a business uses cookies, pixels, or similar technologies on its website or apps, and relies on technical tools to obtain user consent or provide opt-outs, it should regularly audit those tools to confirm they are functioning properly—including any vendor-provided mechanisms. Companies can strengthen compliance by reviewing vendor agreements to confirm service provider status, clarify data-use and deletion terms, and reduce external data sharing. For VPAA and telemarketing purposes, businesses should separately assess compliance steps and maintain records of consent.

Key Takeaways

• Plaintiffs are leveraging statutory damages and procedural rules (especially under Massachusetts Chapter 93A) to make aggressive and time-sensitive monetary demands.

• Many statutory theories and definitions remain unsettled, but strong recordkeeping and well-drafted contracts can often defeat such claims. Early technical diligence, disciplined vendor management, and visible consent/transparency controls reduce both the frequency of demand letters and settlement pressure.

If you receive a demand letter or want a privacy risk checkup, our team can help assess exposure, prepare responses, and harden your data flows and disclosures against the next wave of plaintiff demands. If you have questions on this topic, or any other concern related to privacy compliance in your organization, please contact Melanie Conroy, Vivek Rao, Kathleen Hamann, or Ariel Pardee.