Lofty Sues Vivek Shah First in a New Test of California CIPA Website Claims

Table of Contents

Most companies that receive a California Invasion of Privacy Act demand letter are placed in a defensive position.

They can pay the requested settlement, reject the demand and wait to see whether a lawsuit follows, negotiate through counsel, or attempt to correct the website issues while preparing for litigation.

Lofty Inc. chose a different strategy.

After receiving a CIPA demand letter from frequent self-represented claimant Vivek Shah, the real estate technology company filed its own federal lawsuit and asked a judge to determine whether the legal theory behind the threatened claim has merit.

The case, Lofty Inc. v. Vivek Shah, was filed July 8, 2026, in the U.S. District Court for the Central District of California. Rather than waiting for Shah to select the timing, allegations, and forum of a lawsuit, Lofty is seeking declaratory relief establishing that its website platform and use of standard analytics technologies do not violate CIPA.

The lawsuit is notable because it turns a private demand-letter dispute into a potential test case involving one of the most unsettled questions in website privacy litigation:

Can ordinary website analytics technology constitute an illegal pen register under a California surveillance law originally developed for telephone communications?

The answer could affect far more than Lofty.

What Happened Between Lofty and Vivek Shah?

According to Lofty’s complaint and subsequent reports about the case, Shah sent the company a demand letter on June 13, 2026.

The letter reportedly included a draft complaint that Shah said was ready to be filed if the dispute was not resolved.

The threatened claim alleged that a website operating on Lofty’s platform caused third-party tracking code to execute in a visitor’s browser. According to the draft complaint, the technology transmitted the visitor’s IP address and related device or browser identifiers to outside companies for purposes including analytics, marketing, attribution, and profiling.

Shah characterized that activity as unlawful internet surveillance under California Penal Code Section 638.51.

That provision generally prohibits installing or using a pen register or trap-and-trace device without a court order, subject to statutory exceptions. A pen register is defined broadly as a device or process that records dialing, routing, addressing, or signaling information without capturing the contents of a communication.

The terminology originated in the telephone era. A traditional pen register recorded numbers dialed from a telephone line, while a trap-and-trace device captured information identifying incoming calls.

Modern plaintiffs argue that tracking technologies collecting IP addresses, device identifiers, URLs, and similar digital information perform the same functional role on websites.

Businesses respond that standard analytics software is not the kind of targeted surveillance technology the California Legislature intended to regulate and that applying Section 638.51 to normal web operations could make basic internet infrastructure unlawful.

Courts have not reached one consistent answer.

Why Lofty Filed First

Lofty did not wait to see whether Shah would follow through on the threatened complaint.

It filed a declaratory judgment action.

The federal Declaratory Judgment Act permits a court to declare the legal rights of parties when an actual controversy exists. In this case, Lofty argues that Shah’s demand letter, attached draft complaint, and refusal to withdraw his allegations created a concrete dispute requiring judicial resolution.

Lofty says it needs certainty not only for itself but also for its employees and customers.

That position is understandable given the scale of its platform.

Lofty, formerly known as Chime Technologies, provides an integrated real estate platform that combines customer relationship management, lead generation, IDX websites, marketing, communications, and AI-based automation. The company says its technology supports more than 30,000 websites used by more than 91,000 agents and brokerages across the United States.

If the technologies involved in Shah’s demand were found to violate CIPA, Lofty alleges it could be required to redesign major portions of its platform.

The complaint says that process could require months of employee work, the purchase of new technology, and implementation changes across thousands of customer deployments.

That makes the dispute structurally different from a claim against a business operating one website.

Lofty is not only defending one implementation. It is trying to establish the legality of technology distributed across an entire commercial platform.

What Lofty Is Asking the Court to Decide

Lofty seeks a declaration that the operation of its commercial website platform, including its use of standard and widely deployed analytics tools, does not violate CIPA.

It also challenges whether Shah has standing to assert the threatened claim.

Lofty’s complaint reportedly characterizes Shah as a “litigation investigator” who visited a Lofty-powered website to document and preserve a possible legal claim rather than because he had a genuine interest in the services offered through the site.

This distinction may become important.

Federal courts require a plaintiff to show a concrete injury before pursuing statutory claims. A technical statutory violation does not automatically establish Article III standing if the information allegedly disclosed did not implicate a legally protected privacy interest.

Lofty is effectively arguing that Shah deliberately interacted with the site to manufacture evidence, knew analytics technologies might be present, and did not suffer the type of privacy injury that CIPA is intended to redress.

Shah has not yet had his threatened CIPA claim adjudicated in the Lofty case, and Lofty’s allegations remain allegations. The court will need to evaluate the actual facts, the information transmitted, the technology involved, and the governing precedent.

The TalentBridge Ruling Gives Lofty a Starting Point

Lofty’s standing argument arrives shortly after Shah suffered a significant dismissal in another Central District of California case.

In Shah v. TalentBridge Inc., Shah alleged that a job-search website transmitted terms such as “felony-friendly jobs” and “jobs no background check” to third-party services, including Google Analytics.

On May 28, 2026, U.S. District Judge Anne Hwang dismissed the case without leave to amend.

The court concluded that Shah had not shown a concrete privacy injury. Generic search terms did not necessarily reveal anything specific about Shah himself because a researcher, employer, teacher, or other visitor might enter the same phrases. The combination of those searches with an IP address and basic metadata did not automatically create sufficiently private identifying information.

The court also found problems with Shah’s effort to establish the amount in controversy required for federal diversity jurisdiction.

Shah appealed the dismissal to the U.S. Court of Appeals for the Ninth Circuit on June 1. The appeal remains significant because a Ninth Circuit decision could provide appellate guidance that is currently missing from much of the CIPA website-tracking debate.

Lofty will almost certainly point to TalentBridge as evidence that deliberate testing involving generic website information does not create standing.

But TalentBridge does not automatically decide the Lofty case.

Why Lofty Is Not Guaranteed to Win

The legal theory threatened against Lofty is not identical to the claim dismissed in TalentBridge.

TalentBridge involved Section 631, CIPA’s traditional wiretapping provision, and focused heavily on the alleged interception of website search terms.

The Lofty demand reportedly invokes Section 638.51, which concerns pen registers and trap-and-trace devices. Shah’s threatened complaint focuses on IP addresses and device or browser signals rather than solely on search-box content.

Courts have divided sharply over how Section 638.51 applies to the internet.

Some have found that collecting an IP address necessary to operate a website does not state a viable claim. Courts have also dismissed cases for lack of a concrete privacy injury or because the plaintiff consented to the relevant transmission.

Other courts have concluded that the statute’s reference to a “device or process” and to “routing, addressing, or signaling information” is broad enough to encompass website tracking software.

In Fregosa v. Mashable, for example, a Northern District of California court rejected the argument that Section 638.51 is limited to person-to-person telephone or email communications. The court concluded that the defendant’s narrow interpretation lacked support in the text and developing case law.

A Southern District of California decision in Nelson v. Reddit similarly observed that a growing body of courts has recognized that website-based trackers can plausibly qualify as pen registers when they capture IP addresses and related metadata.

Other decisions have taken a narrower approach, particularly when the alleged collection involved only an IP address or information technically necessary to establish the website connection.

The result is an unstable legal landscape rather than a settled rule.

The Outcome May Depend on Exactly What the Trackers Collected

Broad descriptions such as “analytics,” “tracking,” or “device information” will not resolve the case.

The court may need to examine the actual network requests generated during Shah’s visit.

Relevant questions could include:

  • Which scripts executed?
  • Which companies received requests?
  • Was the IP address transmitted automatically as part of the internet connection?
  • Were persistent identifiers also transmitted?
  • Did the request include a full page URL?
  • Were search terms or form entries included?
  • Did the tools create a cross-site advertising profile?
  • Were the requests necessary for website functionality?
  • Did Lofty or its customer install and control the relevant technology?
  • What disclosures were visible before the transmission occurred?
  • Did Shah make a consent choice?
  • Was tracking blocked or altered after rejection?
  • Could the third-party recipient connect the data to an identifiable person?

Those facts matter because courts have often distinguished ordinary IP transmission from more extensive digital fingerprinting, behavioral profiling, or collection of information beyond what the website needs to function.

A ruling describing “standard analytics” in general terms would be less useful than a decision explaining which exact data flows are—or are not—covered by the statute.

Shah’s Purpose for Visiting the Website May Matter

Lofty’s portrayal of Shah as a litigation investigator raises another unresolved question.

Does a person suffer a privacy injury when the person visits a website for the purpose of testing its tracking technologies and documenting a potential lawsuit?

Businesses argue that testers who knowingly initiate interactions to generate claims are not experiencing the same surprise, loss of control, or unwanted intrusion as ordinary consumers.

Plaintiffs respond that civil rights, consumer protection, accessibility, and privacy laws have long been enforced by testers who deliberately investigate compliance. A person’s motive for visiting does not necessarily authorize conduct that would otherwise violate the statute.

The answer may differ depending on the legal issue.

Tester status may not categorically eliminate a statutory cause of action. But it can affect whether the plaintiff had a reasonable expectation of privacy, whether the alleged disclosure caused a concrete injury, whether consent existed, and whether the plaintiff’s account of the transaction is credible.

The Ninth Circuit’s eventual treatment of TalentBridge may influence how courts analyze those questions.

Lofty Has Also Launched a CIPA Defense Program

The lawsuit is only one part of Lofty’s response.

On July 9, the company announced a CIPA Defense Program for qualifying customers targeted over analytics tools operating on Lofty-hosted websites.

According to the company, the program provides a review and written assessment of the demand, a substantive response to the claimant, legal coordination if a complaint is filed, and ongoing case updates.

Lofty says its objective is dismissal rather than pressuring customers to pay settlements it considers unsupported.

The program applies to CIPA demands or litigation connected to Lofty’s standard analytics implementation. Lofty has also said that businesses using competing real estate platforms may become eligible if they migrate to Lofty after receiving a demand.

That is an aggressive commercial and legal response.

Rather than leaving individual agents and brokerages to defend similar claims independently, Lofty is attempting to centralize the technical analysis and legal strategy around its platform.

Why a Platform-Level Case Could Change the Economics

Demand-letter campaigns often depend on an imbalance between settlement cost and defense cost.

A company may believe a claim is weak but still conclude that paying several thousand dollars is less expensive than retaining counsel, preserving technical evidence, briefing a motion to dismiss, and facing the uncertainty of litigation.

That calculation changes when one platform supports the defense for many customers.

A technology vendor can centralize:

  • Technical documentation
  • Network testing
  • Vendor contracts
  • Consent records
  • Platform architecture
  • Expert analysis
  • Legal theories
  • Prior responses
  • Relevant court decisions

Instead of hundreds of businesses separately investigating the same platform configuration, one coordinated defense can develop the evidence once and apply it repeatedly.

A favorable declaratory ruling could also reduce the settlement value of future demands involving the same technology.

That is why the Lofty case is potentially more consequential than an ordinary defendant obtaining dismissal after being sued.

Lofty is seeking a ruling capable of protecting an entire product architecture.

The Strategy Also Creates Risk for Lofty

Going on offense is not risk-free.

By filing the case, Lofty may place its analytics architecture, consent mechanisms, customer implementation practices, and vendor relationships into discovery.

Shah could seek records showing which tools operate across Lofty websites, what data fields they collect, how customer configurations differ, and whether tracking occurs before consent.

The litigation could reveal that the phrase “standard analytics” covers several technologies with materially different behavior.

An adverse decision could also have platform-wide consequences.

If the court concludes that a particular Lofty technology constitutes a pen register and no statutory exception or valid consent applies, the decision could provide a roadmap for additional demands against Lofty customers.

The company therefore has more to gain than a typical website operator—but also more to lose.

The court may additionally confront threshold questions before reaching the merits. Shah could challenge whether the declaratory action presents an appropriate federal controversy, attempt to withdraw the threat, promise not to sue, or argue that the court should decline discretionary declaratory jurisdiction.

None of those outcomes is assured.

Lofty Is Not the Only Business Suing Shah

Lofty’s action is part of a wider shift in how businesses are responding to Shah’s demands.

Fisher Phillips reported that a Florida personal injury firm, Ovadia Law Group, also sued Shah after receiving a Section 638.51 demand. Ovadia seeks a declaration that CIPA does not apply extraterritorially to a Florida business with no California office, employees, or clients, and also asserted an abuse-of-process claim.

Shah has also encountered resistance in arbitration.

An arbitrator dismissed his CIPA and federal Electronic Communications Privacy Act claims against Pashion Footwear in May 2026. Shah has asked a federal court to vacate that award.

These proceedings do not establish that every Shah demand is invalid.

They do show that businesses increasingly view litigation, arbitration, and declaratory relief as viable alternatives to automatic settlement.

What Businesses Should Learn From the Lofty Case

The Lofty lawsuit is not a reason to ignore a CIPA demand letter.

It is also not a strategy every recipient should copy automatically.

A business receiving a demand should first preserve the relevant evidence.

Website technology changes quickly. Tags are added and removed, consent settings change, vendor configurations are updated, and pages behave differently based on region, browser, device, or referral source.

The company should document:

  • The website configuration on the alleged date
  • Every tracking technology operating on the relevant page
  • The data transmitted before consent
  • The behavior after acceptance or rejection
  • The privacy and cookie notices then in effect
  • Consent logs
  • Tag-manager history
  • Vendor contracts
  • Screenshots and network captures
  • Any subsequent remediation

The company should then work with counsel to evaluate the specific statute and theory asserted.

A Section 631 search-bar claim is not necessarily the same as a Section 638.51 pen-register claim. A case involving only an automatically transmitted IP address is not the same as one involving medical search terms, chat messages, form submissions, or persistent cross-site identifiers.

The strength of the response depends on the facts.

Compliance Still Matters Even When the Claim Is Weak

A business can have a strong defense to a particular demand and still have a deficient privacy program.

CIPA litigation is only one source of website risk.

The same tracker may implicate the California Consumer Privacy Act, other state privacy statutes, health-data laws, the Video Privacy Protection Act, sector-specific confidentiality rules, consumer protection laws, contractual promises, or common-law privacy claims.

Companies should therefore avoid framing the issue as a choice between paying Shah and doing nothing.

A defensible response has two components:

  1. Challenge unsupported legal theories through qualified counsel.
  2. Correct genuine tracking, consent, disclosure, and data-governance weaknesses.

Removing or blocking unnecessary trackers may reduce future legal exposure even when the current claimant lacks standing.

The Captain Compliance Perspective

Lofty’s lawsuit may become one of the most important cases arising from the Vivek Shah demand-letter campaign.

It creates a direct vehicle for a federal court to evaluate whether a large commercial website platform’s analytics architecture violates CIPA and whether a deliberate tester can establish a concrete privacy injury.

But the case should not be portrayed as already decided.

Lofty has filed a complaint. Shah’s threatened allegations have not been proven. Lofty’s defenses have not been accepted. Courts remain divided over Section 638.51, and the Ninth Circuit has not yet resolved Shah’s TalentBridge appeal.

What Lofty has accomplished is to change the posture of the dispute.

Instead of allowing repeated demand letters to be evaluated privately, one company has placed the legal theory before a federal judge and asked for a ruling that could affect thousands of websites.

Captain Compliance helps businesses prepare for this environment by identifying active trackers, blocking nonessential technologies before consent, mapping vendor data flows, preserving consent records, maintaining dynamic cookie disclosures, and documenting remediation.

Privacy software cannot replace litigation counsel, and a consent banner cannot guarantee that every CIPA claim will disappear.

But companies are in a materially stronger position when they can show exactly what their websites collect, when each technology activates, what the visitor selected, and whether that choice was technically enforced.

Lofty is now asking a court to determine whether its platform crossed the line.

Every other business should examine its own website before a demand letter forces the same question.

Frequently Asked Questions

What is the Lofty v. Vivek Shah case?

It is a federal declaratory judgment lawsuit filed by Lofty Inc. after Shah sent the company a CIPA demand letter and threatened complaint involving website analytics technology.

When was the Lofty lawsuit filed?

Lofty filed the case on July 8, 2026, in the U.S. District Court for the Central District of California.

What does Lofty want the court to declare?

Lofty wants a declaration that its commercial website platform and standard analytics tools do not violate CIPA and that Shah lacks standing to pursue the threatened claim.

What did Shah allege against Lofty?

According to Lofty’s complaint, Shah alleged that third-party tracking code transmitted an IP address and related device or browser identifiers for analytics, marketing, attribution, and profiling without lawful consent.

What section of CIPA is involved?

The threatened claim reportedly relies on California Penal Code Section 638.51, which regulates the installation or use of pen registers and trap-and-trace devices.

Has Lofty won the case?

No. The case is newly filed, and no court has ruled on the merits of Lofty’s claims or Shah’s threatened allegations.

Why is the TalentBridge decision relevant?

A federal court dismissed Shah’s separate CIPA case against TalentBridge after finding that generic website searches did not create a concrete privacy injury. Shah has appealed that ruling.

Does TalentBridge guarantee Lofty will win?

No. TalentBridge involved a different CIPA provision and different alleged data. Section 638.51 case law remains divided.

Can normal website analytics violate CIPA?

Courts disagree. The outcome may depend on the information collected, the technology used, the parties receiving it, whether the collection was necessary, and whether valid consent existed.

What should a company do after receiving a CIPA demand letter?

The company should preserve evidence, avoid responding without counsel, investigate its website data flows, determine what happened during the claimant’s visit, evaluate standing and statutory defenses, and correct any genuine consent or tracking problems.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.