Data Broker DBSDK Privacy Lawsuits


There has been a huge rise in privacy lawsuits that are very creative in their wording and in the claims they make. The latest are Data Broker Software Development Kit (DBSDK) privacy lawsuits, which we can help protect against so that you no longer receive demand letters for non-compliance when using Captain Compliance software solutions.

The Rising Tide of Privacy Lawsuits Using Data Broker SDKs in California

This new wave of lawsuits is not necessarily going after data brokers, although there was just a CPPA fine over an unregistered data broker. At the heart of this legal storm are Data Broker Software Development Kits (DBSDKs), sophisticated tools embedded in websites to capture user data without explicit consent or disclosure. These kits, often provided by third-party data brokers like 6Sense or Kochava, function as digital spies, correlating visitor behaviors with external records to build detailed profiles. But in California, such practices are increasingly seen as violations of the state’s stringent privacy laws, leading to a surge in class-action lawsuits. Law firms like Tauler Smith LLP are leading the charge, wielding the California Invasion of Privacy Act (CIPA) and the Unfair Competition Law (UCL) as powerful weapons against companies that deploy these technologies.

The Anatomy of a DBSDK Privacy Violation

DBSDKs are essentially code snippets integrated into websites to track user interactions in real-time. They capture “electronic impulses” such as IP addresses, device IDs, browsing history, and even keystrokes, transmitting this data to data brokers who aggregate it into comprehensive consumer dossiers. These dossiers fuel targeted advertising, credit scoring, and other commercial activities, often without users’ knowledge or approval. Under CIPA’s Section 638.51, known as the “California Trap and Trace Law,” any software that acts as a “trap and trace device”—defined as a tool that records incoming electronic signals to identify users—is illegal without consent or a court order. Plaintiffs argue that DBSDKs fit this definition perfectly, turning everyday websites into unauthorized surveillance hubs.

A recent demand letter from a plaintiff’s firm exemplifies this. The letter accuses defendants of deploying DBSDKs on their website that “track and correlate visitors by capturing electronic impulses designed to identify them.” Specifically, it highlights the use of tools from data brokers like 6Sense, which create detailed profiles by linking anonymous data to personal identities. The result? Alleged violations of CIPA, with each data capture event potentially triggering $5,000 in statutory damages per violation. The letter also invokes California’s UCL (Business and Professions Code §17200), which prohibits unlawful, unfair, or fraudulent business practices, allowing for disgorgement of profits and injunctions against future data collection.

This isn’t an isolated incident. In cases like Greenley v. Kochava, plaintiffs targeted a data broker for providing SDKs to app developers, claiming these tools violated CIPA by collecting data without consent. Similarly, in Hughes v. Sentry Insurance Company, the defendant was sued for installing DBSDKs that deanonymized visitors and relayed data to third parties. These lawsuits paint DBSDKs not just as marketing aids, but as enablers of mass corporate surveillance, where data brokers profit from pooling information from multiple sources to intensify consumer profiling.

Tauler Smith LLP: Pioneers in the Privacy Litigation Boom

Enter Tauler Smith LLP, a Los Angeles-based firm that has become synonymous with this burgeoning field of privacy litigation. Specializing in consumer protection and class actions, Tauler Smith has filed numerous lawsuits under CIPA, framing common website tools like tracking pixels, cookies, and beacons as illegal trap-and-trace devices. Their approach is aggressive and systematic: investigations reveal unauthorized data collection, demand letters follow, and if unresolved, class actions ensue seeking massive damages.

For instance, Tauler Smith sued Taylor Farms for allegedly using trap-and-trace software on its website, violating CIPA by monitoring visitors without consent. In another case involving an e-bike company, they alleged the use of TikTok tracking code to deanonymize users, tying it to broader UCL claims for unfair business practices. The firm’s website even dedicates sections to explaining the California Trap and Trace Law, educating potential plaintiffs on how websites acquire customer data unlawfully.

What makes Tauler Smith’s strategy compelling is its scalability. By classifying DBSDKs as pen registers or trap-and-trace devices under CIPA, they open the door to per-violation penalties that can quickly escalate into multimillion-dollar liabilities. Coupled with UCL, which allows for remedies like profit disgorgement and injunctions, these lawsuits force companies to rethink their data practices. As one legal analysis notes, this “tsunami of CIPA class actions” is storming California businesses, with hundreds of filings targeting everything from e-commerce sites to data brokers themselves.

Firms like Tauler Smith aren’t alone; they’re part of a broader trend where plaintiff attorneys exploit CIPA’s broad language—originally aimed at telephone wiretapping—to address modern digital privacy harms. Recent cases have shifted from traditional wiretap theories to pen-register claims, arguing that tools like session replay software and chatbots constitute violations. This evolution has led to enforcement actions beyond lawsuits, such as the California Privacy Protection Agency’s $46,000 fine against a Florida data broker in 2025 for similar practices.

Tauler Smith Claims for Data Broker Kits

What To Do To Protect Against a Tauler Smith Data Broker Claim?

Our team can help with an incident response plan. The first step is to set up one of our Cookie Consent Banners, update your Privacy Notice with our software, and install our Automated Data Subject Request tool. Once you have remediated, we can even help with a response explaining how your website is now compliant, so that you should be able to avoid any future privacy claims.

The implications of these lawsuits are profound. Websites face not just serious financial risks and penalties (statutory damages, data disgorgement, and halted practices) but also brand damage in an increasingly privacy-conscious world. As courts in California routinely recognize unauthorized data capture as predicate acts for UCL liability, the bar for compliance is rising.

Yet, this litigation boom isn’t without controversy. Critics argue that applying a 1960s-era law like CIPA to modern web technologies leads to “absurd results,” potentially criminalizing standard online activities. In response, California lawmakers introduced bills like SB 690 in 2025 to curb “abusive lawsuits” targeting cookies and similar tools. Despite this, the trend shows no signs of slowing, with plaintiffs’ firms like Tauler Smith continuing to file claims that highlight real privacy harms in the ad-tech ecosystem.

For businesses, the message is clear: obtain explicit consent for data tracking, audit third-party SDKs, and prepare for legal challenges. If you have received a demand letter, it most likely offers a pre-litigation settlement by a specified date, a common tactic that underscores how these suits often aim for quick resolutions. As data becomes the new oil, law firms like Tauler Smith are ensuring that extracting it without permission comes at a steep price, reshaping the digital landscape one lawsuit at a time. One of the best defenses is the superhero team here at Captain Compliance.

Contact us today if you’ve received a demand letter for a DBSDK Privacy Lawsuit.
