If your business has received a certified letter from an individual named Robert Bell citing violations of California Penal Code §§ 631(a) and 638.51, you are not alone, and you are not the target of a random accusation. You are looking at a fact pattern that has become one of the most common — and most expensive — compliance traps in ecommerce today: the California Invasion of Privacy Act (“CIPA”) wiretapping demand letter of which there are numerous other plaintiffs out there like Vivek Shah who are finding violations and the team here at Captain Compliance has become the go to resolution to get your website compliant and avoid these expensive privacy lawsuits.
Schedule a 15-minute Demo with a Data Privacy Expert
This post breaks down who Robert Bell appears to be, the legal theory behind his letters, the technical evidence he collects, and what your business should do both if you’ve already received a letter and to make sure you never do.

What These Letters Say
A recent letter reviewed by our team was sent by Robert Bell of Santa Monica, California, to the owner of an ecommerce website built on Shopify. The letter followed a consistent, almost templated structure that privacy counsel around the country have come to recognize:
- A site visit with developer tools open. Bell states that he visited the website, opened his browser’s network inspector, and documented every outbound request fired during his session.
- A list of third-party recipients. In the example letter, multiple scripts were named as having received data from his browsing activity before he interacted with the site’s cookie consent banner and will list a series of tools running on your site if you have any of these on your website you may be a target: Facebooks Meta-Pixel, Klaviyo for marketing automation emails, an advertising conversion pixel (Google Ads Pixel via Google Tag Manager), a predictive-analytics/personalization tool (Blackcrow AI), an affiliate tracking network (ShareASale), and a referral tracking script (Social Snowball).
- A claim that consent was never given. Bell depending on the demand letter may assert that there is no consent management platform live and that it does not give him the ability to opt-out. In other demand letters he may assert that a cookie consent banner was present on the page but that he never clicked “Accept,” “Reject,” or otherwise made a selection — and that all five third parties fired anyway.
- Preserved evidence. The demand letters for a CIPA violation from Bell may also reference a saved HAR (HTTP Archive) file — a browser-generated log of every network request, its timestamp, and its payload — offered “upon request” and described as an exhibit to be used in any future filing. Screenshots of the network panel, timestamped down to the millisecond, are attached.
- A dollar figure and a deadline. The letters as we show end up with demands for a settlement payment and gives the recipient 30 days to respond before Bell says he will “pursue all available remedies without further notice.”
If this sounds oddly procedural for a private citizen, that’s because it is. This is not a one-off complaint from an upset customer — it is a repeatable methodology, and the letter itself reads like a form document with the merchant’s name and the specific scripts swapped in for each new target.
The Legal Theory: CIPA Isn’t Just About Phone Calls Anymore
CIPA was enacted in 1967, long before cookies, pixels, or software-as-a-service marketing platforms existed. It was written to stop wiretapping and eavesdropping on telephone communications. Over the last several years, plaintiffs’ firms have successfully argued that the statute’s language is broad enough to cover website tracking technology, and courts — particularly in California’s federal district courts — have allowed a growing number of these claims to survive motions to dismiss.
Letters like Bell’s typically invoke two specific provisions:
- Penal Code § 631(a) prohibits willfully reading, or attempting to read, the contents of a communication in transit without the consent of all parties, and separately prohibits aiding, agreeing with, or conspiring with another party to do so. The theory applied to websites is that when a site owner embeds a third-party script (an analytics tool, an ad pixel, a chat widget, a session-replay tool) that transmits a visitor’s data to that third party in real time, the site owner has “aided” that third party in intercepting the visitor’s communication with the site.
- Penal Code § 638.51 prohibits installing or using a “pen register” or “trap and trace device” — technology historically used to capture the phone numbers a person dials or receives calls from — without a court order. Plaintiffs argue that tracking scripts which capture routing and identifying information about a visitor’s session function the same way.
Letters in this category almost always cite two decisions to support standing and viability: Javier v. Assurance IQ, LLC, No. 21-16351 (9th Cir. 2022), which allowed a CIPA wiretapping claim based on website chat/session-tracking software to move forward, and Greenley v. Kochava, Inc., No. 22-cv-1556 (S.D. Cal. 2023), which addressed the pen-register theory as applied to mobile and web tracking SDKs. Neither case is a final judgment on the merits against a specific ecommerce brand — but both are enough precedent for plaintiffs to argue the claims are colorable, which is exactly what a demand letter needs to create leverage.

Why the Math Gets Big, Fast
The reason these letters demand five and six figures instead of a few hundred dollars comes down to how CIPA’s private right of action is structured. Penal Code § 637.2 allows any person whose communications were intercepted to sue for the greater of $5,000 in statutory damages per violation, or three times actual damages — and critically, the statute does not require the plaintiff to prove any actual harm.
Plaintiffs like Bell maximize this by counting each third-party recipient as a separate violation. In the example letters, he may lay out ten distinct scripts that were each treated as an independent violation, producing a stated statutory-damages floor of $25,000 — before attorneys’ fees, costs, or injunctive relief are even factored in. The settlement figure demanded was $70,000, framed as covering statutory damages plus “anticipated litigation costs and remediation.”
The letter also does something else worth noting: it’s explicitly framed as a settlement communication “privileged” under California Civil Code § 47(b)/(c), meaning Bell is positioning it to be inadmissible if litigation follows and the parties dispute what was said during negotiation. That’s a sign of a letter drafted with real familiarity with California civil procedure, whether by Bell himself or with legal assistance.
Is This a Pattern, Not a One-Time Complaint?
Everything about the structure of this letter — the standardized legal citations, the HAR file methodology, the per-script damages calculation, the privileged-communication framing, and the tight 30-day settlement window — mirrors a wave of CIPA pixel and tag-based demand letters that has been hitting small and mid-sized ecommerce merchants (disproportionately those running Shopify, WooCommerce, and similar platforms) since 2022. Robert Bell’s letter fits squarely within that pattern, targeting exactly the kind of marketing stack — email automation, ad pixels, affiliate tracking, personalization tools — that nearly every growth-stage online retailer runs by default.
What To Do If You Receive a Letter Like This
- Don’t ignore it, and don’t rush to wire money either. These letters are designed to create urgency. Read the 30-day clock as a negotiating position, not an immovable deadline, and get in touch with the team here at Captain Compliance right away. We have great relationships with numerous privacy counsels who can get involved before you respond if you’d like and we know exactly how to counteract these claims to help reduce your liability and risk.
- Get the HAR file and verify the claims. Before assuming the allegations are accurate, replicate the test yourself: open a fresh incognito session, load your site with the network panel open, and watch what fires before you interact with your consent banner. If you want we can run a test with our tools free of charge for you.
- Audit your tag manager load order. In most cases like this, the root cause isn’t malicious intent — it’s a tag manager (often Google Tag Manager) configured to fire “Consent Mode” or category-based triggers incorrectly, so marketing and analytics tags load on page render instead of waiting for an affirmative opt-in signal.
- Check every third-party script, not just the obvious ones. Affiliate and referral trackers (like ShareASale and Social Snowball in this example) are frequently overlooked in privacy reviews because they’re seen as “back office” tools rather than tracking technology — but under CIPA theories, they count the same as an ad pixel.
- Fix the gap, then document the fix. Remediation matters both to prevent a repeat letter and to demonstrate good faith if litigation follows.
How Captain Compliance Helps
This exact fact pattern — a consent banner that’s present but not actually blocking scripts and respecting consent choices — is the single most common gap our team finds during compliance audits. Captain Compliance’s Cookie Consent Manager is built specifically to stop third-party scripts from firing until a visitor makes an affirmative choice, giving you a real technical and evidentiary answer to a letter like Bell’s rather than just a banner that looks compliant.
Beyond the platform, our team of privacy experts, DPOs, and compliance engineers can review your tag configuration, respond to an active demand letter, and put our Compliance Shield in place so the next one doesn’t turn into a five-figure settlement conversation.
If you’ve received a letter from Robert Bell — or anyone else citing CIPA §§ 631(a) and 638.51 — book a demo or reach out to our team before the response clock runs out.