Tami Goldsmith runs Folsom Lake Heating & Air with her husband. They started the HVAC business in May of last year, and business has had its ups and downs.
“Sometimes it’s like, ‘Oh my gosh, are we going bankrupt?’ And then sometimes it’s like, ‘Oh my gosh, are we buying that two-million dollar house?’” Goldsmith said. “It’s just so up and down. But that’s how it is with the weather and everything.”
In general, though, the business has gone well. Just six months into starting the business, Goldsmith was able to quit her job as a horse trainer to help support the business’s administrative needs full-time.
But, in February of this year, Goldsmith’s business was in what she called the “shoulder months”: weather that’s not too hot and not too cold, when heating and air conditioning systems aren’t used as much. Great weather, but bad for the HVAC business.
Then, Goldsmith got a call from her lawyer — who she used to ride horses with — who asked her if she was sitting down. Folsom Lake Heating & Air had just been served court summons for a lawsuit.
“Oh my god, did one of the systems blow up?” Goldsmith asked her lawyer. “She said, ‘No, it’s from your website.’”
Goldsmith’s business was being sued for violations of the California Invasion of Privacy Act, or CIPA. CIPA was originally passed in 1967 to criminalize wiretapping phone calls, but has since been expanded to cover privacy concerns in the digital age. It aims to protect Californians from a number of privacy invasions, including data collection from websites.
However, for Goldsmith, the law was cited in a lawsuit that sought to charge her a $5,000 fine per visit to the website.
To her knowledge, Goldsmith said she wasn’t collecting anything other than the standard analytics that most websites use to track ad performance on their websites.
“We’re not IT people. It’s totally out of our spectrum of things that we know about,” Goldsmith said.
In the suit against her, it names a service she uses on her website to book HVAC repair appointments, Housecall Pro. Goldsmith said she was able to contact Housecall Pro, and they were able to settle the suit.
However, Folsom Lake Heating & Air wasn’t the only recipient of a lawsuit dealing with CIPA violations in the region. Gytahnna Loffgren owns Element Electric, a company that installs residential solar panels and batteries, with her husband.
Loffgren said she found out about the lawsuit in May after a packet containing the lawsuit information was mailed to their house. She said they don't know how they’re going to handle a lawsuit of this magnitude.
“It’s insane because first, I’d have to hire an attorney,” Loffgren said. “The first one we spoke with let us know that the majority of attorneys are going to require $30,000 as their deposit.”
Loffgren said that they’ve had a website for their business for 20 years, and they’ve never had an issue like this before. She also said she found out that the same man who sued her sued three other businesses in Sonoma County for the same CIPA violations.
Legislation in the works
The California State Capitol building in downtown Sacramento on January 7th, 2026.Ruth Finch/CapRadio
According to Stop CIPA Shakedowns, a coalition that seeks to reform CIPA to protect businesses from CIPA-related lawsuits, 3,000 businesses have been sued using CIPA.
Jim Monegal said that his law firm, Mullen Coughlin, has represented upwards of 500 clients alone that are defendants in CIPA-related lawsuits.
“No one knows what [they’re] doing wrong, how to follow the law,” Monegal said of his clients. “We don’t even know what the law says in this regard of what we can and can’t do.”
Monegal is one of many attorneys, alongside media and business interests, that comprise Stop CIPA Shakedowns. They’re advocating for the California legislature to pass SB 690, a bill meant to keep CIPA from applying to any tracking that’s done with a “commercial business purpose.”
In 2018, the California legislature passed the California Consumer Privacy Act, or CCPA. This law also covers what companies can and can’t trace on the internet, and is the reason why, for example, most websites will show a pop-up asking if you want to opt-in for cookies. But, it doesn’t allow individuals to sue companies over its violation.
On the other hand, CIPA allows for individuals to sue for damages when it’s violated, due to its origins as a criminal wiretapping law.
Monegal said that law firms, and sometimes individuals representing themselves, have been exploiting CIPA. In these lawsuits, they’re claiming analytics tools, like those used by Google and Meta to track ad performance, are being used without the visitor's consent.
These tools are also used by smaller businesses, like Folsom Lake Heating & Air to track their own internal ad performance.
“There’s actually some claimants out there … that have leveraged AI and other means to send out thousands upon thousands of demand letters shaking these companies down on an individual basis,” Monegal said.
Monegal said that these cases really kicked off in 2022, and have been growing.
“It’s such a high return on such a minimal investment,” Monegal said. “All of the demand letters look exactly the same. All of it can almost be automated and auto-generated.”
However, privacy advocate groups like Oakland Privacy are worried about removing safeguards for all businesses to use tracking technology. Tracy Rosenberg, advocacy director of Oakland Privacy, said that, while the law was expanded "awkwardly", oftentimes lawsuits citing CIPA are the only way for individuals to get reparations for breaches of privacy.
Rosenberg said that one example was a lawsuit leveled against Flo, Meta and Google filed in 2021 that accused Flo, a menstrual cycle tracking app, of collecting and selling menstrual data of users without their consent. She also cited cases where Oracle was sued for surreptitious tracking.
“CIPA is the law that allowed women that were upset about this, and there were many, to file a class action lawsuit that said, ‘Hey, we should have been asked if this was okay with us because this was just a way for Flo to make money and for Meta to make money,” Rosenberg said.
Rosenberg said that she recognized the problem that small businesses are facing with these predatory lawsuits.
“There’s a handful of law firms that have come to the same conclusion, basically saying, well, every business collects analytics and IP addresses online, and in a lot of cases they don’t ask for consent,” Rosenberg said. “A lot of it is just kind of first party, and yes, they’re technically violating the law, but the consequences are not necessarily that profound.”
She said that exempting CIPA’s application from all business activity would be an overreach. According to Rosenberg, herself and other privacy advocate groups have proposed amendments that would apply the same thresholds for enforcement that the CCPA has, where businesses below a certain size would be protected from lawsuits.
“What we’re basically trying to do is separate Meta from [smaller businesses],” Rosenberg said. “The only reason not to accept it is because Meta and Google and Oracle are behind this effort, right?”
Meta declined to comment, but is a member of the Reform CIPA coalition to pass SB 690. A spokesperson from the Alliance for Legal Fairness, a member organization of the Stop CIPA Shakedowns, said that CIPA is a 1967 wiretapping law that does not apply to “any online activity.”
According to Rosenberg, the law has been cited in multiple internet privacy cases where big businesses like Google, Meta and Oracle were found liable. CIPA has been amended multiple times since 1967.
“Some years ago, it became clear to people that that kind of activity, what we used to call wiretap is kind of outdated,” Rosenberg said. “A lot of this is being done now by essentially tracking people’s online communications … so the bill was awkwardly expanded to include certain kinds of online tracking.”
Ultimately, Tami Goldsmith from Folsom Lake Heating & Air said that she’s wondering why she’s the one getting sued.
“I was looking at automatic kitty litter boxes, and I go on Amazon to see how much they are, and then all of a sudden my algorithm is just kitty litter boxes,” Goldsmith said. “They’re tracking me. They’re looking at what I’m looking at… They’re not getting sued, I’m getting sued.”
Follow us for more stories like this
CapRadio provides a trusted source of news because of you. As a nonprofit organization, donations from people like you sustain the journalism that allows us to discover stories that are important to our audience. If you believe in what we do and support our mission, please donate today.
Donate Today
