SAM Magazine—Lakewood, Colo., July 10, 2026—The National Ski Areas Association (NSAA) has sent an alert to its members regarding a recent influx of U.S. ski areas receiving pre-litigation demand letters alleging their website tracking technologies—such as cookies and pixels—violate the California Invasion of Privacy Act (CIPA), a 1967 law prohibiting telephone wiretapping without a court order. NSAA warned its members not to ignore the letters and to take appropriate action.
The letters appear to be sent by Vivek Shah, a serial plaintiff, especially in CIPA cases, and a convicted felon who was sentenced to more than seven years in federal prison for orchestrating an extortion scheme in 2013. He is not a lawyer and is currently acting pro se, blanketing thousands of businesses, not just ski areas, with similar demand letters in recent weeks.
According to NSAA, “Mr. Shah’s demand letters allege that some ski area websites illegally capture and share with third parties (e.g., advertising and analytics vendors like Meta and Google) internet protocol (IP) addresses, which can reveal location data, and related device / browser identifiers which arise from common website tracking technologies like cookies, pixels, and tags, without the consent of the individual visiting the website. Mr. Shah alleges that the websites automatically capture this information before the user affirmatively consents to the capture and sharing of such information, due to outdated cookie consent banners.”
NSAA said it is not aware that any of these claims have actually been filed in California state courts, nor have ski areas been served with actual complaints from Shah, only pre-litigation demand letters. The association is working with the Association of Ski Defense Attorneys (ASDA) to evaluate the true threat of Shah’s claims. Ski areas that receive one of these demand letters should engage with their local ASDA lawyer immediately.
Other actions NSAA recommends all ski areas take include:
- Have their website designer conduct a website audit and upgrade their consent mechanisms so that the website user has affirmatively consented to the use of tracking devices before tracking technologies capture and share information with third parties like Google Analytics.
- Check with their insurance provider—general liability and cyber insurance policies typically have specific exclusions for statutory violations.
- Explore working with a company such as Termly.io or Osano that provides the most current, state-specific legal consent language that websites can use as a capture banner. Annual updates based on current law cost less than $200 a year, according to NSAA.
- If needed, update their privacy policy and terms and conditions.
The association also warned that similar claims against ski areas are being raised by other, more legitimate plaintiffs’ law firms, all seeking quick settlements. The CIPA allows for statutory penalties of up to $5,000 per violation.
“Remember, settling one of these claims or lawsuits does not protect you from separate and future claims from other claimants—getting your websites audited and into consent compliance is the best defense against these claims,” NSAA said.
There are, however, many legal questions surrounding the use of a 1967 California statute intended to prevent unlawful telephone wiretapping and eavesdropping as the basis for website privacy claims, especially for businesses that don’t operate in California or draw significant revenue or visitation from the state. NSAA said that over the past two months, several California courts have ruled in other cases that CIPA only applies to telephone communications, not website tracking technologies like cookies and pixels. But the association also cautions that ongoing appeals and other court rulings may conflict with these favorable recent decisions.
“[T]his is a rapidly changing area of law, and other states are likely to adopt similar consumer privacy website laws,” NSAA said.
NSAA plans to host a webinar later in July with experts on website design and the specific legal issues involved with these allegations.
For more background and next steps: https://nxtconcepts.com/our-tools/journal/82-your-website-is-the-new-liability


