By: Derek DeVries
Walk through any brick-and-mortar store and you consent to surveillance the moment you step through the door. Security cameras, facial recognition, payment processing, loyalty program tracking. Nobody hands you a form, and nobody asks for your permission. Visit the same company’s website, though, and a growing number of plaintiffs’ attorneys argue you’re entitled to complete anonymity, including from the basic analytics tools businesses use to understand whether their marketing is working.
That legal argument is now showing up in a surge of threat letters hitting businesses across the country, and the tools in the crosshairs are the ones your marketing team almost certainly uses every day.
We’re not lawyers, and nothing here is legal advice. But we work with these analytics platforms every day. They’re the same ones that these suits target, and we’ve been following this closely.
What’s Happening
A small number of California-based law firms are threatening to file lawsuits against businesses based in the United States, arguing that their clients’ rights under various state privacy laws are being violated by some of the most basic (and commonly-used) digital marketing tools for understanding user behavior on websites. Adrian Hori at Captain Compliance has an excellent overview of the situation if you’re interested in more information.
These laws grew out of the General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and enforced from 2018, which set out to regulate the processing of personal data of people in the EU. GDPR enforcement has been inconsistent: the regulation is broad and cross-border enforcement is complicated, which has let smaller businesses fly under the radar. It did, however, set the template for many to follow. State legislatures in California and elsewhere have adopted the model, and unlike in the EU, some U.S. attorneys have found it financially worthwhile to pursue smaller targets.
So far, most of these threat letters have not actually translated into lawsuits filed – so their intent seems to be more extortive: scare smaller businesses into paying plaintiffs. There are, however, other class action lawsuits aimed at high-profile corporations that could potentially be very expensive.
What Digital Tools Are Affected
The tools cited in the suits commonly include (but are not limited to):
- Google Analytics (GA4)
- The Meta/Facebook Pixel
- The TikTok Pixel
- The Bing/Microsoft Universal Event Tracker (UET)
- The LinkedIn Insight Tag and the LinkedIn SDK (not surprisingly the lawyers issuing the letters don’t seem to know the difference)
- Session recording tools like HotJar (now owned by ContentSquare)
Basically, if it can be used to follow user behavior on a website, it is a potential issue. It doesn't even matter that analytics data has long been largely pseudonymous: the website owner doesn't know who any of the users on the site are unless they voluntarily disclose it through a purchase or form submission, but the tools still assign each browser a persistent identifier (usually stored in a cookie) and send it, along with the IP address and user agent, to the vendor.
The laws often cited in these lawsuit threat letters include the following:
- CCPA (The California Consumer Privacy Act): In effect since 2020 and since amended by the CPRA, it applies to businesses that meet its thresholds (the most relevant being annual gross revenue above $26,625,000, a figure indexed to the CPI). Penalties vary based on intent, with unintentional violations carrying lower fines than intentional ones, and violations involving consumers under 16 carry steeper penalties still.
- CPRA (The California Privacy Rights Act): Building on and amending the CCPA, it introduces “sensitive personal information” protections.
- CIPA (The California Invasion of Privacy Act, specifically Section 631): Enacted in 1967, this law was designed to prevent wiretapping but is now being used to argue that clients’ privacy is violated by many common digital technologies on websites (e.g. marketing/analytics pixels like Google Analytics). CIPA is particularly attractive to plaintiffs’ attorneys because it allows statutory damages of $5,000 per violation with no requirement to prove actual harm. Unfortunately a recent federal court ruling in Camplisson v. Adidas found for the plaintiff (and rejected the findings of other recent cases regarding CIPA’s application to digital analytics tools).
As with many technologies, we’re in a period of uncertainty as the legal system struggles to keep up with the pace of business. The danger is in becoming a test case for a high court ruling (which nobody wants to be).
How to Ensure Compliance
Ideally, every site should have a consent management platform (CMP) in place that displays a banner to every new visitor that notifies them that the site uses digital traffic analysis tools and offers them the ability to opt out.
It’s not enough to display a banner or a privacy policy warning: the consent management layer has to actually stop tags from firing and tracking cookies from being set until consent is given. The simplest check is to load the site in a private browser window with the developer tools open on the Network tab and confirm that no requests go out to the analytics or advertising endpoints (and that no tracking cookies appear under Application/Storage) before you click anything on the banner.
Not only that, but the site (and all technologies connected to the site) must also abide by the decision – so it might not be sufficient to implement consent management only on your content management system; it also needs to integrate with any analytics tools used by the site. Below are some examples of scenarios where simply installing a CMP on your website CMS might not be sufficient:
- Hardcoded Tracking Scripts: Over the lifetime of a website, it’s common for a lot of technical debt to accumulate in the form of scripts for tools that were implemented directly in the code of the website. In these cases, a CMP won’t automatically modify the scripts to change their behavior based on the consent settings (so they will need to be addressed individually).
- Google Tag Manager: GTM has become a popular way to organize and consolidate tags in one place, but it has its own consent settings (built around Google’s Consent Mode V2), so after a CMP is added to a site it typically also needs to be configured separately in GTM. The consent “default” command has to run before the container loads, and each tag in the container has to be told which consent types it requires; otherwise the banner and the container can disagree about what is allowed to fire.
- Embedded Third-Party Content: Depending on how a site is built and what content it delivers, it’s possible there could be third-party embeds that fire their own tracking technologies which are not affected by the addition of a CMP to the site.
- Server-Side Tracking: If analytics or advertising data is sent via server-side APIs, those data flows must be explicitly configured to honor user consent. CMPs do not automatically block server-level data transmission.
This is where Consent Management Platforms come in.
Some of the big players out there are Cookiebot, OneTrust, Termly, Ketch, Iubenda, Captain Compliance, etc. Some purpose-built platforms like Shopify include native consent settings or dedicated apps. If you’re not sure what is right for you – ask your web developer.
CMPs have some significant benefits that make them very attractive:
- They keep their banner text, cookie categorizations and regional rules up to date as privacy regulations change (though they cannot see tags that were never wired into them, so those still have to be integrated one by one).
- Implementation is usually fairly straightforward, and they have easy-to-use customization tools (for example, to control the look/appearance of the consent banner).
- They can handle a variety of ways in which tracking may be implemented (and provide support to handle more challenging use cases).
Mitigating Data Loss While Remaining Compliant
The most significant consequence of ensuring cookie compliance is a serious loss of the data businesses rely on to make decisions about how they communicate with customers. When a user declines consent (or simply never makes a decision), the tracking tags are blocked from firing, so no data reaches the analytics platforms, not even basic details like session starts or page views. This follows from the best practice of setting the default consent state to “denied” until a signal is received that allows the tags to fire.
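To make the default-denied model concrete for both the integration scenarios listed under “How to Ensure Compliance” (hardcoded scripts, GTM consent mode, server-side tracking) and the “denied until a signal” default described here, the following is an added example, not code from this post or from any CMP vendor. It assumes three consent categories, a cookie named `consent` with a simple pipe-delimited format, and a particular mapping of those categories onto Google’s Consent Mode V2 signal names; all of those are this example’s choices, not something the page or Google prescribes.

```javascript
// Added example: a default-deny consent gate shared by the browser and the backend.
// Category names, the cookie name/format and the category-to-signal mapping are assumptions.

const CATEGORIES = ["analytics", "advertising", "session_recording"];
const COOKIE_NAME = "consent";   // assumed name; a real CMP uses its own
const COOKIE_VERSION = "v1";

// Everything starts denied. Ignoring or closing the banner never calls applyDecision(),
// so it yields exactly the same state as "reject all".
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Apply a visitor decision. Only an explicit `true` grants a category; categories the
// banner did not mention stay denied; unknown keys are dropped rather than stored.
function applyDecision(state, decision) {
  const next = { ...state };
  for (const c of CATEGORIES) {
    if (Object.prototype.hasOwnProperty.call(decision, c)) next[c] = decision[c] === true;
  }
  return next;
}

// Consent Mode V2 signals in the shape gtag()/GTM expect. The signal names are Google's;
// mapping our three categories onto them is this example's assumption.
function consentModeSignals(state) {
  const s = (granted) => (granted ? "granted" : "denied");
  return {
    analytics_storage: s(state.analytics),
    ad_storage: s(state.advertising),
    ad_user_data: s(state.advertising),
    ad_personalization: s(state.advertising),
  };
}

// The two gtag() calls as argument arrays: the 'default' one must run before the
// GTM/gtag.js snippet loads, the 'update' one after the banner is answered.
function gtagDefaultArgs() {
  return ["consent", "default", consentModeSignals(defaultConsent())];
}
function gtagUpdateArgs(state) {
  return ["consent", "update", consentModeSignals(state)];
}

// Persist the decision in a cookie so server-side code sees the same answer.
// Format: v1|analytics:1|advertising:0|session_recording:0 (no ';', ',', '"' or spaces,
// which RFC 6265 does not permit inside a cookie value).
function serializeConsentCookie(state) {
  const parts = CATEGORIES.map((c) => `${c}:${state[c] ? 1 : 0}`);
  return `${COOKIE_NAME}=${[COOKIE_VERSION, ...parts].join("|")}`;
}

// Server side: read consent back out of a request's Cookie header.
// Fails closed: a missing, malformed, tampered or wrong-version cookie means all denied.
function parseConsentCookie(cookieHeader) {
  const state = defaultConsent();
  if (typeof cookieHeader !== "string") return state;
  const raw = cookieHeader
    .split(";")
    .map((kv) => kv.trim())
    .find((kv) => kv.startsWith(`${COOKIE_NAME}=`));
  if (!raw) return state;
  const [version, ...parts] = raw.slice(COOKIE_NAME.length + 1).split("|");
  if (version !== COOKIE_VERSION) return state;
  for (const p of parts) {
    const [cat, flag] = p.split(":");
    if (CATEGORIES.includes(cat)) state[cat] = flag === "1";   // anything but "1" is a refusal
  }
  return state;
}

// Gate for server-side forwarding (e.g. a Measurement Protocol or Conversions API call
// made from your backend): consult the visitor's cookie, never the tool's own defaults.
function serverSideForwardAllowed(cookieHeader, category) {
  return parseConsentCookie(cookieHeader)[category] === true;
}

// Constructed sample: a visitor who accepted analytics but declined advertising.
const sampleDecision = applyDecision(defaultConsent(), { analytics: true, advertising: false });
const sampleCookieHeader = "sid=abc123; " + serializeConsentCookie(sampleDecision);
```

In the browser, spread `gtagDefaultArgs()` into `gtag(...)` in the `<head>` before the GTM/gtag.js snippet and `gtagUpdateArgs(state)` once the banner is answered; hardcoded tags can be shipped inert (for example as `type="text/plain"`) and only activated when their category in the state object is `true`. On the server, call `serverSideForwardAllowed` with the request’s Cookie header before any Measurement Protocol or Conversions API call. The parser fails closed, so a missing, edited or out-of-date cookie is treated as a refusal rather than as consent.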
There are two best practices that can help mitigate this data loss:
- Big Banners: Force users to make a decision regarding cookie consent. While it’s historically been popular to make consent banners unobtrusive (usually at the bottom of the page), you’ve likely encountered sites where the cookie consent banner takes up most or all of the page, making it impossible to ignore. This is actually a best practice because it at least forces the user to make a decision. In practice, ignoring a consent banner has exactly the same outcome as declining all cookies (so you may as well force a decision). Give the decline option the same prominence as accept, though: a banner that buries or hides “reject” is the kind of design regulators have penalized.
- Regional Customization: Use a CMP that allows the tailoring of consent options based on region (which virtually all of the major providers offer). In this case, a consent banner is only presented to users detected to originate from applicable regions (such as the EU, or states like California, Virginia, and Colorado). Region detection relies on the visitor’s IP address, which VPNs and corporate proxies can mask, so configure the fallback to show the banner when the region is unknown rather than to skip it.
Final Thoughts
Privacy regulations around digital tracking are evolving quickly, and businesses are increasingly finding themselves caught in the middle of a legal environment that hasn’t fully caught up with modern web technologies. Whether the recent surge in lawsuit threat letters represents a long-term trend or a temporary tactic from a handful of law firms, the risk to businesses is real—and the cost of becoming a legal test case can be significant.
Implementing a properly configured Consent Management Platform is one of the most practical ways to reduce that risk. A CMP not only helps demonstrate good-faith compliance with current privacy laws, but also ensures that tracking technologies on your site behave according to the choices made by your visitors.
While consent management can reduce the amount of analytics data available to marketers, the alternative—ignoring privacy compliance altogether—carries far greater potential consequences. By proactively implementing consent management, auditing how tracking technologies fire across your site, and coordinating those efforts with your web developers and legal advisors, businesses can continue to use data responsibly while protecting themselves from unnecessary legal exposure.
In short, consent management is no longer just a technical feature—it’s quickly becoming a standard part of responsible website governance.
