What website owners need to know about cookie tracking claims and how to stay out of trouble
By Brent C. J. Britton
If you run a website, congratulations.
You are now a potential defendant.
Not because you did anything nefarious. Because you had the temerity to install Google Analytics.
Since 2022, an estimated 50,000 to 100,000 claims have been filed or threatened under California’s Invasion of Privacy Act (CIPA), a 1967 wiretapping law originally written to stop people from tapping telephone lines. Plaintiffs are now attempting to stretch that same law to cover the analytics snippet your web developer installed without a second thought.
The theory is simple: if your website sends a visitor’s search query or other information to Google before the visitor clicks an “I Accept” button, an unlawful interception has occurred.
The statutory damages can reach $5,000 per violation, multiplied by however many third-party services are running on your site.
The math gets ugly fast.
The More Serious Problem
Beyond the wiretapping claims, a newer and, in many cases more legitimate wave of litigation targets websites whose cookie consent banners simply do not work.
The scenario is straightforward.
A visitor clicks “Reject All.”
Your website continues firing analytics tags or advertising cookies anyway because the banner contains a bug, a plugin was updated, or someone added a tracking tag after the consent platform was last tested.
At that point, your website may be misrepresenting its own privacy practices.
That is no longer a gray area.
The Los Angeles Times settled a class action based on this theory for $3.85 million. American Honda was fined $632,500 by California’s privacy regulator for a cookie interface that failed to honor user opt-out requests.
Ironically, a broken “Reject All” button can be harder to defend than having no banner at all.
What the Law Actually Requires
Despite what many website owners assume, there is no federal law requiring a cookie consent banner.
Most of the banners appearing across the internet exist because of the European Union’s General Data Protection Regulation (GDPR), which generally requires opt-in consent before many tracking technologies may be used.
Most U.S. privacy laws work differently.
California’s Consumer Privacy Act (CCPA), for example, generally follows an opt-out model. Businesses must provide California residents with a method to opt out of certain data sales or sharing and must honor the Global Privacy Control (GPC) browser signal when it is detected. Nine states now recognize GPC requirements, with additional states moving in the same direction.
For many U.S.-only websites, simply running Google Analytics does not automatically require a consent banner.
The catch is this:
If you choose to display a consent banner and it fails to do what it promises, you may have created a legal problem that did not previously exist.
Where the Courts Are Beginning to Push Back
Courts have begun pushing back against some of these claims.
In May 2026, a federal judge dismissed a CIPA case brought by serial plaintiff Vivek Shah, who has filed numerous lawsuits alleging unlawful website tracking. The decision suggests that courts are not uniformly accepting every expansive interpretation of CIPA being advanced against website owners.
That said, a favorable court decision does not eliminate the practical problem. Demand letters continue to be sent, and defending even a weak claim can cost far more than resolving it. Even if you would ultimately win, getting there can be significantly more expensive than preventing the issue in the first place.
What You Should Do Now
Audit Your Trackers
Open your website in a browser, launch the Developer Tools network panel, and watch what fires as each page loads.
Most website owners are surprised by what they discover.
Free scanning tools such as Cookiebot and CookieYes can automate much of this review.
Verify That Your Consent Banner Actually Works
Click “Reject All.”
Then determine whether analytics tags, advertising pixels, or other tracking technologies continue firing.
If they do, your banner is not doing what it promises and should be fixed immediately.
Use a Real Consent Management Platform
A properly configured Consent Management Platform (CMP) prevents tracking scripts from executing until a visitor has made the required choice.
Most major CMPs integrate easily with WordPress, Shopify, and other common website platforms.
The subscription cost is modest compared with responding to even a single demand letter.
Honor Global Privacy Control
If your business serves visitors in California or other states recognizing Global Privacy Control, configure your CMP to detect and honor that browser signal automatically.
Keep Your Privacy Policy Honest
Your privacy policy should accurately describe the technologies your website actually uses.
Update it whenever you add or remove analytics tools, advertising platforms, chat widgets, or other tracking technologies.
Courts have shown little sympathy for privacy policies that promise one thing while the website does another.
Consider Privacy-Friendly Analytics
Several modern analytics platforms provide useful traffic insights without relying on third-party cookies.
Depending on your business, these solutions may significantly reduce potential CIPA exposure.
Don’t Ignore a Demand Letter
If one arrives, resist the temptation to simply pay it.
Preserve your website configuration as evidence, document your consent settings, and speak with a technology attorney before making changes or responding.
The Bottom Line
Many of these claims are opportunistic.
The people sending demand letters are often betting that website owners have never heard of CIPA, do not understand how cookie tracking works, and will conclude that paying a settlement is cheaper than fighting.
Sometimes they are right.
Although some courts are beginning to reject the more aggressive CIPA theories, defending even an unsuccessful lawsuit can still be expensive.
Fortunately, the solution is rarely complicated.
A few hours spent auditing your website and a few hundred dollars invested in a properly configured consent management platform can eliminate much of the risk before someone else decides to monetize your ignorance.
Knowledge is power.
Here, specifically, it is the power to spend a lazy afternoon fixing your cookie setup rather than a week or a month dealing with the purveyor of a litigation mill.
Take the afternoon.
Sources
- Vivek Shah CIPA Demand Letters Against Business Websites: How to Respond (Jeffer Mangels, 2026)
- No Standing for Vivek Shah (CIPAWorld, 2026)
- The Rise of the Cookie Banner Class Action (IPWatchdog, 2025)
About the Author
Brent C.J. Britton is the Founder and Principal Attorney at Brent Britton Legal PLLC, a law firm built for the speed of innovation. Focused on M&A, intellectual property, and corporate strategy, the firm helps entrepreneurs, investors, and business leaders design smart structures, manage risk, and achieve legendary exits.
A former software engineer and MIT Media Lab alum, Brent sees law as “the code base for running civilization.” He’s also the co-founder of BrentWorks, Inc., a startup inventing the future of law using AI tools, and is the author of Ownability.

