Your Small Business Website Could Get Sued for Using Cookies
Your Small Business Website Could Get Sued for Using Cookies
If you run a business in California and your website uses Google Analytics, Facebook Pixel, or any tracking tool, you could be facing a class action lawsuit right now. A California law written in 1967 to stop telephone wiretapping is being used by plaintiff attorneys to sue businesses over website cookies — and the courts are letting it happen. The statutory damages are $5,000 per violation, no actual harm required. Here is what is happening and what you should do about it.
What Is CIPA and Why Does It Apply to Your Website
The California Invasion of Privacy Act (CIPA) was passed in 1967. It was designed to prevent unauthorized wiretapping of telephone conversations. One section, Penal Code 638.51, prohibits the use of "pen registers and trap and trace devices" without a court order or the user's consent. Back then, that meant devices that recorded phone numbers dialed from a telephone line.
Here is the problem. CIPA defines a pen register as "a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted." Plaintiff attorneys noticed something: website tracking pixels and cookies collect IP addresses, browser types, device identifiers, and navigation data — which is "addressing information" under this definition. A "process" could be software code. And your website transmits electronic communications.
So they started filing lawsuits. Lots of them.
The Lawsuits Are Already Flooding California Courts
Starting in 2024 with the Greenley v. Kraft Heinz and Moody v. Biltmore decisions, California federal courts began allowing CIPA claims against businesses using website tracking technologies. The cases allege that tools like the TikTok Pixel, Meta Pixel, Microsoft Bing UET tag, and Google Analytics collect "addressing information" — specifically IP addresses and device identifiers — without user consent, violating CIPA 638.51.
According to Baker Donelson, one of the law firms tracking these cases, the litigation has become a "onslaught of class action lawsuits" targeting businesses of all sizes. The firm's January 2026 analysis warned that following the Camplisson v. Adidas ruling — which rejected Adidas's attempt to dismiss a CIPA claim over tracking pixels — "businesses are likely to see yet another substantial uptick in the already high volume of CIPA pre-suit demand letters and class action lawsuits."
CapRadio reported in June 2026 that "waves of lawsuits" over internet tracking under CIPA are hitting businesses across California. The Business Journals reported on a California bill designed to "stop attorneys from weaponizing" the 1967 wiretapping statute against small businesses.
And CIPA is not the only legal threat. The National Law Review warned that CIPA claims are compounding an already serious ADA website accessibility problem. One person has filed over 1,800 disability lawsuits against Southern California businesses, according to the Los Angeles Times. Multiple states are passing laws to curb these lawsuits, but California is behind.
The $5,000 Problem
CIPA provides for statutory damages of $5,000 per violation — and plaintiffs do not need to prove any actual harm, financial loss, or data breach. If a tracking pixel on your site recorded data from 10,000 California visitors without proper consent, you are looking at a potential damages exposure in the tens of millions of dollars.
This is not a hypothetical scenario. Camplisson v. Adidas survived dismissal on the theory that two tracking pixels — the TikTok Pixel and Microsoft Bing UET — collected visitors' IP addresses, browser information, and unique identifiers without consent. The court found that even a standard cookie banner buried in the site footer was not sufficient to establish consent, because users were not required to actively opt in.
The legal logic is brutal for website owners. Even if you never personally configured the tracking pixel — if your marketing agency, your e-commerce platform, or your ad account auto-installed one — your business is on the hook. The plaintiffs are going after the website owners, not the tool providers.
Which Tracking Tools Put You at Risk
Any technology that collects identifying information about website visitors without explicit opt-in consent is potentially within CIPA's crosshairs. The tools specifically named in lawsuits so far include:
- Meta (Facebook) Pixel — Tracks visitor behavior, IP addresses, and device data across websites. Used by millions of businesses for ad retargeting. Named in multiple CIPA lawsuits.
- TikTok Pixel — Central to the Camplisson v. Adidas case. Collects similar data for ad targeting on TikTok.
- Microsoft Bing UET Tag — Also named in the Adidas case. Used for Microsoft Ads conversion tracking.
- Google Analytics — Collects IP addresses (even anonymized ones), browser data, and behavioral data. Not yet named in a CIPA case, but legal analysts consider it vulnerable under the same legal theory.
- Google Ads conversion tracking, Hotjar, Crazy Egg, HubSpot tracking — Any script that records visitor behavior or device information falls under the same risk profile.
If your business website uses any of these — and most do — you need to understand your exposure.
What Counts as "Consent" Under CIPA
This is where many small businesses get caught. In the Camplisson v. Adidas case, the court specifically rejected the argument that a website's terms of service and privacy policy in the footer constituted consent. The ruling found that Adidas did not:
- Make its terms sufficiently conspicuous — visitors had to scroll to the footer to find the privacy policy.
- Offer a pop-up or similar method for visitors to affirmatively demonstrate assent — there was no active opt-in mechanism.
What this means in practice: having a privacy policy page and a cookie notice that says "by continuing to use this site, you agree to cookies" is probably not enough under current CIPA case law. California courts are looking for affirmative, informed consent — meaning a user actively clicks or toggles to approve tracking, not passive acceptance through continued browsing.
The ArentFox Schiff law firm noted in a recent analysis that "CIPA Plaintiffs Target Cookie Banners, Join State Regulators in Attack on Opt-Out Compliance." The standard cookie banners that offer an "Accept" button alongside a "Manage Preferences" link are being challenged. Plaintiffs argue that default-on tracking with an opt-out option does not constitute consent.
California Is Trying to Fix This. Legislation Is Not There Yet.
There is bipartisan recognition that CIPA was never intended to apply to website cookies. California Assemblymember Jacqui Irwin introduced Assembly Bill 3047 to address the problem, and the Sacramento Bee reported that the state is weighing changes as "businesses get sued for wiretapping."
But legislation takes time, and the lawsuits are happening now. Even if a fix passes, it may not apply retroactively. Waiting is not a strategy.
What Southern California Small Business Owners Should Do Right Now
You do not need to panic, but you do need to act. Here is a practical checklist, ordered by priority:
- Audit your website for tracking scripts. Use your browser's developer tools (press F12, go to the Network tab, and reload your page) to see every third-party script loading on your site. Check your WordPress plugins, Shopify apps, or whatever platform you use for analytics, ad pixels, and chat widgets. Make a list of every tool that collects visitor data.
- Implement an opt-in cookie consent banner. Not a passive banner. Not "by using this site you consent." You need a banner that blocks tracking scripts from loading until the visitor actively clicks "Accept" or "Allow." Tools like CookieYes (free tier available), Osano, OneTrust (enterprise), and Cookiebot (free for small sites) can handle this. Make sure the banner blocks scripts by default and only loads them after affirmative consent.
- Remove tracking scripts you do not actually use. If you installed the Meta Pixel six months ago for a campaign that ended, remove it. Every unnecessary tracking script is unnecessary legal exposure. If you are not actively running TikTok ads, the TikTok Pixel should not be on your site.
- Review your privacy policy. Make sure it accurately describes what data you collect, which third-party tools you use, and how visitors can opt out. Link it prominently — not just in the footer, but also near your cookie consent banner.
- Consider geofencing or geo-targeting. If your business only serves Southern California, consider implementing server-side logic that presents the consent banner only to visitors from California (or the US). This is not a complete legal shield, but it reduces your exposure from international traffic where different privacy laws apply.
- Consult a privacy attorney if you have been contacted. If you have received a demand letter or lawsuit, do not ignore it. CIPA cases have specific response windows, and early engagement can sometimes lead to resolution before class certification. This is not legal advice — it is a reminder that ignoring a lawsuit makes it worse.
The Cost of Compliance vs. The Cost of a Lawsuit
Let us put dollar amounts to this. A CookieYes subscription for a small business website costs $0 to $9/month depending on traffic. Osano starts at free for basic compliance. Installing a proper consent banner on an existing website takes 30-60 minutes if you are using a CMS like WordPress or Shopify.
On the other side: CIPA statutory damages are $5,000 per violation. A class action settlement for a small business typically runs $25,000 to $150,000 in legal fees and settlement costs, even if you win. If you lose, damages can reach millions. The NFIB (National Federation of Independent Business) has been tracking this and running op-eds calling for federal protections, noting that "frivolous lawsuits" are draining small business resources nationwide.
This is not a close call. The compliance cost is trivial. The litigation risk is existential for small businesses. If you operate a website in California and you have not implemented proper cookie consent, fix it this week.
This Is Not Going Away
The convergence of CIPA wiretapping claims and ADA accessibility lawsuits is creating a "full website compliance crisis" in California, according to the National Law Review. Plaintiff attorneys have found a profitable formula: file lawsuits against businesses with common website technologies, demand settlements below the cost of litigation, and move on. Multiple states — Missouri, Florida, and others — have already passed legislation to protect small businesses from this model. California has not.
The Bottom Line
A law written in 1967 to stop people from tapping phone lines is now being used to sue California businesses over website cookies. The courts have allowed it, the plaintiffs are filing in volume, and the legislature has not fixed it yet. If your Southern California business website uses any tracking tools — Google Analytics, Meta Pixel, ad conversion tags — you need an opt-in cookie consent banner that blocks those scripts until the visitor actively consents.
The fix costs under $10/month and less than an hour of your time. The cost of ignoring it could be $5,000 per visitor to your website. Do the math.
Need help auditing your website's tracking scripts and implementing proper cookie consent? Get in touch with PepeWebTech — we help Southern California small businesses stay compliant and protected.
Sources
- Baker Donelson — Green Light for CIPA: New Federal Court Ruling Fuels Digital Tracking Class Actions (January 2026)
- CapRadio — Waves of Lawsuits and Internet Tracking: CIPA in the Digital Age (June 2026)
- National Law Review — ADA Lawsuits Are Just the Beginning: California's Full Website Compliance Crisis (2026)
- Sacramento Bee — California Weighs Changes to Privacy Law as Businesses Get Sued for Wiretapping (2026)
- The Business Journals — California Bill Seeks to Stop Attorneys from Weaponizing 1967 Wiretapping Statute Against Small Businesses (June 2026)
- Los Angeles Times — One Man Has Filed 1,800 Disability Lawsuits Against SoCal Shops (2026)
- NFIB — New NFIB Op-Ed: Protect Small Businesses from Frivolous Lawsuits (2026)