7 Steps to avoid CIPA Demand Letters

Hans Skillrud

Vice President of Termageddon

Please note this is all created for informational purposes only and should not be considered legal advice. If you have received a CIPA demand letter, you should not only resolve whatever issues currently exist on your website, but you should also connect with an attorney who specializes in dealing with CIPA demand letters. You can also review our general informational article on the CIPA lawsuits.

Also please note: although this article was created to help as many people as possible avoid CIPA related demand letters, it was also written to help Termageddon customers. Therefore, several of the steps below use the Termageddon dashboard and consent solution to set up proper CIPA protections. However, if you use another provider, this article will likely still be helpful to a large degree.

Basics: What is CIPA and what are third party tracking technologies?

The California Invasion of Privacy Act (CIPA) was created over 30 years ago to stop eavesdropping on landline phones. In recent years, this law has been reinterpreted to apply to websites that utilize third party tracking technologies without first getting consent from the site visitor to do so. As a result, a growing number of opportunistic attorneys in California are targeting website owners (especially those located throughout the US), asking for thousands of dollars in ‘damages’ for non-compliance.

What’s a third party tracking technology? Examples include (but are certainly not limited to): Google Analytics, Facebook Pixel, Google Ads, LinkedIn Insights tag, Hubspot Forms. It is a script you add to your website that, upon loading, takes your website visitor data, shares it with a third party (like Google or LinkedIn) and allows that third party to monitor your website visitors as they navigate through the website.

Here’s an example of a third party script:

<script async src="https://www.googletagmanager.com/gtag/js?id=G-05Q99QQCGE"></script>
<script>
  console.log("Hello from Google Tag Manager!");
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-XXXXXXX');
</script>

Do you notice how it starts with ‘script’, and also there is a URL to a third party website? This is a big indicator that this particular script is loading a third party technology into your website, and it may be tracking your website visitors.

The key to complying with CIPA is ensuring that visitors from California are opted out from these third party tracking technologies.  Only if the visitor takes an explicit action (such as clicking ‘accept’ within a consent banner), can you allow these third party technologies to load.

7 Steps to avoid CIPA Demand Letters

Step 1: Identify all third party tracking technologies loading on your website

Create a list of all the third party tracking technologies you are loading on your website. This includes common features like Google Analytics, Facebook Pixel, Google Ads, LinkedIn Insights tag, Hubspot Forms, third party live chat embeds, or any other type of third party tracking technology. You can utilize tools such as Wappalyzer (a free Chrome extension) and review the backend of your website to help with this step.

Step 2: Remove all unnecessary tracking scripts.

Determine whether these tracking technologies are actually needed for your website. Due to these demand letters, third party tracking technologies are considered high risk and, if you are not actually using them (e.g. you are not running ads any more or you aren’t actively utilizing your website analytics), you should remove them from your website altogether. You can also consider replacing third party tracking scripts with privacy friendly alternatives.

Step 3: Add a consent solution for all scripts that remain on your website

To ensure that you obtain consent for any third party tracking technologies that remain on your website, add a consent solution to your website (visit the Embed Codes page of your Termageddon license for your consent code + implementation instructions).

Step 4: Ensure you have all third party scripts set to ‘off’ by default for your consent settings

Ensure that these third party technologies are off by default in the Cookie Policy and Consent Tool questionnaire. This means that the “accepted by default” setting should not be selected, and any non-essential tracking technologies should be classified as “Functional” or “Marketing” (under the General tab for each Service).

Step 5: Display your consent solution, at the very least, to website visitors from California

Ensure that the consent solution is properly displaying to visitors from California (you can use a VPN to access your site from California if needed), at the very least. You may want to consider simply displaying the consent solution to all visitors, thus giving all your website visitors the option to be opted out of third party tracking by default.   

Step 6: Test your consent solution

Testing is a key part of the web design process, and installing a consent solution is no exception.  After adding a consent tool to your website, it is essential that you test to ensure it is properly working. 

Steps for initial testing:
1. Visit your website in a fresh incognito window (using the Chrome browser). The consent tool should display (if it does not display, you may need to adjust geolocation settings so that you can properly test).
2. Right click (anywhere on your website), and click Inspect.
3. Click “Application” -> “Cookies”.
You should not see any non-essential tracking cookies load until after you click ‘accept all’ within the consent banner. The Network tab also shows which third party URLs are receiving data from your website.
This is for basic/initial testing.  For Termageddon customers, see the full guide link below on how to test, troubleshoot, and resolve any site specific issues.
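
The Network tab check above can also be scripted, which doubles as the inventory from Step 1. This is an added example, not Termageddon's code or part of the original article: it reads a HAR export saved from the Network tab before the banner is touched and lists every third party host that received a request or set a cookie. The site domain shop.example, the chat vendor host and the cookie name are constructed, and treating only subdomains of one domain as first party is a simplifying assumption.

```javascript
// Constructed sample: a trimmed HAR export (DevTools > Network > save as HAR),
// recorded in a fresh incognito window BEFORE clicking anything in the banner.
const sampleHar = { log: { entries: [
  { request: { url: "https://www.shop.example/" }, response: { cookies: [] } },
  { request: { url: "https://cdn.shop.example/site.css" }, response: { cookies: [] } },
  { request: { url: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" }, response: { cookies: [] } },
  { request: { url: "https://chat.vendor.example/widget.js" }, response: { cookies: [] } },
  { request: { url: "https://chat.vendor.example/session" }, response: { cookies: [{ name: "visitor_id" }] } },
  { request: { url: "data:image/png;base64,AAAA" }, response: { cookies: [] } },
] } };

// Assumption: a host is first party when it is the site's domain or one of its
// subdomains. A site served from several domains needs a list of domains here.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Returns one record per third party host contacted before consent was given.
function preConsentThirdParties(har, siteDomain) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    let url;
    try { url = new URL(entry.request.url); } catch { continue; } // unparsable URL
    if (url.protocol !== "http:" && url.protocol !== "https:") continue; // data:, blob:
    if (isFirstParty(url.hostname, siteDomain)) continue;
    const rec = byHost.get(url.hostname) ||
      { host: url.hostname, requests: 0, cookiesSet: [] };
    rec.requests += 1;
    const cookies = (entry.response && entry.response.cookies) || [];
    for (const c of cookies) rec.cookiesSet.push(c.name);
    byHost.set(url.hostname, rec);
  }
  return [...byHost.values()].sort((a, b) => (a.host < b.host ? -1 : 1));
}

const findings = preConsentThirdParties(sampleHar, "shop.example");
for (const f of findings) {
  console.log(`${f.host}: ${f.requests} request(s), cookies set: ${f.cookiesSet.join(", ") || "none"}`);
}
```

An empty result before consent is the goal; any host that appears is either a script to put behind the consent solution or one to classify as essential.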

Our step by step testing guide provides both written and video instructions on how to test. This article can also be found on the Embed Codes tab of each Termageddon license that has an activated Cookie Consent.

If you are using optimization or performance plugins (commonly found with WordPress websites), this is an important step. It’s best to exclude your consent solution from any type of performance modifications to ensure that it properly displays.

Step 7: Fix any issues found when testing 

If you see any issues when testing (e.g. non-essential tracking cookies are loading without consent), the step by step testing guide provides popular ways to resolve any site specific issues. 

Frequently asked questions

I’m using Google Tag Manager to load in third party scripts. How do I set up proper consent? 

You need to set up compatibility with Google Consent Mode.  For Termageddon customers, this step by step written/video guide will show you how to do this.  

When properly set up, this will allow your website visitors to provide consent on a per-script basis (aka granular consent), and Google Tag Manager will only fire the respective tags that the user consents to.
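
The default/update pattern behind Google Consent Mode, as an added example that is not Termageddon's code: every consent signal starts as denied, and a signal is granted only for a category the visitor explicitly accepted. The lowercase category names, their mapping to Consent Mode signals and the onConsentSaved hook are assumptions, and dataLayer is a local stand-in so the snippet runs outside a browser.

```javascript
// Stand-ins for window.dataLayer and the gtag() helper from the page's own snippet.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Assumed mapping from banner categories to Consent Mode signals.
// How a site classifies each service is its own decision.
const CATEGORY_TO_SIGNALS = {
  functional: ["analytics_storage", "functionality_storage", "personalization_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Build the consent object: a signal is "granted" only when its category was
// explicitly set to true; missing, false or any other value means "denied".
function consentState(choices) {
  const state = {};
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    const verdict = choices[category] === true ? "granted" : "denied";
    for (const signal of signals) state[signal] = verdict;
  }
  return state;
}

// 1. The default must be queued before 'js' and 'config', so that tags see
//    "denied" from the first moment they run.
gtag("consent", "default", consentState({}));
gtag("js", new Date());
gtag("config", "G-XXXXXXX");

// 2. Hypothetical hook: the consent banner calls this when the visitor saves
//    their choices, and only then are the accepted signals updated.
function onConsentSaved(choices) {
  gtag("consent", "update", consentState(choices));
}

// Constructed visit: the visitor accepts functional services, not marketing.
onConsentSaved({ functional: true, marketing: false });
```

In Google Tag Manager, each tag's consent settings then decide which of these signals it needs before it fires.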

I’m using a third party plugin/widget/module to install a third party technology. How do I get consent?

Plugins, modules, and widgets add a layer of complexity that may be difficult for consent solutions to manage. Therefore, whenever possible, we instead recommend copy/pasting the default script into the website (and not using the plugin, module, or widget), to help ensure proper consent can be set up.

My web building platform offers an integrations page, where I simply put in the IDs of the third party scripts that I want to integrate into my website.

Similar to the response above, when using a third party module to insert IDs to third party tracking technologies, this adds a layer of complexity that may or may not work well with consent solutions.  If your web building platform does not support consent with an ‘integrations’ page, it is best to deactivate that feature, and instead copy/paste the normal third party embed code directly into the <head> and then test/troubleshoot. 

Conclusion:

The steps above show exactly how to reduce your risk of receiving a CIPA demand letter. And to end on a positive note, by following these steps, chances are you learned more about how your website works, and you’ve set yourself up to respect the privacy rights of your website visitors.

Protect yourself while respecting your visitors’ personal privacy. Win win!

About the Author
Hans Skillrud

Hans is the Vice President of Termageddon, an auto-updating website policies generator. With Termageddon, you can generate a comprehensive set of policies for your website, and then receive automatic updates to your policies when the laws change.  When not working on Termageddon, you can find Hans gardening, beekeeping, fishing or taking care of his chickens.
