Here’s what’s going on…
Throughout 2024, several agency partners have reported to us that they have small business clients (non-Termageddon customers) who have received demand letters due to their website being non-compliant with the California Invasion of Privacy Act (CIPA).
CIPA, a decades-old privacy law originally written to address telephone wiretapping and eavesdropping, is now being reinterpreted in lawsuits and demand letters to apply to website owners. The law allows California consumers to sue businesses directly for violations and obtain statutory damages of $5,000 per violation (in practice, per site visitor whose rights were allegedly infringed). If a website uses tracking technologies without first getting consent from California visitors, the website owner is at risk of being sued under this law.
This law can apply to businesses formed outside of California, and the size of the business does not matter. We are directly aware of several small business website owners (located in and outside of California) who are actively dealing with this type of lawsuit, and several articles have been released covering larger companies like the LA Times, CNN and StitchFix who are also being sued for CIPA non-compliance.
Our latest article covering CIPA further addresses who this law applies to, the consequences for non-compliance, the dramatic rise in website-related lawsuits filed, and how you and your clients can avoid this issue. Below, you will find a summary of actionable steps you can take.
We have also provided some pre-written email templates below, which you are welcome to share with your clients to educate them on this new development.
How to address this new law
In light of this recent news, and out of an abundance of caution, we have released compatibility with CIPA. Termageddon currently stands as the only generator actively addressing this law.
For any of our customers that marked that they collect the personal information of Californians where CPRA does not apply (one of California’s other privacy laws), we have released the opt-in consent framework (aka the GDPR framework) as an additional feature to add to each impacted website.
Steps: activate the Cookie Policy and consent tool within each impacted license, then add the cookie consent banner to each website so that third-party tracking technologies are blocked by default (at least for visitors from California) until the visitor opts in.
Here are step-by-step instructions on how to do this.
If you are using the Termageddon WordPress plugin’s geolocation feature for any of your client sites, we recommend selecting/enabling the option to display the consent tool to visitors from California.
How to educate clients about this change
1. For your existing clients who use Termageddon, here’s a pre-written email sequence you can use to send to your clients, educating them on this update, and how you will go about embedding the cookie consent for them. You can choose to charge a setup fee or not (we recommend you do).
- Reminder: each license has a ‘users’ tab where you can ensure your client gets access to their license. That way, they receive updates directly from us when privacy laws change. We recommend you share license access if you haven’t already when reselling Termageddon to clients.
2. For customers that don’t already use Termageddon, here is a pre-written email sequence you can send, discussing how non-compliance with applicable privacy laws may now result in lawsuits and what they can do to address the issue.
- If you haven’t already, now would be a great time to ensure clients sign the website policies waiver just to help protect your own agency.
Frequently Asked Questions
What counts as a tracking technology?
Common examples of tracking technologies include many popular third-party video embeds, map embeds, analytics/heatmap scripts, visitor intelligence services, and ad tracking pixels. If you have clients that use third-party tracking technologies and get traffic from California visitors, it is best to set up compatibility with CIPA (even if the client is located outside of California).
Is this really happening?
There are multiple sources online (Examples 1, 2, and 3) discussing this increase in lawsuits related to website owners not complying with CIPA. We are also personally aware of several agency partners who have reached out to us, informing us that they have small business customers (who aren't using Termageddon) who have received these demand letters.
Can I just block visitors from California instead?
Yes, you can. If your website isn't available to Californians, then you aren't tracking them with your website, and therefore you can avoid adding a cookie consent to the website (assuming no other applicable laws require one).
This can, however, be a slippery slope, so be cautious. As more laws pass, you would continually need to block more and more visitors from more and more areas of the world. This may not be a fruitful long-term strategy.
How can I avoid needing a cookie consent tool at all?
To avoid needing a cookie consent tool under CIPA, you have to ensure you're not tracking your website visitors behind the scenes. That means removing the third-party scripts and embeds that send visitor data (at minimum, the visitor's IP address) to another company.
Here are common features we see on websites that could involve 3rd party tracking:
- Store fonts locally – using Google Fonts? Download the font files and serve them from your own server. This avoids needing consent to load custom fonts, and the site usually loads faster too (one fewer third-party connection). Note also that a German court ruled in 2022 that loading Google Fonts remotely without consent violated the GDPR, because it sends the visitor's IP address to Google.
- Load videos locally – instead of embedding YouTube or Vimeo videos, load videos locally.
- Try privacy-focused analytics alternatives – Instead of Google Analytics 4, try using UseFathom.com or Matomo Analytics.
- Avoid embedded maps – Google Maps is another third-party script that loads maps. It’s a great experience, but technically it’s a third party. Perhaps you can list just an address or provide a map screenshot or a Google Maps link as a privacy-focused alternative.
- Alternative to reCAPTCHA – Try using Friendly Captcha or another privacy-focused captcha alternative.
- Don't use IP address intelligence services – If customers want to inquire, they'll inquire. Avoid services that look up your site visitors' IP addresses and hand you their contact or company information. If you need to use such a tool, ensure you get consent from site visitors first.
There will be scenarios where clients require you to install at least some of the above tracking technologies. It is best practice to get consent from at least California visitors when using these 3rd party tracking technologies.
How long does setup take per site?
About 20 minutes per site, with the majority of that time spent on QA/testing. Generate the Cookie Policy and Consent Tool, embed the new codes, and then troubleshoot. Here are step-by-step instructions. Testing and QA is a critical step. For example, open the site in a fresh incognito window, click 'decline' for all non-essential cookies, and then visit each page to confirm that third-party scripts are blocked from loading; a YouTube embed, for instance, should not load at all after a 'deny'. The browser's developer tools Network tab is the most reliable place to check this: filter the requests by domain and make sure nothing is sent to hosts like youtube.com or google-analytics.com after declining. Be sure to also visit and test pages with forms where people submit data to ensure they still work. Testing/QA can take as little as 5 minutes for simple informational sites or longer for more complex websites with advanced features (e-commerce, login portals, extensive third-party features implemented into the site, etc.).
Ensure that you have any geolocation settings set to display the consent solution to visitors from California.
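The 'decline and check' test above is easy to get wrong by eye on a page with dozens of requests. Below is an added example (not Termageddon's code and not part of the original page) that does the classification for you: given the page's own URL and the list of resource URLs the browser loaded after 'decline', it separates first-party from third-party requests and flags hosts on a short, hand-maintained tracker list. In a real browser you would collect the URLs after clicking 'decline' with `performance.getEntriesByType('resource').map(e => e.name)`; here the URL list, the tracker list and the two-label public suffix table are constructed for the demo and are assumptions, not authoritative data.

```javascript
// Added example, not code from Termageddon or from the original page.
// Audits a list of resource URLs a page loaded after the visitor clicked "decline",
// separating first-party from third-party requests and flagging known tracker hosts.
// In a real browser, gather the URLs with:
//   performance.getEntriesByType('resource').map(e => e.name)

// Illustrative tracker host list (an assumption, not an authoritative blocklist).
// Extend it with the services your clients actually use.
const KNOWN_TRACKER_HOSTS = [
  'google-analytics.com',
  'googletagmanager.com',
  'doubleclick.net',
  'facebook.net',
  'hotjar.com',
  'youtube.com',
  'fonts.googleapis.com',
  'fonts.gstatic.com',
  'maps.googleapis.com',
];

// A few public suffixes that take two labels. Real tooling should use the full
// Public Suffix List; this short table is enough for the example.
const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp', 'com.br']);

// Approximate the registrable domain (eTLD+1) of a hostname, so that
// cdn.example.com and www.example.com both count as "example.com".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  if (labels.length <= 2) return labels.join('.');
  const lastTwo = labels.slice(-2).join('.');
  const take = TWO_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// True when the host equals a listed tracker host or is a subdomain of one.
function matchesTrackerList(hostname) {
  const h = hostname.toLowerCase();
  return KNOWN_TRACKER_HOSTS.some(t => h === t || h.endsWith('.' + t));
}

// Classify every URL relative to the page's own registrable domain.
function auditRequests(pageUrl, resourceUrls) {
  const site = registrableDomain(new URL(pageUrl).hostname);
  const result = { firstParty: [], thirdParty: [], skipped: [] };
  for (const raw of resourceUrls) {
    let url;
    try { url = new URL(raw); } catch { result.skipped.push(raw); continue; }
    // data:, blob: and similar schemes contact no server, so they cannot leak anything.
    if (url.protocol !== 'http:' && url.protocol !== 'https:') { result.skipped.push(raw); continue; }
    const host = url.hostname;
    if (registrableDomain(host) === site) {
      result.firstParty.push(raw);
    } else {
      result.thirdParty.push({ url: raw, host, knownTracker: matchesTrackerList(host) });
    }
  }
  return result;
}

// The "decline" test passes only when no request left the first party at all:
// an unlisted third-party host still receives the visitor's IP address.
function declineTestPasses(audit) {
  return audit.thirdParty.length === 0;
}

// Constructed sample: what the Network tab might show after clicking "decline"
// on a site whose consent tool is not actually blocking anything.
const SAMPLE_PAGE = 'https://example.com/contact';
const SAMPLE_RESOURCES = [
  'https://example.com/assets/app.js',
  'https://cdn.example.com/img/logo.png',
  'https://www.youtube.com/embed/abc123',
  'https://fonts.googleapis.com/css?family=Roboto',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX',
  'https://static.hotjar.com/c/hotjar-1234.js',
  'https://cdn.jsdelivr.net/npm/some-lib@1.0.0/dist/lib.min.js',
  'data:image/png;base64,iVBORw0KGgo=',
];

const sampleAudit = auditRequests(SAMPLE_PAGE, SAMPLE_RESOURCES);
for (const r of sampleAudit.thirdParty) {
  console.log(`${r.knownTracker ? 'TRACKER    ' : 'third-party'} ${r.host}  ${r.url}`);
}
console.log(declineTestPasses(sampleAudit)
  ? 'PASS: no third-party requests after decline'
  : 'FAIL: third-party requests still made after decline');
```

Run it once with the list captured after 'decline' and once after 'accept': the first run should report no third-party hosts at all, and the second is a handy inventory of everything the Cookie Policy needs to disclose. Unlisted third-party hosts (the jsdelivr CDN in the sample) are still reported as failures on purpose, since the visitor's IP address reaches that host whether or not it is on a tracker list.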
Other questions?
If you have any other questions, feel free to review our support portal or contact us.