CIPA (California Invasion of Privacy Act) has become a hot topic lately, and we’ve seen many agency owners ask questions about it during our Office Hours livestreams. We first discussed it during our January 29, 2026, stream, but the questions have kept coming since then.
Do I need to do something about CIPA?“
“Are cookies suddenly illegal?“
“Is my website out of compliance right now?
We decided enough is enough; the people need clarity, so we invited Hans Skillrud from Termageddon to join us on our most recent Office Hours. He is the co-founder of Termageddon, a website policy generator, and the perfect man to answer all those burning questions.
CIPA in plain English
CIPA is a California law that aims to prevent the collection of users’ data without their consent. Sounds like a noble law, right?
The issue arises when third-party cookies load automatically into a user’s browser without their consent. That’s what Hans stressed himself.
Before you try to fix anything, you need to understand what problem the law is actually trying to solve.
At a high level, CIPA is about consent and communication. However, many people have been introduced to it in a much less positive manner. Usually through:
Lawsuits in the news or directly aimed at them.
Alarming blog posts.
Tools marketed as “mandatory.”
So during our livestream, Hans clarified what CIPA isn’t. It’s not brand-new, it’s not a sudden ban on cookies, and it doesn’t put every website at risk overnight. Still, cookies are at the center of it, and he explained why.
Why cookies became the flashpoint
One thing Hans pointed out is that cookies aren’t inherently bad. They are, in fact, essential for many normal website functions (such as staying logged in).
Not all cookies are to blame for this sudden surge in CIPA cases, since the act focuses on third-party cookies that track user data like the cookies Google Analytics drops, for example. However, because of that, all other cookies end up lumped in with them.
The real issue is how data is collected and whether users understand it.
Where website owners get tripped up
Agencies are important to us at hosting.com, and seeing the chaos CIPA has introduced hits too close to home.
Many website and agency owners have suddenly found themselves in an uncertain situation, so some common assumptions have started to emerge. The biggest and most misleading one that Hans mentioned is “If I add a cookie banner, I am compliant.”
Unfortunately, that’s not the case. As Hans said, having a cookie banner that simply informs you are collecting user data, without giving users the option to decline, is as useful as not having a banner at all.
What websites need to do
We touched on this during the Q&A blog post we mentioned earlier, but there are ways and tools for website owners to be compliant without significantly disrupting their operations.
Regardless of the tool or solution used, the first thing any website owner must do is understand what data your site collects and what cookies it uses. The most common third-party cookies that CIPA can target include Google Analytics, Facebook Pixel, Instagram tags, and YouTube embeds.
A neat trick that Hans showed during the stream is that you can open your website in incognito mode, right-click it, and then Inspect. There is a Cookie tab where you can find all the cookies your website uses. Third-party ones typically show which domain they lead to.
You can then implement features to block these cookies until explicit consent is given, or use an analytics solution that doesn’t drop tracking cookies, like Independent Analytics for WordPress.
However, one viewer asked if they should bother with all this since they don’t have any visitors from the U.S., and Hans’ answer was spot on:
It's a lot to take in initially, but I can't help but encourage you. Instead of trying to fight against it [CIPA], embrace it because it's here. Get proper consent and have proper policies, and move on in life.
When it makes sense to get extra help
For many agency owners, being informed about CIPA and knowing how to handle it is probably enough. They are professionals who handle such issues for a living. However, to the everyday site owner, it can be overwhelming.
So, let's break it down for you. If your site is:
Running advertising or tracking-heavy tools.
Relying heavily on analytics.
Serving users in multiple regions.
Handling sensitive data.
Then it’s a good idea to talk to a professional in the field. It’s not because you are in trouble necessarily, but, as Hans said earlier, it’s easier to be compliant. It also future-proofs you for any other laws that may crop up.
We recommend Termageddon. Not because we had him on our livestream. We had him on our livestream because of Termageddon. It’s a tried-and-tested solution for issues exactly like CIPA. Hans even offered his email ([email protected]) as a direct line of communication.
The takeaway
We hope that this interview with Hans was helpful. We strongly recommend watching the livestream to learn even more about CIPA and compliance.
What you should remember is that there’s no need to panic. You simply need to understand which cookies your website uses and how to control them. Complying with CIPA and similar laws is about transparency and user agency.
And if you’d like to ask Nathan and our community a question about CIPA, or anything else related to websites, hosting, and agencies, register for our Office Hours livestreams to get answers live.
