We try to keep things light-hearted in our Office Hours Q&A blog posts and to elaborate on or summarize the answers given by our host, Nathan Ingram, in a way that’s accessible to everyone.
However, during the January 29, 2026, Office Hours, we broached a heavier topic than usual, which has been getting a lot of attention in the WordPress and agency world recently: the California Invasion of Privacy Act (CIPA). Specifically, demand letters and even lawsuits showing up in inboxes for sites that use common tracking technologies.
Naturally, this has raised two logical questions: Is my website at risk? What do I need to do?
The purpose of this blog is not to offer legal advice, but to explain what CIPA is, why it’s coming up now, and what it could mean for your website. For legal advice specific to your situation, you should consult a qualified attorney.
What is CIPA, and why is everyone talking about it?
CIPA (California Invasion of Privacy Act) is a law initially passed in 1967 to prevent unlawful wiretapping and electronic eavesdropping. It was not written for the web we use today, but has since been adapted for it.
In recent years, it has become the basis for a surge of demand letters and lawsuits alleging that using common online tracking technologies (Google Analytics, pixels, session replay scripts, chat widgets, etc.) violates the Act, on the theory that doing so is equivalent to intercepting or recording visitor data without the visitor’s consent.
Those letters usually claim damages of up to $5,000 per violation and are not limited to California businesses. If your website is accessible to California residents (which most public sites are), you could receive such a letter.
What’s the core concern?
At the heart of it all lies a simple idea. If a site loads third-party tracking cookies (or transfers visitor data to another service) before the visitor gives explicit consent, some argue that it breaches CIPA’s consent requirements.
Merely having a cookie banner that says “We use cookies” isn’t enough. The tracking script must run only after the user has clicked “I agree.” What many sites do instead, and what the demand letters target, is load analytics or marketing scripts (and the cookies they set) automatically, before any consent is given.
Because this legal strategy is relatively new, there’s still significant uncertainty about how courts will ultimately interpret it. Some cases are reported to have advanced, while others have stalled.
If you want a more detailed, up-to-date breakdown of how CIPA is being interpreted and applied to websites, Termageddon has put together a comprehensive resource for website owners. It goes deeper into the legal background and current landscape.
What this means for your website
Given the uncertainty around CIPA, many are wondering whether they should do anything to their websites at all. That’s for each website owner to decide, but if you’d like to know what could put you in the spotlight, read on.
Additionally, there are alternatives and mitigation options available that should help your website continue operating normally without the potential risks of legal action.
Common tracking technologies that can trigger attention
First, check whether your website uses any of these technologies for analytics or tracking. Nobody would blame you if you did, as they are very popular and useful.
Google Analytics’s standard setup drops cookies by default.
Social media pixels (Meta, LinkedIn, TikTok).
Session replay or chat widgets.
Third-party scripts that transfer data off your site.
Even loading Google Fonts from Google’s servers counts as a third-party request that sends information to Google; hosting the fonts locally avoids it.
Sites that allow these to trigger before user consent is given are more likely to be spotted and targeted.
Practical alternatives and mitigations
For the time being, as the law still stands, there isn’t much wiggle room to allow for creative solutions. Because of that, you really have only two options for shoring up your website against this Act.
Get cookie consent before tracking: The most direct approach is to use a cookie consent tool that blocks tracking scripts until a user expressly opts in. A passive banner that merely informs doesn’t meet the standard. If this sounds familiar, it’s because it’s how GDPR cookie consent works in the EU. Here are a few examples:
Tools that block Google Analytics until acceptance, such as WPConsent and CookieYes.
Cookie banners that let users choose which categories they allow, or refuse them all, which the two plugins above can also do.
Configurations that hold scripts until consent is verified. These are typically customized to your website and setup.
Consider cookieless analytics: There are some WordPress analytics tools that don’t drop tracking cookies. For example, Independent Analytics is Nathan’s personal recommendation. It’s privacy-first, so it doesn’t use tracking cookies. It collects basic usage data without installing anything on the visitor’s device. If you don’t need session-level tracking or advanced marketing features, this is a good way to reduce risk.
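The “hold scripts until consent is verified” configuration above is, at its core, a small loader: tracking tags are written in an inert form and only swapped for live script tags once the visitor’s stored choice allows their category. The following is an added illustration of that pattern, not code from the original post or from any of the plugins named; the data-consent/data-src attributes and the localStorage key are assumptions.

```javascript
// Consent-gated script loading: tags written as
//   <script type="text/plain" data-consent="analytics" data-src="https://.../gtag.js"></script>
// are inert until the visitor opts in to their category. Attribute names and the
// storage key below are assumptions for this example, not a specific plugin's API.
const CONSENT_KEY = 'site_consent_v1';          // assumed localStorage key
const CATEGORIES = ['analytics', 'marketing'];   // categories the banner offers

// Parse a stored consent record; anything missing or malformed means "no consent".
function parseConsent(raw) {
  const granted = new Set();
  if (!raw) return granted;
  try {
    const rec = JSON.parse(raw);
    for (const c of CATEGORIES) if (rec[c] === true) granted.add(c);
  } catch (_) { /* unparsable storage is treated as no consent */ }
  return granted;
}

// Keep only the gated scripts whose category the visitor actually granted.
// `scripts` is a list of {category, src, ...} descriptors taken from the inert tags.
function selectActivatable(scripts, granted) {
  return scripts.filter((s) => granted.has(s.category));
}

// Browser-only: replace inert tags with real ones so the browser fetches and runs
// them now, and not before. Returns how many scripts were activated.
function activateGatedScripts(doc, granted) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = tags.map((t) => ({ category: t.dataset.consent, src: t.dataset.src, tag: t }));
  for (const s of selectActivatable(descriptors, granted)) {
    const live = doc.createElement('script');
    if (s.src) live.src = s.src; else live.textContent = s.tag.textContent; // external or inline tag
    s.tag.replaceWith(live);
  }
  return selectActivatable(descriptors, granted).length;
}

// Called by the banner's "I agree" / category-selection handler with the visitor's choices.
function recordConsent(storage, choices) {
  const rec = {};
  for (const c of CATEGORIES) rec[c] = choices[c] === true;  // unmentioned categories stay denied
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return parseConsent(storage.getItem(CONSENT_KEY));
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  // On every page load, activate only what was previously consented to; nothing tracks before that.
  activateGatedScripts(document, parseConsent(window.localStorage.getItem(CONSENT_KEY)));
}
```

A consent plugin adds a banner UI on top of this; the security-relevant part is that the tracker URL is never fetched until recordConsent has stored a true value for its category.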
Audit your site for cookies and tracking
One more thing you can do to see if you could end up in CIPA’s crosshairs is to see what cookies and tracking your site drops on your device. The process is quick and straightforward.
Open your website using any modern browser (we recommend Chrome).
Right-click the page and choose Inspect.
Go to the Application tab.
Click Cookies under Storage and see what’s being set.
This will show you both first- and third-party cookies, along with some info about which services generate them. For example, analytics and pixels may appear under domains such as google.com, gstatic.com, facebook.com, etc.
Keep in mind that this isn’t legal proof if it comes to that, but it’s a good way to see what’s happening on the site.
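The same audit can be scripted from the DevTools console, which makes it easier to repeat after changing a consent setting. The snippet below is an added example, not from the original post: it lists every third-party host the page has fetched so far (from the Resource Timing entries) and the cookie names visible to script. The sample entries and cookie string in the test are constructed, and the registrable-domain check is a two-label approximation rather than a public-suffix lookup.

```javascript
// Console audit: which third-party hosts were contacted, and which cookies are set,
// on a fresh page load before any consent was given. Added example; run it in the
// browser console on the page you are auditing.

// Approximate "site" as the last two labels of the host (www.google.com -> google.com).
// Assumption for this example: no public-suffix list, so co.uk-style domains are not special-cased.
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// `entries` are objects with a `name` URL, as returned by performance.getEntriesByType('resource').
// Returns the sorted, de-duplicated hostnames that belong to a different site than the page.
function thirdPartyHosts(entries, pageHost) {
  const own = registrableDomain(pageHost);
  const hosts = new Set();
  for (const e of entries) {
    let host = '';
    try { host = new URL(e.name).hostname; } catch (_) { continue; }
    if (!host) continue;                       // data: and blob: URLs have no host
    if (registrableDomain(host) !== own) hosts.add(host);
  }
  return Array.from(hosts).sort();
}

// Cookie names visible to script. HttpOnly cookies are not, so the Application tab
// in DevTools remains the complete view.
function cookieNames(cookieHeader) {
  return cookieHeader.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean).sort();
}

function auditPage(win) {
  return {
    thirdParty: thirdPartyHosts(win.performance.getEntriesByType('resource'), win.location.hostname),
    cookies: cookieNames(win.document.cookie),
  };
}

if (typeof window !== 'undefined') console.log(auditPage(window));
```

Run it once with consent declined and once after accepting: hosts such as googletagmanager.com or connect.facebook.net appearing in the first run mean a script fired before consent.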
Setting the correct expectations
Fortunately for all website owners, there is some movement in California to narrow the application of CIPA for routine commercial data practices, such as cookies and analytics. Namely, Senate Bill 690. It would exempt normal business tracking if a site is already complying with other privacy laws.
As that bill isn’t law yet and won’t apply retroactively, the environment remains uncertain. Conversations with compliance experts, including our recent discussion with Termageddon, suggest that the safest short-term approach is thoughtful consent management rather than waiting for courts or legislation to catch up.
And if you have any questions about how WordPress admins and agencies are complying with CIPA, or anything else about websites and hosting, join us in our Office Hours livestreams. They are every Thursday at 2 PM ET, where you can get your answers live.