Free website privacy scan · Vancouver, WA
They clicked Reject. Your site kept sending their data anyway.
In California, a visit like this is now $5,000 of exposure. Most owners never knew the trackers were there.
- $0
- per website visitor, in California
- ~0
- businesses sued so far
- $0
- up to, in Washington
This is not hypothetical
This is hitting businesses like yours, not just big companies.
The law is CIPA, California's Invasion of Privacy Act. It is from 1967 and was written about phone wiretaps, but plaintiffs are now pointing it at the tracking pixels on business websites. The damages are $5,000 for every website visit, and nobody has to prove they were harmed. A reform group counts around 3,000 businesses sued, and it is not slowing down.
HVAC · Folsom, CA · Feb 2026
Folsom Lake Heating & Air
Folsom Lake Heating and Air was served in early 2026 over the standard analytics on its website. The owner thought she was running normal tools. Her whole exposure was calculated at $5,000 per visitor.
$5,000 per visitor
Electrician · Sonoma County · 2026
Element Electric
Element Electric's owner got hit a few months later, then found the same person had already sued three other local businesses with the exact same complaint, word for word. A defense attorney who has handled over 500 of these said the demand letters are so identical they are “almost automated.”
3 more businesses · same complaint
The part that stings
“They are tracking me. They are not getting sued, I am.”
One owner put it plainly: the big platforms are the ones doing the tracking, but she is the one getting sued, not them.
Washington, the one that reaches you here
Washington's My Health My Data Act lets people sue directly, stacks damages up to $25,000, and defines “health data” so broadly it can catch a site with no obvious health angle. A Seattle retailer was sued in 2025 just for pixels sending purchase and appointment details to Google. If your site touches wellness or appointments, this is the one to watch.
Oregon
As of January 2026 the state can enforce directly, your site has to honor universal opt-out signals, and you cannot sell precise location data.
I am not here to scare you into anything, and none of this is fully settled law. But it is real, it is spreading toward small local businesses, and the demand letters are cheap to send. Knowing what your site does is the cheap side of this. Finding out in an envelope is not.
The part owners never see
The banner is often just for show.
Most people assume a cookie banner means they are covered. Usually it is the opposite. On a lot of small-business sites the tracking pixels are hardcoded to load the moment the page opens, so the Meta Pixel, Google Analytics, a session recorder like Hotjar or Microsoft Clarity, all of it fires whether the visitor clicks Accept, clicks Reject, or never touches the banner. The Reject button changes nothing. That data still travels out to ad platforms and brokers like LiveRamp and Acxiom, and the banner sitting on top of it can make things worse, because now the site is promising a choice it does not keep. This is almost never on purpose. It is usually a plugin someone installed a year ago and forgot.
They click Accept
cookie banner- Meta Pixelstill sending
- Google Analyticsstill sending
- Microsoft Claritystill sending
- TikTok Pixelstill sending
Everything fires, as expected.
They click Reject
cookie banner- Meta Pixelstill sending
- Google Analyticsstill sending
- Microsoft Claritystill sending
- TikTok Pixelstill sending
Everything fires anyway.
The free tool
Start with the free Exposure Scan. It is genuinely free and genuinely useful.
Enter your site and in about a minute you get a plain-language read on three things most owners have never seen:
- Every third-party tracker your site loads, by name and count.
- How many of those keep firing after a visitor clicks Reject.
- Whether your privacy policy actually names the trackers you are running, or says nothing about them.
That is a real snapshot of where you stand, yours to keep. Most people are surprised by the number alone.
If you want the full picture
The paid audit, when the free scan raises questions.
The Exposure Scan shows you the headline. The paid audit is the whole story, done by a person, not a robot. I go through every tracker, document what fires before consent, look at whether your banner is designed to mislead, find the gaps between what you run and what your policy admits to, and flag where each finding creates real risk in California, Washington, or Oregon. You get a short report you can actually read: a plain summary, findings ranked high, medium, and low, the fix for each, and a clear line on anything worth taking to your attorney. If you want the problems handled instead of just named, I can do that too, quoted from what the audit finds.
$650 for most small-business sites, and $500 to $900 depending on size. Fixes are quoted from what the audit finds.
The honest boundary.
I audit what your site actually does with visitor data and how your consent experience is designed. I flag where that creates legal exposure and tell you what to bring to an attorney. I do not give legal advice or certify compliance. That line is the whole point. You get a clear read of what is happening and what to do about it, from someone who works in websites, not billable hours.
Who this is for
If your site runs Google Analytics, a Meta or TikTok pixel, a booking or quote form, or a chat widget, it is running trackers, and this applies to you. It matters most in Washington, and for any site touching health, wellness, or appointments, where the rules are strictest and the exposure is highest.
Questions
Straight answers.
Genuinely free
Start with the free Exposure Scan.
See every tracker your site loads, how many ignore a Reject, and whether your policy names them. Yours to keep, in about a minute.