Why Businesses Are Getting Sued Over Website Cookies (and How to Protect Yourself)

Last week, I opened my Instagram DMs to a panicked message from a small business owner who’d just been hit with a lawsuit from a California law firm. And, turns out, she wasn’t the only one. This same attorney is going after dozens of businesses with nearly identical allegations: their cookie pop-up wasn’t set up correctly, didn’t include the right disclosures, or didn’t give users real choices about their data. The small business owner who messaged me is already somewhere between $20,000–$25,000 deep, trying to defend herself — all because she was missing this tiny pop-up:

[Image: cookie pop-up example]

This isn’t a scare tactic. It’s genuinely happening, and it’s one of the strangest legal “fishing expeditions” I’ve seen in a long time. Cookie lawsuits are exploding, especially in California, where attorneys are using laws like the California Invasion of Privacy Act (CIPA) and the California Consumer Privacy Act (CCPA/CPRA) to argue that everyday tracking tools — things like Google Analytics and Meta Pixels — violate users’ privacy rights when businesses don’t disclose them correctly. One tiny mistake can snowball into a five-figure legal bill. No small business owner has time for that.


1. So… What Are “Cookies,” Really?

Before we get into the legal mess, let’s make sure we’re talking about the same thing. “Cookies” are simply small data files stored on a visitor’s device when they land on your website. They sit quietly in the background and help remember things like logins, user preferences, or how someone navigates your site. Some cookies are essential for your website to work. Others track analytics, help personalize the user experience, or allow your ads to show up in the right places. Almost every modern website uses them in some capacity, and most businesses don’t realize how many are firing the moment someone lands on their home page.

Here’s the quick breakdown:

Essential Cookies
These keep your site functional — shopping carts, logins, basic operations.

Analytics Cookies
Google Analytics, heat maps, session tracking, etc.

Marketing/Retargeting Cookies
Your Facebook Pixel, Instagram tracking, Google Ads, TikTok Ads… all the fun stuff.

Functional Cookies
These remember preferences like dark mode, location, or language.

How businesses use cookies:
• Managing customer sessions
• Personalizing the website experience
• Tracking behavior for analytics
• Running targeted ads
• Improving user flow and sales funnels

2. Why Websites Need Cookie Pop-Ups

The legal issue isn’t the cookies themselves — it’s the transparency surrounding them. The United States doesn’t have one overarching federal cookie law, so we’re dealing with a growing patchwork of state rules and international requirements. California is leading the charge with CCPA/CPRA, which treats many cookies as “personal information,” especially when they track behavior tied to a specific device or person. If your cookies collect that type of data, you’re required to tell users what you’re collecting, why you’re collecting it, and whether that data goes to any third parties.

SIDE NOTE: If you’re using tracking for retargeting or cross-context advertising, California may even consider that a “sale” of personal information, which triggers a whole new level of obligations.

Virginia, Colorado, Connecticut, Utah, and several other states are following suit with their own privacy laws that give users rights to opt out of targeted advertising, profiling, and data sharing. In many cases cookies are what enable these activities, so websites have to give people a meaningful way to opt out.

3. International Rules: GDPR & ePrivacy (Europe)

Even international rules come into play. GDPR and the ePrivacy Directive require businesses to get consent before using any non-essential cookies — and that includes analytics and marketing cookies. Yes, even U.S. businesses can be subject to these rules if Europeans can access their websites. These laws insist on clear explanations, real consent (not a sneaky “Accept Only” button), proof that consent was collected, and the ability for users to change their mind just as easily as they gave permission.

4. The Surge in Lawsuits and Demand Letters… YIKES!

All of this sets the perfect stage for lawsuits, because most small business websites weren’t built with privacy laws in mind. Because of that, plaintiffs’ attorneys have been targeting things like cookie banners that don’t actually let users decline tracking, pop-ups that still allow analytics to fire in the background, confusing layouts that push users toward “accept,” or disclosures that simply don’t match what’s happening behind the scenes. They’ve also gotten creative — some are using California’s old wiretapping law (CIPA) to argue that everyday web tools like pixels, cookies, and session-replay software are secretly “intercepting” communications. Yes… these arguments can be a stretch, but it hasn’t stopped plaintiffs’ attorneys from using them aggressively.

What makes all of this even more complicated is that businesses don’t need to be in California to be sued under California law. Attorneys have been sending these demand letters nationwide, insisting that CIPA applies if a California resident visited the business’s website. Because CIPA allows statutory damages of $5,000 per violation, these claims become incredibly tempting for law firms that are looking to pressure small businesses into quick “nuisance-value” settlements.

5. What California Is Doing About It

The good news is that California lawmakers have finally taken notice! Over the last 18 months, more than 1,500 businesses have been sued under CIPA, with plaintiffs arguing that totally normal business practices — saving a shopping cart, running analytics, or showing a retargeting ad — somehow count as “wiretapping” or using an illegal “pen register.” It’s gotten so out of hand that the California Senate publicly called these cases what they are: shakedown lawsuits.

That’s where Senate Bill 690 comes in. In simple terms, SB 690 would carve out a “commercial business purpose” exception so that businesses using cookies, pixels, and analytics in a normal, disclosed, consumer-friendly way are not treated like they’re spying on anyone. It makes clear that tools used to further a legitimate business purpose — or tools subject to consumer opt-out rights — are not wiretaps, not pen registers, and not eavesdropping devices. If SB 690 becomes law, which looks very likely given its bipartisan support, it could take effect sometime in 2026.

The bill has already passed the California Senate unanimously, but it was sent to the Assembly’s Privacy and Consumer Protection Committee for further review. The Assembly does not plan to take up the bill in 2025, but it is likely to be considered in 2026. If the Assembly approves the bill without any changes, it will then go to the Governor to be signed into law. If the Assembly proposes amendments, the bill will return to the Senate for an additional vote before heading to the Governor.

But here’s the important part: this bill would not apply retroactively. That means businesses can still be sued under the current version of CIPA until the effective date of the bill. And unfortunately, that may motivate even more lawsuits in the short term as plaintiffs’ attorneys race to file before the law changes.

This is why small businesses need to tighten things up now. Small businesses are especially vulnerable because most small business owners assume this is something their web designer handled, when, in reality, many web designers simply don’t touch the cookie or privacy-law side of things. Tools like Google Analytics, Shopify integrations, and CRM tracking often load automatically unless someone specifically disables them. If you're a Showit user, for example, you may not even realize what’s firing on your site. And, once a cookie is tracking someone, the legal obligations kick in, whether you meant to collect the data or not.

6. Why Your Privacy Policy Has To Talk About Cookies

One huge misconception I see? People think a cookie banner alone solves everything. It doesn’t. Your Privacy Policy needs to match your cookie disclosures. So, your Privacy Policy is where you explain, in plain English, what information you collect, how you collect it, why you collect it, and who you share it with. And because cookies are one of the main ways websites gather personal information, they can’t be ignored or mentioned as a tiny footnote. If your site uses analytics, retargeting tools, pixels, heat maps, or session replay technology, that activity has to be reflected in your Privacy Policy. Otherwise, there’s a big mismatch between what your site is actually doing and what you’re promising users.

Thus, if your cookie banner says one thing and your Privacy Policy says something else — or worse, says nothing — that inconsistency becomes a massive legal vulnerability. Plaintiffs’ attorneys love finding outdated privacy policies because it makes the case for “deceptive business practices” much easier.

7. Another Overlooked Issue: Website Accessibility

There’s also a related issue that’s quietly creeping into these lawsuits: website accessibility. ADA-based complaints have skyrocketed in the last few years, and some lawyers are bundling accessibility issues with cookie claims. If your website isn’t compatible with screen readers, doesn’t have alt text, isn’t navigable by keyboard, or lacks proper contrast, you could end up with a whole second lawsuit stapled to the first one. This is especially true for businesses with brick-and-mortar locations, or any business that offers online ordering or booking.

8. How to Make Your Website Legally Compliant

If you’re reading all of this and feeling a little overwhelmed, take a breath — you’re not alone. Website compliance feels intimidating because so much of it happens behind the scenes, and most small business owners have no idea what cookies, pixels, or analytics tools their sites are quietly firing in the background. The good news is that getting legally compliant isn’t nearly as complicated as it sounds. It’s really about understanding what your site is doing, telling your users the truth about that activity, and giving them a real choice when it comes to their data. Once you take a few key steps, your website becomes significantly safer, stronger, and far less attractive to the attorneys sending out these demand letters.

To keep this simple, here’s a straightforward checklist you can work through to get your website legally compliant in no time:

Website Compliance Checklist

✓ Run a full cookie scan to identify every tracking tool firing on your site — especially the ones you didn’t know were there.

✓ Install a compliant cookie banner that doesn’t load analytics or marketing cookies until after a user chooses. Your banner should allow users to accept, decline, or set their preferences without any tricks or pressure.

✓ Update your Privacy Policy so it accurately explains what cookies you use, what data they collect, who receives that data, how users can opt out, and what rights they have under laws like CCPA/CPRA.

✓ Add an Accessibility Statement and begin working toward basic ADA-friendly features like alt text, proper contrast, and screen-reader compatibility.

✓ Double-check with your web designer or your website platform settings to make sure no one has auto-installed analytics or tracking tools without your knowledge. Showit, Shopify, Squarespace, and Wix users especially — take a look at your integrations and plugin settings.

✓ Use attorney-drafted Website Terms & Conditions and a Privacy Policy that are reviewed and updated as the law changes. These two documents are your website’s legal backbone, so this is not the place to copy and paste something from Google.
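To make the first two checklist items concrete (the cookie scan, and a banner that keeps analytics and marketing tags from firing until the visitor chooses), here is an added example of a small consent-gated tag loader. It is illustration code written for this post, not code from The Legal Paige or from any banner vendor. It uses the four cookie categories from section 1, records the visitor’s choice with a timestamp so you can show when consent was given, and treats a missing, malformed, or out-of-date consent cookie as “no consent yet,” so nothing non-essential loads by default. The cookie name `cookie_consent`, the 180-day lifetime, the `data-consent` attribute, and the button ids `cc-accept` and `cc-reject` are all assumptions; swap in whatever your banner tool uses.

```javascript
// Added example (not the post's or any vendor's code): a minimal consent-gated tag loader.
// Non-essential scripts stay inert until the visitor decides; the decision is stored with a
// timestamp so consent can be evidenced and withdrawn. Cookie name, categories, attribute
// name, button ids and the 180-day lifetime are assumptions.

const CATEGORIES = ["essential", "functional", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent";        // assumed cookie name
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60;     // 180 days, in seconds (assumed)
const CONSENT_VERSION = 1;                      // bump when the disclosure text changes

// State before any choice: only strictly necessary cookies are permitted.
function defaultConsent() {
  return { version: CONSENT_VERSION, decided: false, timestamp: null,
           categories: { essential: true, functional: false, analytics: false, marketing: false } };
}

// Turn the visitor's action ("acceptAll", "rejectAll", or an object of per-category
// booleans) into a consent record. "essential" can never be switched off.
function recordChoice(choice, now = Date.now()) {
  const record = defaultConsent();
  record.decided = true;
  record.timestamp = now;
  for (const cat of CATEGORIES) {
    if (cat === "essential") continue;
    if (choice === "acceptAll") record.categories[cat] = true;
    else if (choice === "rejectAll") record.categories[cat] = false;
    else record.categories[cat] = choice[cat] === true;
  }
  return record;
}

// Serialise for document.cookie. SameSite=Lax and Secure keep the consent cookie from
// being sent cross-site or over plain HTTP; Max-Age bounds how long the choice is honoured.
function serializeConsent(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Read the record back from a cookie header string. Anything missing, malformed, or written
// under an older disclosure version falls back to "no consent yet" (fail closed).
function parseConsent(cookieHeader) {
  const pair = (cookieHeader || "").split(";").map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return defaultConsent();
  try {
    const rec = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (rec.version !== CONSENT_VERSION || typeof rec.categories !== "object" || rec.categories === null) {
      return defaultConsent();
    }
    const out = defaultConsent();
    out.decided = rec.decided === true;
    out.timestamp = typeof rec.timestamp === "number" ? rec.timestamp : null;
    for (const cat of CATEGORIES) {
      if (cat !== "essential") out.categories[cat] = rec.categories[cat] === true;
    }
    return out;
  } catch (e) {
    return defaultConsent();
  }
}

// Decide which tags may run. Tags with an unknown category are never allowed.
function tagsAllowed(consent, tags) {
  return tags.filter((t) => t.category === "essential" || consent.categories[t.category] === true);
}

// "Run a cookie scan" helper: names of cookies currently set, plus every script host that is
// not your own domain (those are the third parties receiving visitor data).
function inventory(cookieHeader, scriptSrcs, ownHost) {
  const cookies = (cookieHeader || "").split(";").map((s) => s.trim()).filter(Boolean)
    .map((s) => s.split("=")[0]);
  const thirdParties = new Set();
  for (const src of scriptSrcs) {
    try {
      const host = new URL(src, `https://${ownHost}/`).hostname;
      if (host !== ownHost) thirdParties.add(host);
    } catch (e) { /* skip malformed src values */ }
  }
  return { cookies, thirdParties: [...thirdParties].sort() };
}

// Browser wiring. Author tracking tags as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser does not execute them; only the allowed ones are swapped for live scripts.
function activateAllowedScripts(consent, doc) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = inert.map((el) => ({ category: el.dataset.consent, el }));
  for (const { el } of tagsAllowed(consent, tags)) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}

if (typeof document !== "undefined") {
  activateAllowedScripts(parseConsent(document.cookie), document); // only what was already agreed
  for (const [id, choice] of [["cc-accept", "acceptAll"], ["cc-reject", "rejectAll"]]) {
    const btn = document.getElementById(id);                        // assumed banner button ids
    if (btn) btn.addEventListener("click", () => {
      const rec = recordChoice(choice);
      document.cookie = serializeConsent(rec);
      activateAllowedScripts(rec, document);
    });
  }
}
```

The important design point is the fail-closed default: until `parseConsent` finds a valid, current-version record, every non-essential tag stays inert, which is exactly the behaviour the lawsuits described above are alleging is missing. Running `inventory(document.cookie, [...document.scripts].map((s) => s.src), location.hostname)` in the browser console gives a quick first pass at the cookie-scan step, though a real scan should also be done after accepting all categories, since that is when the most tags fire.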

Final Thoughts

At the end of the day, this all comes down to transparency and accuracy. You don’t need to be perfect. You just need to be clear and truthful about the data you collect and give people a real choice about how their information is used. A solid Privacy Policy, strong Website Terms & Conditions, and a properly functioning cookie banner can save you from very real, very expensive legal headaches… especially in California, where CIPA and CCPA/CPRA lawsuits are only growing.

And if you’re thinking, “Paige, I don’t even know where to start,” this is exactly why The Legal Paige created up-to-date, attorney-drafted Website Terms & Conditions and Website Privacy Policy templates. They’re written with cookie usage, tracking tools, and modern privacy laws in mind — and we update them regularly as privacy laws evolve, so your website stays protected even as the legal landscape shifts and you won’t be stuck wondering whether your documents still cover you. This is the easiest, safest way to get compliant fast — without spending months trying to figure it out yourself.

Once you have those two foundational legal documents in place, make sure your cookie pop-up links directly to your Privacy Policy, and your Privacy Policy links back to the cookie preferences or opt-out section. This simple loop of transparency is one of the strongest ways to protect your business and build trust with every person who lands on your site.

And if you’re looking for a tool to actually build a compliant cookie pop-up, you can start with something straightforward like WebsitePolicies’ Cookie Consent Banner Generator (https://www.websitepolicies.com/cookie-consent-banner-generator), or find a third-party app that integrates well with your website builder. The key is choosing a tool that lets users easily accept, decline, or adjust their cookie settings — and making sure it works seamlessly with the Website T&Cs and Privacy Policy you publish on your site.


THIS BLOG POST IS NOT A SUBSTITUTE FOR LEGAL ADVICE. EVERY SITUATION IS DIFFERENT & IS FACT-SPECIFIC.

A proper legal analysis is necessary based on your location and contract. Consult an attorney in your home state for advice regarding your contract or specific legal situation.
