A while back, posts started popping up in my web designer groups about small business owners getting demand letters from law firms. The claim? Their website tracked a visitor without consent. The ask? $5,000. Per visitor.
These weren’t tech companies. One was a photographer. Another ran a little online boutique. Businesses with websites that look a whole lot like yours.
Take a breath, though. You’re not in trouble. You just have a to-do, and by the end of this post you’ll know whether you need a cookie consent banner [you do] and how to get one set up without a law degree or a scary legal bill.
Quick heads up: I use referral links for Termageddon in this post because I genuinely use it on my own site and recommend it to clients. If you sign up through my link, I may earn a small commission at no extra cost to you, but you also save 10%. [That’s a win for both of us!]
Also important: I’m not a lawyer, and nothing here is legal advice. It’s one web designer sharing what she’s learned so you can make informed decisions about your own site. When in doubt, talk to an actual attorney.
Wait, My Website Tracks People?
Probably, yes. And I’d bet you didn’t set out to do it.
The tools you forgot you installed
Most website owners hear “tracking” and picture some shady data operation. But tracking tools hide in the most ordinary places:
- Google Analytics – collects IP addresses and browsing behavior
- Meta Pixel – even one left over from an ad campaign you ran years ago
- Pinterest tags – same deal
- Embedded YouTube videos – yep, those count
- Google Fonts and Google Maps – loading these from Google’s servers can share visitor data too
If your site has any of these, and it’s highly likely you’re using Google fonts on your website, you’re collecting visitor information. Using these tools isn’t the problem. The problem is using them without telling anyone, and increasingly, without asking permission first. The Better Business Bureau has a solid plain-English overview of what privacy policies need to disclose if you want a neutral second opinion on all this.
The 5-minute self-audit
Grab a coffee and answer these honestly:
- Do you have a contact form?
- Do you have an email signup form?
- Do you use Google Analytics or any analytics tool?
- Do you have a Facebook, Meta, or Pinterest pixel installed (even an old one)?
- Do you embed YouTube videos, Google Maps, or Google Fonts?
- Do you sell anything on your site?
Answered yes to even one? Keep reading. Yes to number 3, 4, or 5? The next section is specifically for you.
The Lawsuit Nobody Warned You About (CIPA)
Here’s where it gets real.
What the California Invasion of Privacy Act actually says
The California Invasion of Privacy Act (CIPA) is an old wiretapping law that lawyers are now applying to websites. The argument goes like this: if your site uses tracking tools to record what visitors do without their consent, that’s a form of illegal eavesdropping.
I know. A wiretapping law from the era of actual telephone wires, aimed at your Pinterest tag. Welcome to the internet in 2026.
Unlike most privacy laws, CIPA lets individuals sue businesses directly. No government agency has to get involved. Small business owners have received demand letters asking for $5,000 or more per website visitor. Termageddon keeps a running guide on CIPA and website tracking claims that’s worth a read if you want the full legal picture.
Why “but I’m not in California” doesn’t protect you
Privacy laws protect people, not businesses. That means they follow the visitor.
If someone in California lands on your website and your Meta Pixel fires before they’ve consented, California’s law can apply. It doesn’t matter that you’re in Texas, Ohio, or Nova Scotia. Your website is open to the whole internet, and the whole internet includes California. Rocket Lawyer’s small business guide to digital privacy laws breaks down how these state laws reach across borders, and it’s eye-opening.
CIPA also has no revenue threshold. There’s no “too small to matter” exemption. Honestly, small businesses can make easier targets because they’re less likely to have lawyers on retainer.
What a demand letter looks like (and costs)
It’s usually a letter from a law firm claiming your site tracked their client without consent, with a settlement demand attached. Even a weak claim costs money to respond to. Hiring an attorney to make it go away costs more. Settling costs the most.
Prevention, meanwhile, costs about what you’d spend on a nice dinner out. We’ll get there.
What a Cookie Consent Banner Actually Does
A real cookie consent banner does one job: it stops tracking tools from loading until the visitor says yes.
Consent before tracking. That’s the whole point.
There’s a business upside here too, beyond the legal stuff. A Cisco survey found that 94% of consumers are more likely to trust companies that protect their data. Your visitors notice when you handle their info with care, even if they never consciously think about it.
Cookie consent banner vs. cookie policy vs. privacy policy
These three get mixed up constantly, so let’s untangle them:
- Privacy policy – the document disclosing what personal info your site collects, what you do with it, and who you share it with. I covered which laws require one in my guide to website privacy laws.
- Cookie policy – explains the specific cookies and trackers your site uses and why.
- Cookie consent banner – the interactive piece that asks visitors for permission and actually blocks trackers until they agree.
You likely need all three working together.
Why that fake “we use cookies, OK?” bar doesn’t count
You’ve seen those little bars that say “This site uses cookies” with a single OK button.
Cute. Useless.
A banner only counts if it gives visitors a real choice, including the option to decline, and actually prevents tracking tools from loading until consent happens. A notification bar that tracks you anyway isn’t consent. It’s decoration.
How to Get Compliant Without a Law Degree
You’ve got three real options.
Option 1: Hire an attorney
A privacy attorney can draft custom policies for your business. It’s the most tailored route, and for complex businesses it might be the right one. Expect to spend anywhere from several hundred to a few thousand dollars.
The catch is maintenance. Privacy laws change constantly (dozens of new bills are in the works at any given moment across the US, EU, UK, Canada, and Australia), and every change potentially means another call to your attorney. Budget for the relationship, not just the document.
Option 2: Copy a template (please don’t)
I get the temptation. Free template, ten minutes, done.
But a privacy policy has to accurately describe your practices, the laws that apply to your visitors, and the tools on your site. A copied policy almost never does, which means you’re publicly making promises your business doesn’t actually keep. Regulators treat an inaccurate policy as a deceptive practice, so a bad policy can hurt you more than having none at all. Termageddon wrote a whole piece on why copying a privacy policy backfires, and I co-sign every word.
A static policy has the same problem in slow motion. It was accurate the day you pasted it in. Then the laws changed and it quietly went stale.
Option 3: An auto-updating cookie consent banner and policy solution
This is what I use and what I offer to set up for my clients: Termageddon.
One license includes a privacy policy, cookie policy, consent banner, terms of service, disclaimer, and EULA. You answer a questionnaire about your business, it figures out which laws apply to you, and it generates everything. Then it monitors privacy laws and automatically updates your policies when things change.
Set it up once. It stays current. [It’s basically the “let it go” of legal compliance… did you sing that? Sorry not sorry.]
For what it’s worth, I didn’t pick it because of the referral program. I picked it because it was co-founded by a privacy attorney and it’s the longest running policy generator listed as a trusted vendor by the International Association of Privacy Professionals. The referral link came later, after I’d already been recommending it to clients for free.
How this works on a WordPress site
If you’re on WordPress, setup is genuinely simple. You generate your policies in Termageddon, then paste an embed code onto your policy pages. The consent banner installs through a WordPress plugin, which can even show the banner only to visitors in regions that require it, so you’re not annoying everyone else. Although, I recommend just show it to everyone, it’s not that annoying.
The embed code is the quiet hero here. Because your policies live in Termageddon and display through that code, updates push to your pages automatically. You don’t touch a thing.
Not on WordPress? Not a problem. Termageddon can be used on non-WordPress websites also.
Termageddon Set Up – save $50, only $49
I normally charge $99 to get Termageddon set up for you. For the months of July and August 2026, I’m offering 50% off my set up fee! You must use my link to purchase your license in order to qualify for this special. Make your purchase and drop me an email.
What I Do on My Own Site
I don’t just recommend this. I run it.
Instanticity has a contact form, an email list, analytics, and a shop, which means I collect personal information every single day. My privacy policy and cookie policy are both generated and maintained this way, and my consent banner blocks trackers until visitors opt in.
When a new privacy law passes, I get an email letting me know my policies were updated. That’s the whole task. After 20+ years of building and maintaining websites, I’ve learned the best systems are the ones you don’t have to think about.
The Bottom Line
If your website uses analytics, pixels, embedded videos, or fonts loading from Google, you very likely need a cookie consent banner backed by real policies. “I didn’t know” isn’t a defense, and the demand letters aren’t slowing down, they’re becoming more common.
The fix takes about an hour:
- Run the 5-minute audit above
- Set up Termageddon, or whichever compliant solution you choose, and answer the questionnaire honestly
- Add your policies and consent banner to your site
- Get back to running your business
Rather have someone handle it for you? Compliance setup is exactly the kind of behind-the-scenes work I take care of for my website care plan clients. Not a care plan client? Reach out and we’ll get your site covered.
Frequently Asked Questions About Privacy Policies
Do I need a cookie consent banner if I only use Google Analytics
Very possibly. Google Analytics collects IP addresses and behavioral data, which several privacy laws treat as personal information requiring consent before collection.
Does this apply to me if I’m not in California or Europe?
Yes. Privacy laws follow your visitors, not your business address. If people from California or EU can visit your site, those laws can reach you.
What’s the difference between a cookie policy and a privacy policy?
A privacy policy covers all the personal information your site collects and how you use it. A cookie policy specifically explains the cookies and tracking tools on your site. Most sites need both.
Is a free privacy policy template good enough?
Usually not. Templates aren’t tailored to your actual practices or the laws that apply to your visitors, and they don’t update when laws change. An inaccurate policy can create more risk than it removes.
