The Cookie Banner That Wasn’t Doing Anything. Just Like Yours.

How one demand letter exposed a compliance problem that’s sitting on most business websites right now.

It landed on a Tuesday morning: a demand letter from a law firm in California, representing a plaintiff none of the company’s leadership had ever heard of, claiming that the company’s website had violated the California Invasion of Privacy Act (CIPA). The threat wasn’t a single $5,000 claim. It was a class action. Every California visitor who had hit the site during the violation window, pulled into one lawsuit, at $5,000 per head in statutory damages.

The math gets ugly fast. A modest traffic site with a few thousand California visitors a year is staring down a seven-figure exposure on paper. The settlement offer to make it all disappear was still more than a decade of proactive compliance monitoring would have cost.

The company in question is a well-established industrial manufacturer based in New England. Decades in business. Loyal customer base. The kind of company that does real work, makes real things, and doesn’t spend a lot of time thinking about obscure California privacy statutes.

They had a cookie banner on their website. They thought they were covered. They weren’t.

Here’s what happened, what we found, and why you should probably go check your own site when you’re done reading this.

The Demand Letter

The plaintiff was a professional. Not in the sense of being particularly skilled. Professional in the sense that this person has filed dozens of nearly identical lawsuits against companies all over the country. Visit a website, note that tracking cookies fire before clicking Accept, forward it to the law firm, and wait for the settlement checks to roll in.

The law firm works on volume. File a hundred of these cases a year, threaten class action, settle most of them in the $5,000 to $15,000 range before discovery ever starts, and do the math. They know the defendant’s attorney is going to calculate the cost of fighting a class action versus paying a quick settlement and recommend the settlement every time. That’s the whole play. Threaten something massive, collect something modest, move on to the next one.

It’s a business model, and it’s perfectly legal under California’s statute, which allows private citizens to sue for CIPA violations at $5,000 per incident and to aggregate those incidents into class actions.

No traffic threshold. No minimum company size. One California visitor and one non-essential cookie firing before consent is enough to start. Add up every other California visitor who hit the site during the window and you have a class action.

The company’s leadership read the letter, talked to their attorney, and made the practical call. Fighting a class action, even a weak one, costs more than the plaintiff firm would accept to walk away. The attorney’s recommendation was to negotiate the settlement down, pay it, and then fix the underlying issue so this never happened again. The final number was a fraction of the exposure on paper, and a fraction of what a trial would have cost. It was also, for what it’s worth, roughly twenty times what proper compliance setup would have cost from day one.

That’s where we came in.

What We Found When We Looked

The company already had a cookie consent banner running on their site. It was installed. It was visible. It had the right buttons. On the surface, everything looked fine.

We loaded the site in a clean browser, one that had never visited before. No cookies, no history, no prior consent. Just a fresh visitor, the same kind of visitor that the plaintiff had been.

Before clicking a single button on that consent banner, here’s what the site fired:

  • LinkedIn Insight tracking pixel
  • Google Analytics, both legacy Universal Analytics tags and GA4
  • HotJar session recording scripts
  • Several third-party marketing cookies
  • A handful of fingerprinting data points loaded into browser storage

All of it firing before consent. All of it constituting a textbook CIPA violation under the standard the plaintiff’s law firm was using.

The banner looked correct. The banner was functionally useless. It was sitting there on the page like a security guard asleep at the post.

Why the Banner Wasn’t Working

The root cause was a misconfiguration of the consent management plugin. The plugin was capable of blocking tracking scripts until a visitor clicked Accept. That capability had never been turned on. The plugin was installed in a kind of default display mode, showing the banner but not actually enforcing any blocking behavior behind it.

Compounding the issue, an older hardcoded cookie banner from a prior website build was still present in the theme code. It conflicted with the new plugin in subtle ways, hidden from view but still loading in the background.

There was also a caching problem. The site was running aggressive page caching and JavaScript deferral, which meant the consent banner was loading about three seconds after the rest of the page. For three full seconds on every visit, the site was firing tracking scripts while the consent tool hadn’t even initialized yet.

Three seconds is a long time when every visit represents potential liability.

What We Did

The fix was not glamorous. It was methodical.

We audited every cookie, every script, and every storage mechanism the site was using. We categorized each one. Essential cookies that make the site function got cleared to load normally. Everything else, the analytics pixels, the marketing tags, the session recorders, got reclassified as consent-required and blocked at the source.

We reconfigured the consent plugin to actually do what it was installed to do. Block scripts by default. Allow them only after explicit opt-in. Honor opt-out the same way.

We stripped out the old hardcoded banner that was hiding in the theme.

We worked around the caching plugin’s interference with the consent tool, using a cookieless initialization method that doesn’t require a server round-trip to show the banner.

We rewrote the cookie policy and privacy policy to match the attorney’s recommended language.

We tested the whole thing with a clean browser, verified zero non-essential tracking fired before consent, verified that clicking Reject kept everything blocked, and verified that clicking Accept released the tracking as expected.

When we were done, the site passed the same test the plaintiff’s attorney had used to build their case in the first place. That’s really the whole game. The legal test is a proxy for whether you’re actually doing what you told visitors you’d do.
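The block-by-default gating described in this section, written out as an added example rather than the consent plugin’s own code. It assumes each gated tag is authored as `<script type="text/plain" data-consent="analytics">` (or `marketing`), a storage key named cookie_consent_v1, and two non-essential categories; everything except the last function runs outside a browser, and because the tags are inert until swapped, nothing fires even when the banner itself initializes seconds late behind caching or script deferral.

```javascript
// Added example, not the consent plugin's own code: block non-essential scripts at
// the source and release them only after an explicit decision. Assumed markup:
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// An inert text/plain tag cannot fire while the banner is still initializing.
const CATEGORIES = ['analytics', 'marketing'];
const STORAGE_KEY = 'cookie_consent_v1'; // assumed key name
// No stored decision means nothing non-essential is granted (block by default).
function defaultConsent() { return { decided: false, analytics: false, marketing: false }; }

// Map a banner choice to a consent record; 'customize' takes per-category flags.
function decisionFromChoice(choice, custom = {}) {
  const c = { decided: true, analytics: false, marketing: false };
  if (choice === 'accept') for (const k of CATEGORIES) c[k] = true;
  else if (choice === 'customize') for (const k of CATEGORIES) c[k] = custom[k] === true;
  else if (choice !== 'reject') throw new Error('unknown choice: ' + choice);
  return c;
}
// Persist the decision so Reject holds across pages; on reload, only a literal
// true counts as granted and anything malformed falls back to the default.
function saveConsent(store, consent) { store.setItem(STORAGE_KEY, JSON.stringify(consent)); }
function loadConsent(store) {
  try {
    const raw = JSON.parse(store.getItem(STORAGE_KEY));
    if (!raw || raw.decided !== true) return defaultConsent();
    const c = { decided: true };
    for (const k of CATEGORIES) c[k] = raw[k] === true;
    return c;
  } catch { return defaultConsent(); }
}
function memoryStore() { // stand-in for window.localStorage outside a browser
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
// Which gated scripts may run: necessary always, others only when granted;
// an unknown category is never granted (fail closed).
function scriptsToRelease(scripts, consent) {
  return scripts.filter(s => s.category === 'necessary' || consent[s.category] === true);
}
// Browser side: replace each permitted inert tag with a live one, which executes it.
function releaseInBrowser(consent) {
  const tags = [...document.querySelectorAll('script[type="text/plain"][data-consent]')];
  const allowed = scriptsToRelease(tags.map(el => ({ category: el.dataset.consent, el })), consent);
  for (const { el } of allowed) {
    const live = document.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
}
if (typeof document !== 'undefined') releaseInBrowser(loadConsent(window.localStorage));
```

The banner’s Accept, Reject and Customize handlers would call decisionFromChoice, saveConsent and then releaseInBrowser, so a Reject leaves every gated tag inert on this page and on every later page load.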

Now they are.

The Bigger Problem Nobody Is Talking About

Here’s the part that matters for every other business owner reading this.

The company in this case study is not unusual. They did not do anything wrong on purpose. They installed a cookie banner because their web team told them they needed one. They assumed, reasonably, that installing the banner meant they were compliant.

Nobody told them that consent management plugins have to be configured correctly to actually block tracking. Nobody told them that caching can interfere with how the banner loads. Nobody told them that the marketing team’s decision to add a LinkedIn pixel last quarter had created a compliance gap. Nobody scanned the site to verify that what they thought was happening was actually happening.

This is the norm, not the exception. We’ve audited dozens of sites since this engagement, and the majority of them have the same problem. A banner sitting there doing decorative work while tracking scripts run freely in the background. The companies running those sites have no idea.

And the plaintiffs’ law firms know it.

What Every Business Should Be Doing

If your website runs a cookie consent banner, three things need to be true, and you need to be able to verify all three.

First, when a first-time visitor loads your site, nothing non-essential should fire until they click Accept. Not Google Analytics. Not Meta Pixel. Not LinkedIn Insight. Not HotJar. Nothing. If any of those load before the visitor interacts with the banner, you have a problem.

Second, the banner needs to offer a genuine choice. Accept, Reject, and Customize. Not just an Accept button with a tiny X in the corner. Regulators and plaintiffs’ attorneys increasingly treat Accept-only banners as no banner at all.

Third, the consent decision needs to be enforced. Clicking Reject should mean Reject, across the whole site, across the whole session. This is the piece that fails most often, because clicking Reject on a misconfigured banner often does absolutely nothing.

Most business owners cannot verify any of this themselves. They can see the banner on their site, but they cannot see what’s firing in the background. That is why this problem is everywhere.
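The first check above, and the pre-consent audit that produced the findings list in “What We Found When We Looked”, as an added example rather than the firm’s own tooling: it takes a capture of the requests and cookies observed in a fresh browser profile before any banner interaction (for instance from a devtools network log or HAR export) and reports which named vendors fired. The tracker hostnames and cookie prefixes are those publicly used by the tools named on the page; the capture, the first-party domain and the IDs are constructed placeholders.

```javascript
// Added example (not the firm's own audit tooling): classify what a fresh,
// never-consented visit fired before the banner was touched. Patterns are
// well-known public hostnames and cookie-name prefixes of the tools named in
// the text; the capture below is constructed to mirror the findings above.
const TRACKER_PATTERNS = [
  { vendor: 'Google Analytics', category: 'analytics',
    host: /(^|\.)(google-analytics|googletagmanager)\.com$/, cookie: /^_g(a|id)/ },
  { vendor: 'LinkedIn Insight', category: 'marketing',
    host: /(^|\.)(licdn|linkedin)\.com$/, cookie: /^li_/ },
  { vendor: 'Hotjar', category: 'analytics', host: /(^|\.)hotjar\.com$/, cookie: /^_hj/ },
  { vendor: 'Meta Pixel', category: 'marketing', host: /(^|\.)facebook\.(com|net)$/, cookie: /^_fb/ },
];

// One finding per matched request or cookie; anything that matches no pattern
// (first-party assets, the site's own session cookie) is left out.
function auditPreConsentCapture(capture) {
  const findings = [];
  for (const url of capture.requests) {
    const host = new URL(url).hostname;
    const hit = TRACKER_PATTERNS.find(p => p.host.test(host));
    if (hit) findings.push({ kind: 'request', vendor: hit.vendor, category: hit.category, detail: host });
  }
  for (const name of capture.cookies) {
    const hit = TRACKER_PATTERNS.find(p => p.cookie.test(name));
    if (hit) findings.push({ kind: 'cookie', vendor: hit.vendor, category: hit.category, detail: name });
  }
  return findings;
}

// Pass/fail in the form the plaintiff's test uses: zero non-essential tracking
// before consent passes; otherwise list the vendors that fired.
function verdict(findings) {
  const vendors = [...new Set(findings.map(f => f.vendor))].sort();
  return { compliant: findings.length === 0, vendors };
}

// Constructed capture of a fresh-profile visit with no banner interaction.
const SAMPLE_CAPTURE = {
  requests: [
    'https://example-manufacturer.test/',
    'https://example-manufacturer.test/wp-content/themes/site/main.js',
    'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER',
    'https://www.google-analytics.com/collect?v=1&tid=UA-PLACEHOLDER-1',
    'https://snap.licdn.com/li.lms-analytics/insight.min.js',
    'https://static.hotjar.com/c/hotjar-PLACEHOLDER.js',
  ],
  cookies: ['PHPSESSID', '_ga', '_gid', '_ga_PLACEHOLDER', '_hjSessionUser_PLACEHOLDER'],
};
console.log(verdict(auditPreConsentCapture(SAMPLE_CAPTURE)));
```

Run the same capture a second time after clicking Reject; the verdict must still be compliant, which is the third check above.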

Why We’re Building Something Bigger

This engagement changed how we think about compliance work. We had already been offering cookie consent setup as part of our services, but this case made clear that one-time setup is not enough. Sites change. Marketing teams add new tools. Plugins update and behaviors shift. A site that was compliant in January can drift out of compliance by March without anyone noticing.

That’s the problem we’re now building to solve at scale. An always-on scanner that watches every site we maintain, catches new tracking scripts the moment they appear, and flags compliance drift before a demand letter shows up in the inbox.

The manufacturer in this case study is now protected. Their banner works. Their scripts are blocked. Their policies are accurate. They sleep a little better at night.

The question is whether every other business owner reading this can say the same.

The Numbers That Matter

  • Time from demand letter to full remediation: 11 business days
  • Non-essential cookies firing pre-consent before remediation: 10+
  • Non-essential cookies firing pre-consent after remediation: 0
  • Cost of proper compliance setup from day one: under $1,000
  • Cost of the settlement: more than 10 years of proactive compliance monitoring
  • Cost of fighting the class action in court: more than the settlement

One settlement check covered what a decade of prevention would have cost, several times over.

The math on prevention is always easier than the math on response. Always. The companies that figure this out before the letter arrives are the ones who never end up as the subject of a case study like this one.

Names and identifying details have been withheld to protect the client. The facts of the engagement are accurate. If you’re reading this and wondering whether your own site has the same problem, you can request a free cookie compliance scan at whatarmy.com/cookie-compliance.
