Consent Resolve
Compliance & Privacy Blog

Is It Legal to Know When a Past Visitor Returns to Your Site?

Knowing the moment a past visitor comes back is one of the best signals a contractor can act on — but only if you're allowed to know it. Here's where consent draws the legal line.

By Tyler Spurlock, Account Manager at Consent Resolve 7 min read

The signal is great — but are you allowed to have it?

A homeowner who visited your site last week comes back today. Same person, second look, this time on the exact service page that matches their problem. Every marketer will tell you that return visit is one of the strongest buying signals you’ll get, and that you should be the first to know it happened.

They’re right about the value. What almost nobody stops to ask is the question a careful owner should ask first: am I actually allowed to know that? Because “we can tell when a specific person comes back to our website” is either a smart, legal follow-up practice or a lawsuit waiting to happen — and the entire difference is one word. Consent.

Knowing a past visitor returned is not, by itself, illegal. Watching aggregate traffic in your analytics is fine. The line gets crossed when you identify a specific person who never agreed to be identified, then use that to contact them.

That distinction is the whole ballgame in privacy law right now, and it shows up in three places a contractor should know about:

  • CIPA (California’s Invasion of Privacy Act). This is the one being mass-filed against websites. Plaintiffs’ firms argue that certain tracking scripts “wiretap” visitors who never consented, and the statute carries $5,000 per violation — per visitor, which adds up fast. The claims hinge on whether the visitor agreed to the tracking.
  • The TCPA. If you turn a website visit into a phone call or text without proper consent, you’re in TCPA territory, where damages run $500 to $1,500 per message and recipients can sue you directly. This is a big reason consent-first follow-up is email-grade, not a phone number to cold-dial.
  • State data-privacy laws. California’s CCPA adds administrative penalties for mishandling personal data, and newer statutes like the Texas Data Privacy and Security Act regulate how personal information is collected, used, and sold. Texas brought its first-ever enforcement suit under that law over data gathered and sold without clear consent.

Read those three together and the pattern is obvious. None of them punish knowing a visitor came back. They punish knowing it about someone who never said you could.

Picture two contractors who both get an alert that a past visitor returned to their site.

The first bought a tracking tool that quietly matches anonymous visitors to names and emails — no banner, no permission, nobody asked. That contractor is now sitting on exactly the kind of non-consented identification CIPA suits are built around. The signal is useful, but every follow-up they send is exposure.

The second contractor uses consent-first identification. On the first visit, the homeowner saw a clear banner and accepted it. That yes was logged with a date and time and kept on a 7-year audit trail. When the same person returns, the alert fires — but it’s an alert about a homeowner who is already, on the record, someone who agreed to hear from you. The follow-up email isn’t a cold interruption to a stranger. It’s a timely note to a contact who opted in.

Same alert. Same buying signal. Completely different legal posture. The consent step at the front is what turns a risky capability into a routine, defensible one.

Why regulators are moving on this now

If this felt like a niche concern a few years ago, it doesn’t anymore. Enforcement over data captured without consent has gotten large and public. Texas alone secured a $1.4 billion settlement with Meta over unauthorized data capture, and the FTC required Angi’s HomeAdvisor to pay a $7.2 million settlement tied to how it handled and marketed leads.

Those are enterprise numbers, not forecasts for a plumbing shop — but they set the tone for what the smaller CIPA and TCPA cases are testing against thousands of ordinary business websites. The direction is one-way: consent is becoming the thing you have to be able to prove, not the thing you can assume. A contractor who can show a timestamped yes for every contact is on the right side of that trend. One who can’t is betting the shop on never getting the letter.

So how do you keep the signal and drop the risk?

You don’t have to give up return-visit alerts to stay clean. You have to gate them behind consent and keep the receipt. In practice that means three things:

  • Only consented visitors ever become known. If a homeowner declines or ignores the banner, they stay anonymous and never turn into a contactable lead. The murky cases simply never enter your pipeline, so there’s nothing to defend.
  • Every consent is timestamped and stored. The moment someone accepts the banner is logged with a date and time on a 7-year audit trail, so if anyone ever asks how you got their information, the answer is a lookup, not a guess.
  • Follow-up stays email-grade. You reach returning visitors by email into the funnel you already run — Jobber, Housecall Pro, HubSpot, GoHighLevel — never a cold call or text, which keeps you well clear of the TCPA’s per-message exposure.

That’s the design. The useful part of “know when a past visitor comes back” is fully compatible with the law. It’s the shortcut version — identifying people who never agreed — that isn’t.

Not every “consent” banner is worth the pixels it’s printed on, and the difference matters if you’re ever asked to prove it. Courts and regulators tend to look for consent that’s clear, informed, and affirmative — the visitor understood what they were agreeing to and took a deliberate action to agree. A pre-checked box, a banner buried at the bottom of the page, or a “by using this site you agree” line nobody reads is the kind of thing plaintiffs’ firms argue isn’t real consent at all.

A defensible banner does a few plain things: it’s visible before tracking starts, it says in ordinary language what the visitor is agreeing to, it requires an actual click to accept, and it records that click with a timestamp. That last part is what turns consent from a claim into evidence. Anyone can say “we had a banner.” A shop that can produce the date, time, and record for a specific homeowner is in a completely different position if a question ever lands. The point isn’t to lawyer up your website — it’s to make sure the yes you’re relying on is a yes you can actually show.

The bottom line for your shop

Is it legal to know when a past visitor returns? Yes, if you earned the right to know. A homeowner who accepted your banner and is on the record as opted in is a person you can follow up with, promptly and confidently, when they come back. A visitor you fingerprinted without asking is a risk you’re carrying whether or not you ever act on it.

Consent-first identification is what keeps you in the first category every time — the signal in your hands, the receipt on file, and a flat $7 per exclusive lead that’s yours alone and never resold. See why consent-first protects your shop, then look at what your current lead channels actually cost — in fees and in exposure.

This article is educational, not legal advice. Talk to a qualified attorney about your specific situation.

FAQ

Frequently asked questions

Yes, when it's consent-first. If the visitor accepted a clear consent banner on an earlier visit and that agreement was logged with a timestamp, being alerted to their return is following up with someone who opted in — not surveilling a stranger. The legal problem starts when you identify and contact people who never agreed.