Consent Resolve
Compliance Blog

Is Retargeting Legal for Contractors? The Consent Question

Retargeting isn't against the law. Building the audience from people who never agreed to be tracked is where contractors get exposed. Here's the line, and how to stay on the right side of it.

By Tyler Spurlock, Account Manager at Consent Resolve 6 min read

Retargeting isn’t the problem — the tracking behind it is

Ask most contractors whether retargeting is legal and you’ll get a shrug. The honest answer is: the ads are fine. Showing a homeowner your name again after they visited your site is ordinary marketing. What’s drawing lawsuits and settlements isn’t the ad — it’s the machinery that decides who sees it.

Almost all off-the-shelf retargeting runs on a tracking pixel: a snippet that fires the moment a visitor loads your page, quietly collecting identifiers and behavior and shipping them off to an ad platform to build an audience. Nobody asked the homeowner. Nobody logged a yes. That silent collection is the part regulators have started treating as a violation — and it’s the part a busy shop owner never thinks about until a demand letter shows up.

So the real question isn’t “is retargeting legal.” It’s “is the way my audience gets built legal.” Those are two very different things.

What the law actually cares about

The rules that bite here aren’t about advertising. They’re about collecting and sharing a person’s data without telling them and without their consent.

  • CIPA — California’s wiretapping statute, Penal Code §637.2 — has become the tool plaintiffs’ firms use against website tracking, arguing that a pixel capturing a visitor’s activity without consent is an unlawful intercept. These suits carry statutory damages per person, which is why they scale into real money fast.
  • The CCPA in California and the TDPSA in Texas both require disclosure and, in key cases, consent before a business collects and shares personal data. A pixel that fires before anyone agrees to anything runs straight at that requirement.
  • The TCPA governs calls and texts, not pixels — but it’s the same principle, and it’s the reason consent-first follow-up stays email-grade. You don’t get a phone number to cold-call, because a cold call to someone who never opted in is its own liability.

None of this makes retargeting illegal. It makes undisclosed, unconsented data collection illegal — which happens to be how the default version of retargeting works.

This isn’t theoretical anymore

It’s tempting to file privacy law under “big-tech problem” and move on. The enforcement record says otherwise, and it’s landing closest in the states where a lot of home-service work happens.

Texas alone has secured a $1.4 billion settlement with Meta over capturing biometric and personal data without authorization, and has sued Allstate’s Arity unit under the TDPSA for collecting and selling driving data from tens of millions of people without their consent. The pattern in both is identical to the pixel story: data gathered quietly, used commercially, no clear yes from the person it came from.

A three-truck HVAC shop isn’t Meta. But CIPA suits don’t need you to be — they need a tracking pixel on your site and a plaintiff in the right state. The exposure a small business inherits from a “set it and forget it” retargeting tag is out of all proportion to the marketing it buys. You can see the full run of these settlements, sourced, on our stats page.

The fix isn’t to stop retargeting. It’s to change the one thing the law cares about: whether the person agreed.

With consent-first retargeting, the audience is built only from visitors who see a clear, visible consent banner and accept it. Before that yes, nobody is tagged and nothing is added. After it, that visitor becomes a consented member of your audience — and the moment is logged with a timestamp and held in a 7-year audit trail.

That record is the whole difference. If a regulator, a plaintiff’s lawyer, or an ad platform ever asks how you obtained a contact, you can answer with a date and a documented consent. A covert pixel has no answer to that question, because the entire point of a covert pixel is that nobody was asked. Consent-first marketing isn’t a slower way to do the same thing — it’s the version that holds up when someone checks.

The version that’s also better marketing

Here’s the part that surprises people: doing this the legal way usually makes the retargeting work better, not worse.

A pixel that fires on everyone hands you a bloated audience full of bounces, bots, and people who wandered in by accident and never engaged. You pay to show ads to all of them. A consent-first audience is smaller on day one and cleaner every day after, because every member is a homeowner who actually engaged and chose to keep hearing from you. Ad platforms increasingly reward audiences built on genuine, permissioned signals and distrust the ones stitched together from silent tracking — so the compliant list tends to be the one that performs.

And it changes how the homeowner experiences you. A reminder from a shop they consented to hear from reads as helpful. The same reminder from a shop that clearly tracked them without asking reads as creepy — and “creepy” is a brand problem long before it’s a legal one.

What this looks like when something goes wrong

The abstract risk becomes concrete the day a letter arrives. Picture a roofing company running a standard retargeting pixel — installed a year ago by a web guy who’s since moved on, firing on every visitor, feeding an ad audience nobody thinks about. Then a demand letter shows up citing CIPA, alleging the site intercepted a California visitor’s activity without consent, and asking for statutory damages per affected person plus fees. The owner didn’t set out to break any law. He set out to advertise. But he has no consent records, no banner, no way to show that a single one of those tracked visitors ever agreed — so he has nothing to answer with.

Now run the same scenario with a consent-first setup. Every member of the audience accepted a visible banner, and each acceptance sits in a timestamped log. The question “how did you obtain this person’s data?” has a one-line answer: they consented on this date, here’s the record. That’s the difference between a problem you can respond to and a problem you can only settle. The audit trail isn’t paperwork for its own sake — it’s the thing that turns an accusation into a documented yes.

It’s worth adding that this isn’t only a California and Texas story. The CCPA set the template a growing list of states are copying, and homeowners increasingly expect to be asked. The direction of travel is one way: more disclosure, more consent, more enforcement. A shop that’s already consent-first isn’t scrambling to catch up each time a new state law lands — it’s already operating the way the rules are heading.

How to make your retargeting defensible

  • Assume your current pixel collects before consent. Most do by default. Treat that as a liability to close, not a feature to keep.
  • Put consent first, literally. Build the audience only from visitors who accept a clear banner, so there’s a yes behind every member.
  • Keep the record. A timestamped consent log and audit trail is what turns “trust us” into “here’s the date.” That’s your defense if anyone ever asks.
  • Keep follow-up email-grade. Retarget on the ad accounts you already run and follow up by email into your funnel — never a cold call, which is a separate law and a separate risk.

Retargeting is legal. Tracking homeowners who never agreed to it is the part that isn’t safe — and it’s avoidable. Build the audience from consented visitors, keep the record behind every one, and you get the marketing benefit of staying in front of past visitors without carrying the exposure that comes with covert pixels. Each recovered lead stays a flat $7, exclusive to you and never resold. Doing it right and doing it safely turn out to be the same move.

FAQ

Frequently asked questions

Yes. Showing ads to people who visited your site is legal. The legal risk isn't the ads — it's how the audience gets built. Most retargeting relies on tracking pixels that collect a visitor's data without asking, and that collection is what state privacy laws increasingly treat as a violation.