Consent Resolve
Compliance & Privacy Blog

Website Tracking Lawsuits: The Risk a Consent Banner Removes

The pixels and tracking scripts on most contractor websites are legal right up until a visitor never agreed to them. Here's the exposure that creates — and the one piece that removes it.

By Tyler Spurlock, Account Manager at Consent Resolve 7 min read

Open the source code of almost any contractor website and you will find tracking scripts. An analytics tag. An ad pixel or two. Maybe a tool that tries to figure out who is visiting. None of that is inherently illegal. Plumbers, roofers, and HVAC shops run this stuff every day without a problem.

The problem starts at a specific, invisible moment: when one of those scripts identifies or tracks a person who never agreed to it. That is the line. On one side, you have ordinary marketing. On the other, you have the exact conduct a growing stack of privacy laws was written to punish — and the kind that turns a quiet website into a legal headache with your shop’s name on the complaint.

I spend my days on the compliance side of this, and the thing I want every contractor to understand is simple: the lawsuits are almost never about the data. They are about the missing yes.

What a website tracking lawsuit actually is

Strip away the legalese and the pattern is the same across regimes. A visitor lands on a site. Something on that site captures, intercepts, or identifies them. The visitor never consented. A law that requires consent gets triggered. That is the whole shape of it.

California’s CIPA — its wiretap statute — is the clearest example. It was written for phone taps decades ago, and plaintiffs’ lawyers now aim it squarely at website tracking that happens without permission, treating the interception like an unauthorized recording. The damages are not theoretical: CIPA carries $5,000 per violation, and it has a private right of action, which means an individual resident can bring the claim directly — no regulator required.

That last detail is the one contractors underestimate. You do not need to catch the eye of an attorney general to get sued. Under a statute with a private right of action, any covered visitor who feels their data was taken without consent is a potential plaintiff.

This is not just a California problem

It is tempting to file all of this under “California stuff” and move on. Don’t. The same principle is spreading, and the enforcement is real.

In Texas, the TDPSA is being actively enforced. The state attorney general filed suit against Allstate and its Arity subsidiary for collecting and selling driver data without proper consent — a live example of a state regulator treating non-consented collection as a violation worth pursuing. The same office secured a $1.4 billion settlement with Meta over unauthorized capture of biometric data. Those are enormous companies, yes — but they lost on the same principle a small shop is subject to: you collected identifying information from people who did not agree to it.

And layered on top of all of it is the federal TCPA, which governs how you contact people once you have their information. It carries $500 to $1,500 per unsolicited call or text. So even a contractor who scrapes together contact info without consent and then dials it is exposed on a second front. The collection is one problem; the cold outreach is another.

The mistake is capturing first and asking later

Here is where a lot of shops get into trouble without meaning to. They buy a tool that promises to “identify your website visitors,” bolt it on, and start collecting names and emails from anonymous traffic. It feels like a marketing win. Structurally, it is the risky pattern: identify everyone, worry about consent never.

That approach quietly puts you on the wrong side of the line for every visitor who never agreed. You now hold data you collected without permission — which is the exact fact pattern these laws punish. Worse, you often cannot tell which contacts were gathered cleanly and which weren’t, so the whole list is suspect. When someone eventually asks “where did you get my information?”, you have no good answer.

The FTC’s action against HomeAdvisor is a useful reminder of how seriously regulators take the provenance of leads. The company entered a consent order and agreed to pay up to $7.2 million to settle claims about how it marketed leads to contractors. The lesson for your own site is the same: how a contact was obtained matters as much as the contact itself.

The good news is that the fix is not “stop capturing leads.” It is “change the order of operations.” Instead of identifying everyone and hoping consent sorts itself out, you put a clear consent banner in front of every identification. Nobody is tracked or identified until they say yes.

That one design choice removes the most common lawsuit trigger, because the trigger is non-consented tracking — and under this model, non-consented tracking never happens. A visitor who declines the banner is simply never identified. There is no data collected without permission, so there is nothing to sue over on that front. This is what built-in compliance means in practice: the legal safety is the first thing in the pipeline, not a patch bolted on after the fact.

It also flips your position in any dispute. The whole game in these cases is consent — did the person agree? When identification only happens after a visitor accepts a clear banner, and that acceptance is captured as a timestamped record, the answer is documented. You are not arguing that you probably had permission. You can show the yes, and when it happened.

What this looks like on a real shop’s site

Picture a plumbing company running ads into a metro that includes out-of-state homeowners. Under the risky model, every visitor who clicks through gets identified the instant they land — including people in states with a private right of action, none of whom agreed to anything. That is exposure stacking up on autopilot.

Under consent-first identification, the same traffic arrives, sees a plain banner, and chooses. The ones who decline stay anonymous and are never tracked — no risk created. The ones who accept become real, consent-first leads with a receipt attached. The plumber captures the people who actually want to be contacted, follows up by email into the funnel they already run, and holds proof of consent on every single one. Same traffic, opposite risk profile.

The takeaway for your shop

  • Know what triggers these cases. It is almost always non-consented tracking — the missing yes, not the data itself.
  • Stop identifying first. A tool that captures everyone and asks nobody is the pattern that gets shops sued.
  • Gate every identification behind a clear banner. A visitor who declines is never identified, which removes the exposure at the source.
  • Keep the receipt. A timestamped consent record turns “we probably had permission” into “here is the proof, with a date.”

You do not have to choose between capturing leads and staying out of court. Gate identification behind consent, follow up by email at a flat $7 per exclusive lead — never resold — and keep the record on every one. See how built-in compliance is engineered in, read how the Texas TDPSA fits the same pattern, and weigh it against what your current lead channels actually cost. This article is general information, not legal advice — for how these laws apply to your specific business, talk to an attorney in your state.

FAQ

Frequently asked questions

The businesses in the headlines are big, but the rule they broke is the same one that applies to a five-truck shop: tracking or identifying a person who never consented. California's CIPA treats non-consented website interception like wiretapping at $5,000 per violation, and it carries a private right of action, meaning residents can sue directly. The size of the target changes; the underlying line does not. This is general information, not legal advice.