Plaintiff firms run automated scanners that find tracking pixels firing before consent — then send demand letters at scale. A standard BigCommerce install ships with exactly that exposure. Run a free check and see where you stand against CIPA, CCPA, and the new wave of state privacy laws.
This score is a self-assessment. The full scan inspects your live tags — exactly what fires, in what order, before consent — and we hand you a prioritized fix plan for your BigCommerce store.
Informational risk assessment based on your answers — not legal advice. For any demand letter, talk to a qualified attorney.
Your answers stay in your browser until you ask for the full scan. No tracking on this tool.
Courts have stretched California's Invasion of Privacy Act to cover the tracking pixels and analytics nearly every ecommerce site runs. The trigger is simple and mechanical: a pixel that collects data before the visitor consents. Plaintiff firms automated the hunt, and the letters followed.
Here's the part most store owners miss: being CCPA-compliant does not protect you from CIPA. CCPA is about the right to opt out of data sales and sharing. CIPA is about whether you intercepted the communication in the first place, in the first seconds after someone lands on your page and before they have said anything. You can do one perfectly and still be wide open on the other.
They overlap, they conflict, and they all come down to what your tags actually do before a visitor says yes.
CIPA: Pixels, session replay, and chat widgets that capture and transmit visitor data before consent. The pen-register theory driving today's demand letters. $5,000 per violation, with a private right to sue.
CCPA: Notice at collection, a working "Do Not Sell or Share" mechanism, and honoring Global Privacy Control signals as a valid opt-out. Sending visitor data to ad pixels counts as a "sale/share."
Other state privacy laws: The comprehensive state laws now live across the country: consumer access/deletion rights, universal opt-out, and consent for sensitive data. No federal law yet, so each state sets its own bar.
GDPR: Affirmative opt-in consent before any non-essential tracking, a lawful basis for processing, and real data-subject rights. Applies if you sell to visitors in the EU or UK, not only to stores based there.
A law firm can tell you you're exposed. A cookie-banner vendor can sell you a widget that often doesn't actually block anything. We work at the layer that matters — what fires, when, and whether your banner truly enforces the visitor's choice.
Yes, even for stores outside California. CIPA applies when one party to the communication is in California. If Californians can visit your store (they can), the law can reach you regardless of where your business sits. Plaintiff firms specifically target out-of-state stores that assume they're safe.
Often not enough. The current wave of cases targets banners that appear but don't actually stop tags from firing before consent. A banner that looks compliant while your pixels fire on page load can be worse than none: it shows you knew consent was needed and didn't enforce it. What matters is the firing order, not the existence of a banner.
No, and this is the most expensive misunderstanding in the space. CCPA governs the sale and sharing of data on an opt-out basis. CIPA is about intercepting the communication in the first place and generally expects consent before the interception happens. You can be perfectly CCPA-compliant and still face significant CIPA exposure.
No: the goal is risk reduction, not going dark. We keep your analytics and ad tools working; they just fire after consent instead of before it. You keep your marketing data; you lose the pre-consent exposure that drives the lawsuits.
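The firing-order point made in the two answers above, together with the Global Privacy Control requirement, as an added JavaScript example written for this page (not the scanner's, a vendor's, or BigCommerce's code): the broken pattern, where a banner is shown but every tag loads on page load, beside a small gate that keeps non-essential tags unloaded until a stored "yes" exists for their category. Tag ids, script URLs, and the storage key are assumptions for illustration; `loadScript` and `storage` are injected so the same gate runs on a page and in an offline check.

```javascript
// Consent-gated tag loading, as an added illustration of the page's point that
// firing order, not the banner, is what matters. Not the page's or any vendor's code.
// Tag ids, script URLs, and the storage key are assumptions for illustration only.

const CONSENT_KEY = "consent_v1"; // assumed localStorage key for the visitor's choice

// Non-essential tags a typical store runs. URLs are placeholders, not real endpoints.
const TAGS = [
  { id: "analytics", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ad-pixel", category: "marketing", src: "https://example.invalid/pixel.js" },
  { id: "session-replay", category: "marketing", src: "https://example.invalid/replay.js" },
];

// BROKEN pattern: the banner is rendered, but every tag loads on page load anyway.
// Returns the ids that fired before any consent decision (all of them).
function brokenPageLoad(loadScript, showBanner) {
  showBanner();
  const fired = [];
  for (const tag of TAGS) { loadScript(tag); fired.push(tag.id); }
  return fired;
}

// HARDENED pattern: tags stay unloaded until a stored "yes" for their category exists.
// `loadScript` is injected so the same gate runs in a browser and in a test harness;
// `gpc` models navigator.globalPrivacyControl, which must be treated as an opt-out
// of sale/share, so marketing tags stay off even if the banner is clicked through.
class ConsentGate {
  constructor({ loadScript, storage, gpc = false }) {
    this.loadScript = loadScript;
    this.storage = storage;
    this.gpc = gpc;
    this.loaded = new Set();
    this.consent = this.readStored(); // null until the visitor decides
  }

  readStored() {
    try {
      const raw = this.storage.getItem(CONSENT_KEY);
      return raw ? JSON.parse(raw) : null;
    } catch (e) {
      return null; // corrupt or missing value counts as "no decision"
    }
  }

  // Page load: only categories with a previously stored "yes" fire.
  onPageLoad() {
    return this.flush();
  }

  // Banner interaction: record the choice, then fire whatever is now permitted.
  setConsent(choices) {
    this.consent = {
      analytics: Boolean(choices.analytics),
      marketing: Boolean(choices.marketing) && !this.gpc,
    };
    this.storage.setItem(CONSENT_KEY, JSON.stringify(this.consent));
    return this.flush();
  }

  // Load each permitted, not-yet-loaded tag exactly once; return what fired.
  flush() {
    const fired = [];
    if (!this.consent) return fired; // no decision yet: nothing non-essential fires
    for (const tag of TAGS) {
      if (this.consent[tag.category] && !this.loaded.has(tag.id)) {
        this.loaded.add(tag.id);
        this.loadScript(tag);
        fired.push(tag.id);
      }
    }
    return fired;
  }
}

// Browser loader: what `loadScript` would be on a real page (not called in the offline check).
function injectScript(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Self-check: simulate a first visit (no stored consent) and report which tags
// would fire before the visitor decides. Anything other than [] is the exposure
// the demand letters are built on.
function preConsentFirings(mode) {
  const fired = [];
  const record = (tag) => fired.push(tag.id);
  if (mode === "broken") {
    brokenPageLoad(record, () => {});
  } else {
    new ConsentGate({ loadScript: record, storage: memoryStorage() }).onPageLoad();
  }
  return fired;
}
```

On a live page you would construct the gate with `loadScript: injectScript`, `storage: window.localStorage`, and `gpc: navigator.globalPrivacyControl === true`, call `onPageLoad()` once, and wire the banner buttons to `setConsent`. The check that matters is the first-visit one: `preConsentFirings("broken")` lists every tag, `preConsentFirings("gated")` lists none, and a returning visitor who said yes to analytics only gets analytics on the next page view, with ad-pixel and session-replay still held back.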
First, talk to a qualified attorney — a demand letter is a legal matter, not a DIY fix. Then we work alongside counsel on the technical side: documenting what your site did, remediating the firing order, and producing the evidence of a corrected, defensible posture.
The scanners that find vulnerable stores are already running. Run yours first, fix what they'd find, and turn a liability into a checkbox you can prove.
Run the free check →