Nine steps to get your site off the CIPA / CCPA target list — and stay off it.
This is the exact sequence we walk business owners through. Work top to bottom; the free scan below does steps 1–3 and your exposure number automatically.
Want it emailed to you (plus new-tracker alerts)?
No spam. Unsubscribe anytime.
The checklist
1. Inventory every third-party script List every analytics, session-replay, chat, and ad-pixel tool loading on your site — including ones marketing added without telling IT.
2. Identify session-recording tools Hotjar, FullStory, Microsoft Clarity, Lucky Orange, Mouseflow, Smartlook, Inspectlet and similar tools carry the highest CIPA § 631 risk.
3. Test what fires BEFORE consent Load the site without accepting cookies and confirm no tracker contacts a third-party server until the visitor opts in. This is the test that matters.
4. Verify your consent banner actually blocks scripts A banner that only displays a notice while scripts load underneath is not compliant. Confirm it gates at the network level.
5. Gate trackers behind a consent management platform Use a CMP (Cookiebot, OneTrust, Osano, Termly, CookieYes, etc.) so tools don't load until opt-in.
6. Publish a current privacy policy with opt-out + DSAR CCPA requires a posted policy, a way to opt out of data sale/sharing, and a data-access request process.
7. Document your remediation with timestamps Dated evidence that you fixed issues is your good-faith defense if a notice arrives.
8. Set up ongoing monitoring Scripts get re-added constantly. Continuous monitoring catches new trackers before a plaintiff firm does.
9. Know your exposure number Understand roughly what a CIPA claim could cost so remediation gets prioritized appropriately.
Do steps 1–3 right now, free
Run the scan — it audits your trackers and flags anything firing before consent.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.