Free scan
Guide

How to check if your website is CIPA compliant

California's CIPA § 631 is behind a wave of "wiretapping" lawsuits against ordinary business websites. The trigger is simple: trackers that record or transmit a visitor's activity before that visitor consents. Here is how to check whether yours do.

What CIPA compliance actually means

CIPA § 631 (with damages set by § 637.2) is a California wiretapping statute. Plaintiffs argue that when a session recorder, analytics tag, or ad pixel captures what a visitor does before they consent, that is an intercepted communication — worth up to $5,000 per violation. It is not about whether you have a cookie banner; it is about whether trackers actually stay off until a visitor clicks it.

Check it yourself in 5 minutes

  1. Open your site in a fresh private/incognito window so no prior consent is remembered.
  2. Open developer tools → Network tab before you interact with anything.
  3. Reload the page and do not click the consent banner. Watch the requests that fire.
  4. Look for known trackers — requests to domains like facebook.com/tr (Meta Pixel), clarity.ms (Microsoft Clarity), hotjar.com, analytics.tiktok.com, or HubSpot analytics. Anything that loads before you consent is a potential CIPA exposure.
  5. Repeat on your highest-intent pages — home, pricing, contact, checkout, any intake form. Scripts often differ page to page.

This manual check catches the obvious cases. It misses trackers that load a few seconds late, fire only on interaction, or were added to one template and not another — which is why most owners run an automated scan.

Skip the manual check — scan your whole site in 30 seconds, free.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

The trackers that most often trip CIPA

Across the small-business sites we've scanned, the most common pre-consent offenders are everyday marketing and analytics tags: Meta Pixel, Microsoft Clarity, LinkedIn Insight, Hotjar, HubSpot, and TikTok Pixel. They're usually added by a marketing team long after the consent banner was set up — which is exactly why banners so often fail to block them. (We break down the full list in our website-tracking report.)

Fixing what you find

Once you know which trackers fire before consent, the fix is to gate them behind your consent tool (or remove the ones you don't need) and then re-check — because a banner that says it blocks trackers and one that actually does are not the same thing. RegSentry gives you the flagged list, a remediation step for each, and ongoing monitoring so a newly-added tag doesn't silently reopen the exposure.

See exactly what fires before consent on your site — free, no signup.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Run a free scan Estimate my exposure