58% fired at least one tracking pixel before the visitor consented — the exact pattern behind California's CIPA § 631 session-replay lawsuits. Here is what is running, on whom, and what plaintiffs argue it is worth.
We ran RegSentry's headless-browser scan against 1,478 small- and mid-sized business websites and watched exactly when each third-party script first contacted its server. On 857 of them (58%), at least one tracker fired before the visitor was given a consent choice. Across those sites we recorded 1,889 distinct CIPA § 631 exposures — an average of 2.2 pre-consent trackers per affected site, and 261 sites were running three or more.
Under California Penal Code § 631 (with statutory damages set by § 637.2), plaintiffs argue every California visitor session recorded before consent is a separate violation worth up to $5,000. Applied to the traffic these sites report, that works out to a median statutory ceiling of $1.1M per site — the theoretical maximum plaintiff firms cite, not a prediction of what any site would owe.
The most common culprits are the everyday marketing and analytics tags almost every site installs — frequently added by a marketing team long after the consent banner was set up.
| Tracker | Found on | |
|---|---|---|
| Meta Pixel | 322 sites | |
| Microsoft Clarity | 209 sites | |
| LinkedIn Insight Tag | 198 sites | |
| Sentry | 182 sites | |
| Hotjar | 119 sites | |
| HubSpot Tracking | 102 sites | |
| TikTok Pixel | 73 sites | |
| VWO | 66 sites | |
| Datadog RUM | 62 sites | |
| Twitter/X Pixel | 53 sites | |
| Pinterest Tag | 51 sites | |
| Optimizely | 48 sites |
Violations clustered in verticals that pair high traffic with sensitive intake — but no category was clean.
| Vertical | Pre-consent violations |
|---|---|
| SaaS | 154 sites with a pre-consent violation |
| E-commerce | 96 sites with a pre-consent violation |
| Fintech | 61 sites with a pre-consent violation |
| Legal | 39 sites with a pre-consent violation |
| Healthcare | 38 sites with a pre-consent violation |
| Home services (HVAC) | 22 sites with a pre-consent violation |
Nearly every site in this set had some consent setup — a banner, a cookie notice. The trackers fired anyway, because a banner only helps if it actually blocks scripts until a visitor clicks, and most are mis-configured or quietly bypassed by tags added later. The only way to know is to watch the network in a real browser.
See if your site fires trackers before consent — free, 30 seconds.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.
Methodology: figures reflect RegSentry automated scans of 1,478 business websites through July 2026, detecting third-party requests that fire before a consent signal. Exposure is the CIPA § 637.2 statutory ceiling ($5,000 per California session) applied to self-reported traffic — a directional maximum, not a prediction, and not legal advice. A tracker's presence is not by itself proof of a violation.