Free scan
Data report · 2026

The state of website tracking: we scanned 1,478 small-business sites

58% fired at least one tracking pixel before the visitor consented — the exact pattern behind California's CIPA § 631 session-replay lawsuits. Here is what is running, on whom, and what plaintiffs argue it is worth.

1,478
SMB sites scanned with a real browser
58%
fired a tracker before consent
$1.1M
median statutory-ceiling exposure per site
66%
of violations were high-severity

What we found

We ran RegSentry's headless-browser scan against 1,478 small- and mid-sized business websites and watched exactly when each third-party script first contacted its server. On 857 of them (58%), at least one tracker fired before the visitor was given a consent choice. Across those sites we recorded 1,889 distinct CIPA § 631 exposures — an average of 2.2 pre-consent trackers per affected site, and 261 sites were running three or more.

Under California Penal Code § 631 (with statutory damages set by § 637.2), plaintiffs argue every California visitor session recorded before consent is a separate violation worth up to $5,000. Applied to the traffic these sites report, that works out to a median statutory ceiling of $1.1M per site — the theoretical maximum plaintiff firms cite, not a prediction of what any site would owe.

The trackers firing before consent

The most common culprits are the everyday marketing and analytics tags almost every site installs — frequently added by a marketing team long after the consent banner was set up.

TrackerFound on
Meta Pixel322 sites
Microsoft Clarity209 sites
LinkedIn Insight Tag198 sites
Sentry182 sites
Hotjar119 sites
HubSpot Tracking102 sites
TikTok Pixel73 sites
VWO66 sites
Datadog RUM62 sites
Twitter/X Pixel53 sites
Pinterest Tag51 sites
Optimizely48 sites

Who is most exposed

Violations clustered in verticals that pair high traffic with sensitive intake — but no category was clean.

VerticalPre-consent violations
SaaS154 sites with a pre-consent violation
E-commerce96 sites with a pre-consent violation
Fintech61 sites with a pre-consent violation
Legal39 sites with a pre-consent violation
Healthcare38 sites with a pre-consent violation
Home services (HVAC)22 sites with a pre-consent violation

The gap most owners miss

Nearly every site in this set had some consent setup — a banner, a cookie notice. The trackers fired anyway, because a banner only helps if it actually blocks scripts until a visitor clicks, and most are mis-configured or quietly bypassed by tags added later. The only way to know is to watch the network in a real browser.

See if your site fires trackers before consent — free, 30 seconds.

Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.

Methodology: figures reflect RegSentry automated scans of 1,478 business websites through July 2026, detecting third-party requests that fire before a consent signal. Exposure is the CIPA § 637.2 statutory ceiling ($5,000 per California session) applied to self-reported traffic — a directional maximum, not a prediction, and not legal advice. A tracker's presence is not by itself proof of a violation.