
March 11, 2026

How to Avoid Tracking Pixel Lawsuits: CIPA Compliance for Business Owners

By Chris Vendilli 11 Minute Read

In the seven days before we recorded this interview, three business owners contacted Termageddon after receiving demand letters asking for $50,000 in damages. Their offense? Having a Meta Pixel or LinkedIn Tag on their website without a proper consent mechanism in place. One business owner didn't even know the pixel was still active. It was left over from an ad campaign that ended three years ago.

This is not a hypothetical risk. It is happening right now, and the pace is accelerating. Attorneys are filing a dozen or more demand letters per day, each one targeting businesses for loading tracking technologies without obtaining user consent. The law they are using is called the California Invasion of Privacy Act (CIPA), and it applies to any website that California residents can visit, regardless of where your business is located.

If your website runs Meta Pixel, LinkedIn Tag, Google Analytics, or any other tracking script, and you do not have a cookie consent banner blocking those technologies until visitors opt in, your business is exposed to this exact scenario.

We recently sat down with Hans Skillrud, co-founder of Termageddon, to break down what is driving this wave of tracking pixel lawsuits, what every business owner needs to understand about CIPA compliance, and what you can do right now to protect yourself. The full interview is below, and this post covers every key takeaway along with our recommendation for getting this handled.

Disclaimer: A quick note before we dive in. We are not attorneys, and nothing in this post or in the interview below should be construed as legal advice. We created this content because we care deeply about our clients and small business owners. We believe every business owner deserves to understand the risks they are facing right now. For any legal decisions related to your specific situation, please consult with a qualified attorney. What we can do is point you toward the tools and resources that we trust and use ourselves, and that is exactly what this post is about.

Watch the Full Interview with Hans Skillrud, Co-Founder of Termageddon

 

What Is the California Invasion of Privacy Act (CIPA)?

CIPA was written over 30 years ago as a California wiretapping law. Its original purpose was to prevent eavesdropping on phone calls. The law makes it illegal for any third party to secretly monitor a communication without consent.

Here is the problem: the law regulates "communications" broadly. A growing number of attorneys have realized that when a website loads a tracking pixel, that pixel monitors the visitor's activity and sends data to a third party (Meta, LinkedIn, Google) without the visitor ever agreeing to it. Under CIPA, that can be treated as unauthorized monitoring of a communication.

The result is a wave of what many in the industry are calling "privacy trolls." These attorneys systematically visit websites, identify tracking technologies firing without consent, and send demand letters seeking damages. Some of these letters ask for $20,000. Others ask for $50,000 or $60,000. Many settle for $5,000 to $8,000 after back-and-forth negotiation. But even at the settlement level, that is a serious hit for a small business.

What makes CIPA different from most privacy laws is the enforcement mechanism. Laws like CPRA (California Privacy Rights Act) or GDPR carry government-imposed fines. CIPA allows private right of action. That means any individual can directly sue for damages of up to $5,000 per violation. No government agency needs to get involved. That is why it has become the weapon of choice for this type of litigation.

How Meta Pixel and LinkedIn Tag Trigger CIPA Lawsuits

The lawsuits follow a predictable pattern. An attorney visits your website. Your site has Meta Pixel, LinkedIn Tag, or another tracking script firing in the background. That script starts collecting data about the visitor the moment the page loads, before the visitor has provided any form of consent.

The attorney then sends a demand letter claiming that they were tracked without permission under CIPA and that they are entitled to damages.

Hans shared something during our conversation that really drives this home: many of the business owners who contacted him had no idea the offending pixel was even on their site. It was installed for an ad campaign years ago, the campaign ended, and nobody thought to remove the script. That leftover pixel became a liability sitting in plain sight.

The tracking technologies most commonly cited in these demand letters include Meta Pixel (formerly Facebook Pixel), LinkedIn Tag (LinkedIn Insight Tag), TikTok Pixel, Microsoft Bing tracking, session replay tools, and chatbot widgets. If any of these load on your website before a visitor has given explicit consent, you are exposed.

Does My Website Need a Privacy Policy?

Yes. If your website collects any form of personally identifiable information, and that includes names, email addresses, phone numbers, and even IP addresses captured through analytics tools, you are almost certainly required by law to have a compliant privacy policy.

The critical thing to understand is that privacy laws do not care where your business is located. They care about whose data you are collecting. If a California resident visits your website, California's privacy laws apply. If someone from the EU visits, GDPR applies. If a Canadian visits, PIPEDA may apply. Your website is available to anyone anywhere, which means multiple privacy laws likely apply to your business right now.

Here is a snapshot of the major privacy laws that could affect your website:

  • California: CIPA (allows private lawsuits for tracking without consent), CPRA (applies to larger businesses with $25M+ revenue or 100K+ consumer records), CalOPPA (applies broadly to any site collecting personal info from Californians)
  • Federal/International: GDPR (EU residents), UK Data Protection Act (UK residents), PIPEDA (Canada), Australia Privacy Act
  • Emerging state laws: Kentucky and Rhode Island went into effect in January 2026. Colorado, Virginia, Connecticut, and Indiana all have active privacy laws with varying thresholds. More states are introducing bills every year.

Termageddon currently covers over 120 website-related laws, rules, and regulations across the US, EU, UK, Canada, and Australia. The landscape is constantly evolving, which is exactly why a static, copy-and-pasted privacy policy template is a liability waiting to happen.

Why a Generic Privacy Policy Template Will Not Protect You

Before we partnered with Termageddon, we had a privacy policy on our own site that came from a free template generator years ago. When we ran our site through Termageddon's onboarding process, the difference was staggering. The comprehensive, customized policy that Termageddon generated was dramatically more thorough than what we had been relying on.

The reason is straightforward. Privacy laws are not one-size-fits-all. Your business might need to comply with seven, ten, or even fifty different privacy laws depending on where your website visitors are located. Each of those laws has its own specific disclosure requirements. A template pulled off Google five years ago covers none of that.

Hans put it simply during our conversation: a policy needs to address the exact disclosures required under each privacy law that applies to your specific business. Termageddon's onboarding questionnaire is designed to figure out which laws apply and then generate the specific disclosures required under those laws. If you select "non-profit" as your entity type, the entire questionnaire changes because certain laws do not apply to non-profits. That level of customization is the point.

And when you consider that a custom privacy policy from a privacy attorney typically costs $4,000 to $8,000 for a single-jurisdiction policy, and $60,000 to $120,000 for comprehensive multi-jurisdictional coverage, a $119/year Termageddon license becomes an obvious choice for most small and mid-sized businesses.

Why You Need a Cookie Consent Banner

A compliant privacy policy is essential, but it alone will not protect you from a CIPA-style demand letter. The actual mechanism that stops tracking technologies from firing without consent is a cookie consent banner.

Here is how it works. A properly configured cookie consent tool blocks all non-essential cookies, pixels, and tracking scripts from loading when someone first visits your website. The visitor sees a consent banner and can choose to accept or decline tracking. Only after they click "accept" does the tool release those scripts to start collecting data.

This is the core issue in every CIPA demand letter: tracking technologies fired without the visitor's consent. If you have a cookie consent banner that blocks those technologies by default and only enables them after consent is granted, you have addressed the fundamental compliance requirement.

Termageddon includes a cookie consent tool as part of their platform. It integrates with their privacy policy and scans your site for cookies and tracking technologies.

As marketers, we understand the tension here. We want conversion data reported back to our ad platforms. We need to know our campaigns are working. But the trade-off is clear: the cost of a cookie consent banner is a fraction of what a single demand letter could cost your business. Running campaigns without proper consent mechanisms in place is a risk that no business should be taking in 2026.

Hans actually made a point during our interview that stuck with us. He said that most marketing agencies hate cookie consent tools. They tell clients not to worry about it. And he hears it constantly. But that mindset is exactly what is getting businesses into trouble right now. We take the opposite approach at VDG. We see cookie consent as a necessary part of running responsible marketing campaigns, not an obstacle to them.

CIPA Compliance: What to Do Right Now

If you have read this far and you are realizing your website might be out of compliance, here is what we recommend:

Audit your website for tracking technologies. Identify every cookie, pixel, tracking script, analytics tool, and third-party plugin on your site. Many businesses have leftover pixels from old ad campaigns that are still firing in the background. If you do not know what is on your site, you cannot protect yourself.

Get a compliant privacy policy in place. Whether you work with a privacy attorney or use a platform like Termageddon, make sure your policy is comprehensive, covers the laws that apply to your business based on where your visitors are located, and is kept current as laws change. A stale template from five years ago is not going to hold up.

Install a cookie consent tool. Block tracking technologies from firing until the visitor provides explicit consent. This is your primary defense against CIPA demand letters. A privacy policy tells visitors what data you collect. A cookie consent banner actually prevents collection until they say yes.

Do not treat this as a one-time fix. New state privacy laws go into effect every year. Existing laws get amended. Kentucky and Rhode Island just went into effect. More are coming. You need an ongoing strategy, and that is where auto-updating solutions like Termageddon really earn their value.
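The audit and consent-blocking steps above can be spot-checked against a page's served HTML. The JavaScript below is an added example, not code from Termageddon or from this post: it flags known tracker scripts that would execute on page load. It assumes the consent tool gates scripts by giving them a non-executable type such as `text/plain` (a common convention the post does not specify); the sample HTML and the `G-EXAMPLE` id are constructed.

```javascript
// Added example: static check for tracker scripts that would run before consent.
// Patterns are the vendors' public script hosts; extend the list for your own stack.
const TRACKERS = [
  { name: "Meta Pixel", pattern: /connect\.facebook\.net/i },
  { name: "LinkedIn Insight Tag", pattern: /snap\.licdn\.com/i },
  { name: "TikTok Pixel", pattern: /analytics\.tiktok\.com/i },
  { name: "Microsoft UET (Bing)", pattern: /bat\.bing\.com/i },
  { name: "Google Analytics / gtag", pattern: /googletagmanager\.com|google-analytics\.com/i },
];

// Assumption: a gated script carries a type the browser will not execute
// (for example type="text/plain") until the consent tool restores it.
const EXECUTABLE_TYPES = new Set(["", "text/javascript", "application/javascript", "module"]);

// Read one attribute value from a tag's attribute string (null if absent).
// The leading (?:^|\s) keeps "src" from matching "data-src".
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return one finding per tracker reference found in a <script> element.
function auditHtml(html) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const src = attr(attrs, "src");
    const type = (attr(attrs, "type") || "").trim().toLowerCase();
    // A script runs on load if its type is executable and it has a src or a body.
    const runs = EXECUTABLE_TYPES.has(type) && (src !== null || body.trim() !== "");
    for (const t of TRACKERS) {
      if (t.pattern.test(`${attrs} ${body}`)) {
        findings.push({ tracker: t.name, location: src ? "external" : "inline", gated: !runs });
      }
    }
  }
  return findings;
}

// Trackers that would fire before the visitor has made a choice.
function ungatedTrackers(html) {
  return auditHtml(html).filter((f) => !f.gated);
}

// Constructed sample page: two ungated trackers, one gated, one first-party script.
const SAMPLE_HTML = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  !function(b,e,v){ /* constructed stub of an inline pixel loader */
    var s=b.createElement(e); s.src=v; b.head.appendChild(s);
  }(document, 'script', 'https://connect.facebook.net/en_US/fbevents.js');
</script>
<script type="text/plain" data-category="marketing" src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
<script src="/assets/app.js"></script>
</head><body></body></html>`;

console.log(ungatedTrackers(SAMPLE_HTML));
```

This reads only the markup as served, so pixels injected at runtime by a tag manager container will not appear in it. Confirm the result in the browser's network panel on a first visit, before interacting with the banner.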

What Makes Termageddon Different

Termageddon was co-founded by Hans Skillrud and his wife Donata Skillrud. Donata is a licensed privacy attorney who serves as Chair of the American Bar Association's ePrivacy Committee and was elected to represent the ABA at the United Nations to help write privacy laws. The platform is the longest-running privacy policy generator listed as a vendor by the International Association of Privacy Professionals (IAPP).

A few things stand out about the platform:

The questionnaire is thorough for a reason. Every question exists because a specific privacy law requires a specific disclosure based on your answer. The tool determines which laws apply to your business and then generates the exact disclosures required. It is not a template. It is a policy built around the way your business actually operates.

Policies auto-update as laws change. Termageddon monitors over 120 laws and pushes updates through the embed codes on your site automatically. When Kentucky's new privacy law went into effect in January 2026, Termageddon customers did not need to do anything. The update rolled out on its own.

It is built by humans, not AI. In a world where everyone is rushing to use AI for everything, Termageddon is proudly human-built when it comes to their legal policy engine. Donata's team reads and re-reads every law, calls government agencies for clarification on ambiguous language, and goes through extensive QA. When you are dealing with legal documents that could determine whether you get sued, that human oversight matters.

The pricing is hard to beat. A Termageddon license runs $12 per month or $119 per year. That includes a privacy policy, terms of service, disclaimer, cookie policy, end user license agreement, and cookie consent tool for one website.

Attorneys can use it too. Termageddon offers full customization capabilities and a law firm partner program. Many attorneys use the platform to build the foundation, then review and customize from there. It is the best of both worlds for businesses that want attorney oversight without the full cost of custom policy drafting.

GDPR and International Compliance

If your website is accessible to visitors outside the United States, GDPR and other international privacy laws likely apply to you. GDPR was the privacy law that captured the world's attention when it went into effect in 2018, and its reach extends beyond Europe.

If you offer goods or services to EU residents, or if you monitor the behavior of EU residents (which includes tracking their website activity for analytics or advertising purposes), you are required to comply with GDPR. There have been US companies fined for GDPR non-compliance. It is not just a European concern.

GDPR introduced the concept of requiring a "legal basis" for processing someone's personal data. For most websites, that legal basis comes through a consent banner where the user explicitly opts in. This is another reason a cookie consent banner is not optional for any website with international traffic.

Termageddon has covered GDPR since 2018, along with the UK Data Protection Act (which went into effect when the UK left the EU), Canada's PIPEDA, Quebec's Law 25, Australia's Privacy Act, and dozens of other international regulations.

Why We Partner with Termageddon

At Vendilli Digital Group, we build and manage websites for businesses across industries. We run ad campaigns. We install tracking pixels. We configure analytics platforms. All of that work puts our clients in the crosshairs of these privacy laws, and it would be irresponsible for us to ignore it.

We partner with Termageddon because it is the most practical, thorough, and affordable solution we have found for getting our clients' websites into compliance and keeping them there. We have experienced firsthand how their platform generates comprehensive policies that address the full scope of applicable laws, and we have seen how their cookie consent tool blocks tracking technologies until consent is obtained.

If you are a Vendilli Digital Group client, talk to your account manager about getting Termageddon set up on your site. If you are not a client but want to protect your business, you can sign up directly at Termageddon.com. Use promo code BUSINESS at checkout to get 10% off your first year. We recommend the annual plan at $119/year for the best value.

The demand letters are landing in inboxes right now. The cost of getting this right is a fraction of what it costs to get it wrong. Do not wait for the lawsuit to arrive.

Disclosure: Vendilli Digital Group is an affiliate partner of Termageddon. We recommend them because we use them ourselves and believe in their product. If you purchase through our link, we may earn a small commission at no additional cost to you.

Frequently Asked Questions

Does my website need a privacy policy?

Yes. If your website collects any personally identifiable information (names, emails, phone numbers, IP addresses), you are likely required by one or more privacy laws to have a privacy policy. These laws are based on where your visitors are located, not where your business is based.

What is the California Invasion of Privacy Act (CIPA)?

CIPA is a California law originally written over 30 years ago to prevent eavesdropping on phone calls. Attorneys are now using it to target websites that load tracking technologies (like Meta Pixel or LinkedIn Tag) without getting user consent first. Unlike most privacy laws, CIPA allows individuals to sue for damages of up to $5,000 per violation.

Are tracking pixels legal?

Tracking pixels like Meta Pixel and LinkedIn Tag are legal to use, but many privacy laws require you to obtain user consent before firing them. Without a cookie consent banner that blocks these technologies by default, you could face demand letters or lawsuits under laws like CIPA.

Do I need a cookie consent banner on my website?

If your website uses cookies, tracking pixels, or analytics tools that collect data from visitors in jurisdictions with consent requirements (EU, California, Canada, and others), you likely need a cookie consent banner that blocks tracking by default and only enables it after the visitor gives explicit consent.

How much does a custom privacy policy cost?

A single-jurisdiction policy from a privacy attorney typically costs $4,000 to $8,000. Comprehensive multi-jurisdictional coverage can cost $60,000 to $120,000. Termageddon provides auto-updating coverage across 120+ laws for $119 per year.

Does Termageddon cover GDPR?

Yes. Termageddon has covered GDPR since 2018, along with the UK Data Protection Act, Canada's PIPEDA, Australia's Privacy Act, and over 120 total laws, rules, and regulations. Policies auto-update when these laws change or new ones go into effect.

What tracking technologies trigger CIPA lawsuits?

The most commonly cited include Meta Pixel (formerly Facebook Pixel), LinkedIn Tag, TikTok Pixel, Microsoft Bing tracking, Google Analytics cookies, session replay tools, and chatbot widgets. Even if a pixel is leftover from a campaign you no longer run, it can still create liability if it is firing on your site without consent.

What is the difference between CIPA and CPRA?

CPRA (California Privacy Rights Act, formerly CCPA) is a privacy law that generally applies to larger businesses and carries government-imposed fines for non-compliance. CIPA (California Invasion of Privacy Act) applies more broadly, does not have revenue thresholds, and allows individuals to directly sue businesses for damages. That private right of action is what makes CIPA the primary vehicle for the tracking pixel lawsuit wave.

Get Protected: How To Avoid Pixel Tracking Lawsuits

We took the time to write this post and record this interview because this issue is real, it is urgent, and it is affecting businesses we work with every day. If you are ready to take action, here is how we can help.

If you are a Vendilli retainer client: Contact your account manager and we will schedule a complimentary setup session to walk you through the Termageddon onboarding wizard, generate your privacy policies, and configure your cookie consent banners. There is no fee for the setup. The only cost you will need to cover is the annual Termageddon license ($119/year).

If you are not a retainer client but we built your website: Reach out to us and for a small fee we will do a one-hour guided consultation (Termageddon site license fees will obviously also apply, currently at $119/year). We will walk through the Termageddon setup with you step by step, help you answer the questionnaire, get your policies generated, and configure your cookie consent tool. We will also use that time to answer any questions you might have about your web presence or digital marketing goals. Think of it as a privacy compliance session and a strategy check-in rolled into one.

If you are not a client but want to explore Termageddon on your own: You can sign up directly at Termageddon.com and use promo code BUSINESS at checkout to get 10% off your first year. That promo code is a special offer that Hans extended to our podcast listeners and readers.

Whatever path makes sense for you, do not put this off. The demand letters are not slowing down, and the cost of getting compliant is a fraction of what a single claim could cost your business.

Chris Vendilli
About the Author
Chris is the founder and CEO of Vendilli Digital Group. In his free time, you’ll find him camping, fishing, or playing beer league ice hockey with a bunch of guys who refuse to admit they’re already over the hill.
