Earlier this week, a new client reached out to us.
Not because they found us through a referral or saw something we posted. They reached out because a letter had appeared at their door—a formal legal notice from a privacy law firm citing California's data privacy law regarding cookie tracking on their website.
Before they even called us, they had already logged into their website and stripped out every piece of tracking code they could find. Google Analytics. Google Ads Conversion Tracking. HubSpot UTM Persistence. All of it. Gone.
I completely understand the reaction. When legal language shows up with your business name on it, you go into survival mode.
But here's what made it particularly painful: they already had a cookie consent pop-up on their website. It just wasn't set up correctly.
This is the third violation letter we've encountered in 2026.

Let's start from the beginning, because most explanations make this more complicated than it needs to be.
When someone visits your website, small files called cookies get placed on their device. Some of these are essential — they keep the site functioning, remember your login, that kind of thing. But many are not essential. They track behavior, feed data to advertising platforms, and build visitor profiles.
Here's the part that matters legally: you are not allowed to drop non-essential cookies on someone's device without their permission.
That permission has to be:
Informed: the visitor has to know what they're agreeing to
Active: they have to make a choice, not just scroll past a banner
Prior: consent must happen before any non-essential cookies fire, not after
This is where most websites fall apart. A banner stating "By continuing to browse, you agree to our use of cookies" does not constitute valid consent. A pop-up that pre-checks all the boxes is not valid consent. A notice buried in your footer that links to a privacy policy is not valid consent.
Valid consent looks like this: a clear banner appears when someone lands on your site, before anything tracks them, with a genuine Accept and Reject option. If they reject, non-essential tracking does not run. Full stop.
California's CCPA gives residents and their attorneys the legal right to take action against websites that don't follow these rules. And as we're seeing firsthand, they are starting to use it.
How to audit your current setup
You don't need a lawyer or a developer to do a basic audit. Here's where to start:
Step 1: Visit your own website as a stranger.
Open your site in a private/incognito browser window. Does a consent banner appear before you do anything else? Or does the page just load normally?
If the page loads without a consent prompt, your tracking is almost certainly firing before any consent is collected.
Step 2: Check what your banner actually does.
If you do have a banner, look closely. Is there a clear way to reject cookies rather than just accept them? Is the reject option as visible and accessible as the accept option? (A bright green "Accept All" button next to a tiny grey "Manage Preferences" link is not a balanced choice.)
Step 3: Test whether rejection actually works.
Accept everything, then visit your Google Analytics or Meta Events Manager. Do you see your visit tracked? Now, clear cookies, go back, and reject everything. Do you still show up? If you do, your consent tool is connected to your banner but not actually blocking anything.
This last point is the most common failure we see. The banner exists. The consent tool is installed. But the two were never properly connected, so tracking runs regardless of the visitor's choice.
Step 4: Check your cookie categories.
A compliant setup categorizes cookies by type — Essential, Analytics, Marketing, Preferences — and lets visitors accept or reject each category. If your banner is just "Accept All" or "Decline All" with no middle ground, that's worth revisiting.
Google Analytics will recognize when you’ve got it right: the consent settings in GA4 will show “Excellent”.
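One way to run the checks from Steps 1 and 3 against a recorded network log, as an added example that is not part of the original post. It assumes a HAR file exported from the browser's developer tools in a private window and a hand-noted time for the banner click; the host list, function names, and sample data are constructed for illustration.

```javascript
// Illustrative, non-exhaustive list of tracking hosts (assumption: extend for your own stack).
const TRACKER_HOSTS = [
  "google-analytics.com", "googletagmanager.com", "doubleclick.net",
  "connect.facebook.net", "hs-scripts.com", "hs-analytics.net",
];

function isTrackerHost(hostname) {
  return TRACKER_HOSTS.some((h) => hostname === h || hostname.endsWith("." + h));
}

// har:    parsed HAR object (devtools "Save all as HAR").
// choice: { action: "accept" | "reject" | null, at: ISO time of the banner click, or null }
// Returns tracker requests that started before any choice, or after a reject.
function auditHar(har, choice) {
  const choiceTime = choice.at ? Date.parse(choice.at) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (!isTrackerHost(url.hostname)) continue;
    const started = Date.parse(entry.startedDateTime);
    let reason = null;
    if (started < choiceTime) reason = "fired before any consent choice";
    else if (choice.action === "reject") reason = "fired after reject";
    if (reason) findings.push({ host: url.hostname, path: url.pathname, reason });
  }
  return findings;
}

// Constructed sample: page load, an analytics hit before the banner click,
// and an ads hit after the visitor rejected.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2026-01-10T10:00:00.200Z",
    request: { url: "https://www.example.com/" } },
  { startedDateTime: "2026-01-10T10:00:00.900Z",
    request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
  { startedDateTime: "2026-01-10T10:00:06.000Z",
    request: { url: "https://googleads.g.doubleclick.net/pagead/example" } },
  { startedDateTime: "2026-01-10T10:00:06.500Z",
    request: { url: "https://www.example.com/about" } },
] } };
const SAMPLE_CHOICE = { action: "reject", at: "2026-01-10T10:00:05.000Z" };

console.log(auditHar(SAMPLE_HAR, SAMPLE_CHOICE));
```

Treat each finding as something to review rather than a verdict: some tags send cookieless requests when consent is denied, so confirm against the cookies actually set in the browser.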

The fix is simpler than you think — but it has to be done right
The good news is that getting compliant doesn't require rebuilding your website or removing your tracking. Our client, who stripped everything out, didn't need to do that. What they needed was a properly configured consent management platform (CMP) connected correctly to their tracking tools.
There are solid tools that handle this. We prefer Termly.io, but Cookiebot, OneTrust, and Complianz are among the most widely used. The tool itself is only half of it. The configuration is where most people go wrong.
A cookie consent banner that looks like compliance and one that is compliant are two very different things.
Not sure where you stand?
We offer website compliance audits that look at exactly this — what's firing on your site, whether your consent setup is actually blocking what it should, and what needs to change to get you covered.
If you want a set of fresh eyes on your setup before a letter arrives, reply to this email or reach out at https://www.clearglance.com/contact. We'll take a look and tell you honestly where things stand.
You don't have to figure this out alone — and you definitely don't want to figure it out after the fact.
