Banner Scanner
And I’m not talking about your OneTrust renewal quote.
The age-old tension between Legal and Marketing over cookie compliance is being played out across the US right now. Mainly because of CIPA (the California Invasion of Privacy Act), which is being weaponised to sue organisations across the country for supposed non-compliance.
But unlike the CCPA or European ePrivacy rules, this isn’t an issue of choosing whether to comply with the law. With CIPA and other weaponised laws like it, it’s about choosing whether you want to defend yourself against a deliberate misinterpretation of the law. And that’s with the knowledge that doing so could materially hurt your business.
Having an opt-in cookie banner where scripts don’t load until a web visitor consents should protect you from most claims. But wherever you take that approach, you’re losing valuable analytics and advertising potential. And Marketing do not like that.
To make matters worse, the one state you likely want to target the most is the one you need to be the most defensive in. California.
And it’s not just California. Florida and Pennsylvania have these weaponised laws too, and others are following. And the cherry on top is ECPA, a federal law, which means the exposure doesn’t stop at state lines at all.
Defending yourself with an opt-in banner in California only is far from a solid strategy.
When you speak to Marketing people you’d think that turning off analytics will be the end of the world and certain death for the business. It’s far from that, but it can be massively problematic for two reasons.
The first is revenue. Depending on the nature of the business, cutting off big chunks of your marketing funnel can have serious commercial consequences. The second is more human. Most Marketing people live and die by their metrics, and have likely committed to goals that you’re now proposing they flush down the toilet. You’re asking them to go back to the business and explain that their whole analytics strategy might need to change. That’s a big toll on someone just trying to do their job.
But this is America, so let’s not worry too much about staff welfare, and keep our eye on what really matters. Money.
Measuring revenue impact from turning off website scripts is difficult. Marketing as an industry is notorious for not knowing which successes and failures come from which spend at the best of times, so trying to estimate the impact of a proposed switch-off will always be imperfect. But some factors help.
Assume around 25% of visitors will opt in from the banner. That still means you get zero stats on first page load, which often breaks analytics like ad attribution, but you will get the data after that. Beyond that, B2B is very different to B2C. B2B analytics are often more focused on intelligence to enhance your CRM, whereas B2C tends to be retargeting-heavy for personalised advertising. And sector matters too. Some luxury brands don’t advertise as heavily as other B2C companies. Some B2B SaaS providers serve such narrow markets that direct selling matters far more than website analytics anyway.
What’s important is that you estimate the impact as best you can.
Then measure the cost of doing nothing. For a US company, the chances of receiving a CIPA-style claim are high. Assume it’s inevitable. Claims in 2026 are likely to land between $10k and $40k, with the legal cost of defending them likely to surpass $10k on its own. Which means you also need to understand what you’d actually do in a claim. Is your CEO the type to swallow their pride and settle early to keep costs low? Or are they the type to refuse and see it through to its expensive conclusion? And do you even have budget for either?
With CIPA and the like, this isn’t about compliance. It’s about putting your business hat on and weighing up the best approach. Legal, Privacy, Marketing and the C-Suite need to be in the same room for this conversation.
The cookie banner isn’t a compliance checkbox. It’s a financial decision. Make it like one.
