A new kind of letter is landing in small business inboxes. It comes from a law firm, usually in California, and it says your website recorded a visitor’s activity without permission: the analytics script, the Facebook pixel, the chat widget, maybe a session replay tool you forgot you installed. It cites the California Invasion of Privacy Act, mentions statutory damages of $5,000 per violation, and offers to settle.
These letters are not a scam, and they are not only going to big companies. Small businesses are attractive targets because most will pay a nuisance settlement rather than hire defense counsel. The good news: the thing that defeats these claims is cheap and takes an afternoon to set up. That is what this guide covers.
First, the disclaimer we owe you
We build CRM software. We are not a law firm, this is not legal advice, and your situation may differ based on where you operate and what your site does. What follows is the practical setup work we did on our own website and what we have learned helping small businesses run theirs. For decisions with real legal stakes, especially if you have already received a letter, talk to a privacy attorney. It is worth the hour of their time.
The one rule that matters
Almost everything about cookie compliance collapses into a single rule: nothing that tracks a visitor should run until that visitor says yes.
Not “runs, but we mentioned it in the privacy policy.” Not “runs, but there is a banner they can dismiss.” Running first and asking second is exactly what the demand letters allege, because a recording that happens before consent cannot be un-recorded by a banner click afterward. Lawyers call this the millisecond problem.
A banner that satisfies the rule looks like this:
- Analytics and marketing scripts stay off until the visitor makes a choice
- “Reject” is right next to “Accept,” the same size, one click
- Closing the banner with the X is treated as “no,” not “yes”
- The visitor can change their mind later through a link in your footer
- If the visitor’s browser sends a Global Privacy Control signal, marketing tracking stays off automatically
If your current banner just says “we use cookies” with an OK button while Google Analytics loads underneath it, you have decoration, not consent. That is the most common setup we see, and it is the one the letters target.
What counts as tracking on a typical small business site
Take an inventory before you configure anything. Open your site in a private browsing window and think about everything you or your marketing person ever installed:
- Google Analytics (GA4)
- Ad pixels: Meta (Facebook/Instagram), Google Ads, TikTok, LinkedIn
- Session replay and heatmaps: Hotjar, Microsoft Clarity, FullStory. These record scrolls, clicks, and sometimes keystrokes, and they are the single most litigated category
- Chat widgets, which capture conversation content
- CRM visitor tracking, and yes, that includes ours. If you added SMBcrm’s tracking snippet to your site so you can see which marketing source brought in a lead, that script is part of your tracking surface and it needs consent like everything else
Forms and booking calendars a visitor chooses to fill out are a different category. Someone typing into your contact form is handing you their information on purpose. The scripts that watch people who never asked to be watched are the issue.
If you built your site on SMBcrm
If your website or funnels run on SMBcrm’s builder, you already have a consent banner available. You just have to turn it on, and it is a per-site job: open each website or funnel in the page editor, click the cookie consent banner settings icon in the top action bar, and enable it on every site and funnel you run, not just your homepage.
Three settings inside it matter more than the colors:
- Compliance type. Choose the ask-to-opt-in mode. The “don’t ask” mode shows a notice without asking for anything, which defeats the purpose.
- Region. Set the banner to show worldwide. A banner shown only to EU visitors does nothing about California, and California is where the letters come from.
- The cookie list. The banner recognizes the usual suspects like Google Analytics and the Meta pixel on its own, and a built-in scanner helps fill in the rest. Anything custom you pasted into the builder’s code settings is yours to add, along with a link to your privacy policy in the banner text.
Once the banner is on, the chat widget handles itself: it waits and loads only after a visitor consents. Forms and booking calendars have their own consent checkboxes for marketing and text-message follow-up. That is a different kind of consent than cookies, but turn it on for the same reason.
Two caveats. First, the banner’s script coverage works by recognizing known tools, so if you pasted extra tracking code into your site, run the reject test described below and confirm it stays quiet until someone accepts. Second, if you run Google Ads, ask whoever manages them about Google Consent Mode: since mid-2026 Google requires those signals for ad conversion data, and they need their own wiring beyond a banner.
If your site runs on WordPress, Wix, Squarespace, or Shopify
Most of our customers run their main site somewhere else and embed SMBcrm pieces into it. The rule is the same everywhere; only the switch you flip changes.
WordPress has no native banner, so you need a consent plugin. Complianz and CookieYes are the two we see small businesses succeed with, and both do real blocking rather than showing a notice. The catch: they only auto-block services they recognize, and a CRM tracking snippet is not in anyone’s recognition database. You classify it yourself. On Complianz’s free tier that means a small edit to the snippet itself (their docs walk through it, and so will our support team); the paid tier makes it point-and-click in their Script Center. One CookieYes warning worth knowing: its free plan stops showing the banner entirely past 5,000 pageviews a month, which silently switches your consent off right as your traffic grows.
Wix has real blocking built in under Settings, then Privacy & Cookies, with one rule that matters: it only governs code added through Settings, then Advanced, then Custom Code, where Wix makes you pick a category for every snippet. Add your tracking code there and tag it Marketing. Code dropped into a page’s HTML embed element never gets asked the category question, and the banner will not control it.
Squarespace ships a cookie banner, but it manages Squarespace’s own analytics only; scripts you paste into Code Injection are generally not blocked by it. The banner shows, your custom trackers run anyway. If you have injected tracking code, add a dedicated consent tool that does real script blocking and let it take over. (Code Injection itself requires the Business plan or higher, so if you have never seen that menu, this section is not your problem yet.)
Shopify has a real consent system in Settings under Customer Privacy, and a right way into it: do not paste tracking scripts into your theme code. Add them under Settings, then Customer events, as a custom pixel, set its permission to required, and tick Marketing as the purpose. That one checkbox puts your script behind the same consent gate as Shopify’s own pixels. The limit: custom pixels run in a sandbox, so a snippet that needs to touch the page itself, like a chat bubble, will not work there and needs different handling.
Platform menus move around, so treat the names above as search terms in your platform’s help center rather than a frozen map.
Whatever platform you are on, the test is the same: open your site in a private window, reject everything, and watch the network tab (or just use a browser extension like a tracker blocker’s counter). If analytics or pixel requests still fire after you rejected, the banner is not blocking anything and you are not done.
The checklist
- Inventory every script on your site. If you do not recognize one, find out what it is before deciding its fate.
- Remove what you do not use. The tracker you deleted is the one that can never generate a letter. Session replay tools you never look at are a favorite target.
- Install a banner that actually blocks. Consent first, tracking second.
- Make reject equal to accept. Same size, same click count. Closing the banner is not a yes.
- Honor Global Privacy Control. A dozen states now require it, and it removes an entire argument from any future complaint.
- Update your privacy and cookie policy so it lists what you actually run. A policy that promises a banner you do not have, or omits a pixel you do have, makes things worse, not better.
- Keep proof. Good consent tools log each visitor’s choice with a timestamp. If a letter ever arrives, that log is your answer.
Then put a reminder in your calendar to re-check the inventory quarterly, and re-run the private-window test any time you or an agency adds a new tool.
What we did on our own site
We did not write this guide from theory. This month we rebuilt smbcrm.com’s own tracking to be consent-first: nothing non-essential loads until a visitor says yes, reject is one click, Global Privacy Control is honored automatically, and every choice is logged with a receipt. You can see the result, including the full table of every cookie we set and why, on our cookie policy page. If you want to sanity-check your own setup, that page is a reasonable template for what “done” looks like.
Run your marketing on a platform that takes this seriously
SMBcrm gives you CRM, marketing automation, funnels, and booking in one place, with consent tooling built into the website builder. Every plan is backed by a 60-day money-back guarantee.
See plans & pricing or schedule a demo and we will show you around.