Plaintiff firms are sending thousands of CIPA demand letters over pixels, chat widgets, and session recording tools running without consent — with no revenue threshold to qualify as a target. Enter your URL and see, in about ten seconds, what an automated scan finds on your homepage.
82% of 208 sites we scanned last month showed at least one tracking-consent issue · No signup required
Meta, TikTok, Google, Bing and other pixels firing before any consent choice.
CIPA — wiretap theoryClarity, Hotjar, FullStory and similar tools capturing visitor sessions.
CIPA — recording theoryThird-party chat tools that can share conversation data off-site.
CIPA — transcript sharingWhether a cookie banner exists, and whether declining actually stops tracking.
CCPA/CPRA §1798.135The specific opt-out link CCPA requires in your footer or privacy page.
CCPA/CPRA §1798.135Every finding is something the scan actually observed — a specific script, a specific cookie, a specific missing link. We never tell you that you're "violating the law." We tell you what a plaintiff's technical expert would also find if they looked.
The cookie banner (or lack of one) gives visitors no way to opt out of tracking.
clarity.ms, googletagmanager.com, connect.facebook.net — all loaded on page arrival.
_fbp, _ga, MUID were set even though the Global Privacy Control signal was sent.
Enter your URL. We fetch your homepage and check it against 60+ known tracking, chat, and analytics vendors — no install, no signup.
Get a letter grade and a plain-English breakdown of exactly what's running on your site and why it matters.
Follow the fix guidance yourself, or ask us to quote the work — then let weekly monitoring make sure it stays fixed.
Sites re-break constantly — a theme update, a new marketing app, an agency edit to GTM. Staying off the demand-letter target list is an ongoing job, not a one-time fix.
CIPAScan performs automated technical scans and reports what it observes. It is not a law firm and does not provide legal advice or determine legal compliance.
No. CIPAScan reports technical observations — which scripts loaded, which cookies were set, whether specific links exist. Whether any of that creates legal exposure is a judgment call for your attorney, not something an automated scan can determine.
The California Invasion of Privacy Act is a decades-old wiretapping law now being applied to website trackers. It allows a private citizen to sue for $5,000 per violation with no need to prove actual harm, and — unlike CCPA — it has no company size or revenue threshold, so it can apply to any business with a website.
You'll get an email with a magic sign-in link — no password to set. From your dashboard you can add up to 3 sites, see full reports, and get your embeddable trust badge. Weekly scans start automatically.
Yes — paying subscribers can request a custom-quoted, done-for-you fix on any finding. We don't automate changes to your site; a person reviews it and quotes the work.
No. We scan your public homepage the way any visitor's browser would and store only the scan results. We don't collect anything about the people who visit your site.