TL;DR: CIPA claims surged past 800 filings in 2025 as courts increasingly examine how tracking tools fire, whether consent propagates, and if data is shared before user choice is enforced, according to OneTrust. The compliance problem is shifting from disclosure design to runtime control, where technical enforcement now defines defensibility.
NHIMG editorial — based on content published by OneTrust: CIPA Litigation Is Accelerating and Website Tracking Practices Are Getting Wrong
By the numbers:
- More than 800 CIPA claims were filed in 2025 alone.
- The statutory damages under CIPA are $5,000 per violation.
- Forbes Media recently agreed in principle to a $10 million settlement in a California wiretapping lawsuit.
Questions worth separating out
Q: What breaks when website consent controls are only enforced in the banner?
A: If consent is enforced only in the banner, tracking code can still fire before the choice is applied.
Q: Why do consent choices need to propagate across downstream systems?
A: A consent choice is only useful if every system that receives the data recognises it.
Q: How can organisations know if website tracking controls are actually working?
A: They should verify live production behaviour, not just banner configuration.
Practitioner guidance
- Inventory every active tracker and purpose map Create and maintain a live inventory of pixels, session replay tools, chat widgets, and marketing tags, then map each one to its actual purpose and legal basis.
- Block collection before consent at the execution layer Enforce consent checks where the script or tag fires, not only in the banner experience.
- Synchronise consent state across downstream systems Propagate consent and preference decisions into analytics platforms, adtech tools, CDPs, mobile apps, and data warehouses so the original choice persists beyond the first page view.
What's in the full article
OneTrust's full blog covers the operational detail this post intentionally leaves for the source:
- How the vendor maps specific tracking technologies, including pixels, session replay, and chat widgets, to litigation risk scenarios
- The practical consent-management patterns used to block firing before consent and propagate choice into downstream systems
- Examples of continuous monitoring checks for broken signals, deprecated scripts, and misconfigured banners
- How the article frames CIPA exposure across marketing, privacy, and engineering workstreams
👉 Read OneTrust's analysis of CIPA litigation and website tracking risk →
CIPA website tracking risk: are your consent controls keeping up?
Explore further
Consent enforcement has become an identity-adjacent control problem. CIPA litigation is exposing the gap between what a user selects and what the site actually executes. That gap looks different from classic IAM, but the governance failure is familiar: a policy exists, yet the system does not reliably enforce it at runtime. For teams that already manage access, privilege, and lifecycle control, the lesson is that consent state needs equivalent operational discipline.
A question worth separating out:
Q: Who is accountable when tracking tools collect data before valid consent?
A: Accountability usually spans privacy, marketing, engineering, and governance teams because the failure arises at the intersection of policy, configuration, and runtime execution. If the organisation cannot show who owns tracking inventory, tag deployment, and consent propagation, it will struggle to defend the control model in litigation or audit.
👉 Read our full editorial: CIPA litigation is exposing failures in website consent enforcement