Cookie Consent and Privacy Lawsuits: Why Cleveland Business Owners Are Getting Demand Letters

There is a quieter risk sitting on most contractor websites right now, and it has nothing to do with Google rankings or load speed. It is the tracking code running on your site without anyone clearly agreeing to it.

Over the last couple of years, a wave of privacy lawsuits has rolled out of California. One name that keeps coming up is Vivek Shah, a California plaintiff tied to a string of cases that follow the same playbook: scan a large number of websites, find ones running tracking technology without proper consent, and send a demand letter or file a claim under California's privacy laws. He is not alone. There is a whole cottage industry of plaintiffs and law firms doing the same thing at scale.

If you run a plumbing, roofing, or HVAC business in Cleveland, your first reaction is probably "I'm in Ohio, why would a California law touch me?" Fair question. Let's walk through it honestly, because the answer is more annoying than you'd hope.

What these lawsuits are actually about

Most of these claims lean on California's privacy and wiretapping laws, especially the California Invasion of Privacy Act (CIPA). The argument goes something like this: when your website loads a tracking pixel (think the Meta pixel, Google Analytics, a chat widget, or a session recorder) before a visitor agrees to it, that tracking is recording the visitor's activity. Plaintiffs argue that recording is a form of unauthorized interception, the same way a hidden wiretap would be.

Whether that argument holds up is something courts are still sorting out, and it is not settled. But here is the thing about demand letters: they don't need to win in court to cost you. The business model is volume. Send hundreds of letters, ask for a few thousand dollars each to make it go away, and count on most owners settling because fighting it costs more than folding.

Two things make Cleveland businesses targets even though they are nowhere near California:

• Your website serves anyone, anywhere. If a single California resident visits your site and gets tracked without consent, that is the hook. You don't choose where your visitors come from.
• The tools are automated. These plaintiffs aren't hand-picking you. They run software that crawls thousands of sites looking for tracking scripts that fire before a consent banner appears. A small contractor site is just as easy to flag as a national brand.

This is not legal advice, and you should talk to an actual attorney about your exposure. What we can tell you is the technical side, because the technical side is where this gets fixed.

The fix is mostly about consent, and it is not complicated

The core of nearly every one of these claims is the same: tracking ran before the visitor said yes. So the defense is straightforward in concept. Don't load tracking technology until the visitor has actually consented to it.

That means three things working together:

• A real consent banner that appears before any tracking fires, not after.
• Scripts that actually wait for consent instead of loading the moment the page opens.
• A record that someone consented, in case you ever need to show it.

That last piece is the one people skip. A banner that says "we use cookies" but loads the Meta pixel anyway is worse than nothing. It looks like compliance while doing none of the work, and it is exactly what the scanning software is built to catch.

Doing it yourself: the off-the-shelf route

If you want to handle this on your own, the most common path is a consent management tool. Two you'll run into constantly are CookieYes and Cookiebot.

Here is roughly what that looks like:

1. Scan your own site first. Both tools will crawl your pages and list every cookie and tracking script running. Most owners are surprised how many there are. A typical contractor site has Google Analytics, maybe a Google Ads tag, a Meta pixel, a chat widget, an embedded map, and a booking tool, all dropping trackers.
2. Pick a plan. CookieYes and Cookiebot both have free tiers for very small sites and paid plans (often $10 to $50 a month) once you cross a certain number of pages or visitors.
3. Install their script in your site's header, usually through a plugin or a snippet of code.
4. Configure the categories. You sort your scripts into buckets like "necessary," "analytics," and "marketing," so visitors can accept or reject each.
5. Set scripts to block until consent. This is the step that matters most and the one most people get wrong. If you skip it, the banner shows but the tracking still fires first.
6. Re-scan and test to confirm nothing loads before a click.

For a lot of businesses, that is genuinely enough. These tools exist for a reason and they work. The honest tradeoff is that they add a recurring monthly cost forever, they put a third-party script on every page (which has its own small speed and privacy cost), and steps 4 and 5 are easy to get subtly wrong if you've never done it before. A banner that exists but doesn't actually block anything gives you a false sense of safety, which is arguably worse than knowing you're exposed.

Doing it custom: coding the consent yourself

The other route is building consent handling directly into the site. This is the approach we usually take, because on a custom-built site the tracking scripts are already under our control. We can hold them back until a visitor consents without bolting on a third-party tool, log the consent, and keep the whole thing fast.

The advantages are real: no monthly subscription, no extra script slowing every page, and tracking that is wired correctly from the start instead of patched on top. The catch is that it requires someone who actually knows how the scripts load and fire. This is not a weekend DIY project unless you're comfortable in the code, which is the whole reason these lawsuits work in the first place. Most sites were never set up with consent in mind, so the trackers just run.

This is the same reason we argue against treating a website as a one-time purchase. The web keeps changing underneath you. Privacy law is just the latest example of something that wasn't a problem three years ago and is now landing in business owners' mailboxes.

Why getting ahead of this saves you money

Settling a demand letter is not cheap, and it is not a one-time event. Pay one and your site is still misconfigured, which means you're still on the scanning software's list for the next plaintiff. The actual fix costs less than a single settlement and ends the exposure instead of renting peace for a few months.

Think of it the way you'd think about a roof. You can wait for the leak and pay for water damage, or you can spend a fraction of that sealing it before the storm. The consent setup is the seal. It is dull, it is invisible to your customers, and it quietly removes a category of risk you'd otherwise be carrying every single day your site is live.

A straight answer

For most Cleveland contractors, the right move is not to panic and not to ignore it. It is to find out what's actually running on your site, because almost nobody knows until they look.

That is exactly what we check in a free audit. We'll scan your site, tell you which tracking scripts are firing before consent, and lay out whether a tool like CookieYes is the right call for you or whether it's worth handling in the code. No pressure, no jargon, just a straight read on where you stand. And if your site needs more than a consent fix, you'll know that too.

One last time, because it matters: we build websites, we are not lawyers. If you've already received a demand letter, talk to an attorney first. But if you want to stop being an easy target before one shows up, that part is a website problem, and that part we can fix.