The Milliseconds Before Consent: Why Tag Timing Has Become the Center of CIPA Litigation
The real exposure in 2026 website-wiretapping cases isn't whether a site uses trackers — it's when they fire relative to a visitor's choice.
Most operators assume their consent problem is solved the moment a banner appears. The cases working through California courts in 2026 suggest the real exposure sits earlier — in the fraction of a second between when a page starts to render and when the visitor has done anything at all.
That window has a name among practitioners now: the millisecond problem. It captures a simple technical reality that has quietly become a litigation engine. More than 800 CIPA claims were filed in 2025, and the center of gravity has shifted from whether a site uses tracking technology to when, precisely, those technologies fire relative to a user's choice. What started as a California-specific theory has matured into a multistate, multi-statute campaign aimed at ordinary advertising stacks.
What's actually happening on the wire
The mechanism is unglamorous, which is part of why it persists. Tag managers — Google Tag Manager being the common one — are frequently configured to fire on page load or DOM-ready by default. Consent gating is something you have to deliberately build: Consent Mode, blocking triggers, a clean CMP integration. When that wiring is absent or incomplete, a pixel like Meta's fbevents sends a request to facebook.com/tr the instant the page paints. That request carries the page URL, the event, the visitor's _fbp cookie, often a click identifier such as fbclid, and — by virtue of the connection itself — an IP address. None of it waited for a click.
Two patterns draw the most scrutiny. The first is pure pre-consent firing: tags transmit before any banner interaction exists. The second, and arguably the more damaging, is a consent-propagation failure — the visitor clicks "Reject," sees a confirmation that preferences were saved, and the tags keep firing anyway. Practitioners have distilled this "broken banner" pattern into a memorable framing — a site that "set an expectation that user data wouldn't be collected, but then collected it anyway." That framing matters, because it reframes the issue from a technical footnote into something that looks, to a court, like a broken promise.
How it has surfaced in litigation
Plaintiffs typically plead two theories. Under CIPA Section 631, the argument is unauthorized interception of communications in transit — the third-party script as an undisclosed eavesdropper. Under Section 638.51, the newer pen-register and trap-and-trace theory, the argument is that a pixel records "addressing, routing, or signaling" information without a court order. CIPA's appeal is structural: Section 637.2 allows $5,000 per violation, and at class scale that arithmetic is what funds the motion practice.
The settlements signal the stakes. The Los Angeles Times resolved tracking-technology claims for $3.85 million, and Forbes Media agreed in principle to roughly $10 million in a matter alleging that website trackers transmitted identifiers, including IP addresses, to third parties without sufficient consent. Neither outcome adjudicated the merits — but both reflect how expensive the timing question has become to litigate.
Where courts disagree
This is not a settled area, and honest analysis has to say so. On session replay, courts have reached differing conclusions on the Section 631 interception element. At least one California federal court granted summary judgment for the defense, reasoning that replay software does not intercept communications "in transit" because click, keystroke, and mouse data become readable only after transmission, once the vendor has stored and reassembled them. That is a meaningful defense foothold, and it turns on a genuinely technical distinction about when capture occurs.
The pen-register theory is even more fractured. California state courts have generally taken a narrower view — the May 2026 decision in Blaker v. NetScout Systems held that Section 638.51 reaches telephonic communications, not software on a commercial website — while several federal judges in the state have been more willing to read pixels into the statute. Standing adds another axis. Applying the Ninth Circuit's reasoning in Popa v. Microsoft, courts have dismissed claims where only generic device and browser metadata was collected; others have let claims proceed where IP addresses combined with inferred location or behavior. The practical consequence is uncomfortable: the same implementation can survive in one venue and fail in another. A legislative fix, SB 690, would narrow CIPA's reach, but it stalled as a two-year bill and offers no near-term certainty. Defendants, meanwhile, increasingly lean on procedural off-ramps — arbitration, Article III standing, and the vendor party exception — that can end these cases before the merits, which we map in the defense-side playbook.
What this looks like from the outside
The useful thing about a timing theory is that timing is observable. The indicators that map to these claims are concrete and detectable from the network layer:
- Third-party pixels or analytics requests that fire on initial page load, before any consent action.
- Tags that continue firing after a "Reject" — or that are blocked on first load but quietly return on the next page.
- Full page URLs,
fbclid/_fbpvalues, or IP-bearing parameters riding along in tracker requests. - Session-replay scripts and when they initialize.
- The gap between what a privacy policy describes and what the page actually does.
The questions that decide these cases are, at bottom, questions of sequence — what loaded, what it sent, and whether the visitor had said anything yet. Those answers live in the request waterfall, not the privacy policy. It is worth knowing what your own pages do in those first milliseconds before a plaintiff's expert documents it for you.
Sources
See what your own pages do
The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.
Run a free scan