Just so we’re clear upfront: this is not legal advice. It’s general information to help you understand the landscape. For anything specific to your business, talk to a lawyer.
Here’s something a lot of business owners don’t know: if your website uses Google Analytics, runs Facebook or Google ads, or has any kind of ad tracking set up – privacy laws may already apply to you. Not because you did anything wrong. Just because of the tools you’re using.
The good news? It’s not that hard to fix.
Wait, What’s the Problem?
For years, adding Google Analytics or a Facebook pixel to your website was totally normal. Everyone did it. It’s how you figured out who was visiting, where they came from, and whether your ads were working.
The problem is privacy laws have changed. These tools can’t just quietly run in the background anymore. Visitors need to be told what’s happening – and in most cases, they need to actually say “yes, that’s okay” before any tracking kicks in.
And here’s the part that surprises most people: it doesn’t matter where your business is. It’s based on where your visitors are. Someone visiting from California? California’s privacy laws apply. Someone from Europe? GDPR applies. You could be running a business from a small town in rural Canada and still need to play by these rules.
Does This Apply to Me?
There is a good chance it does if your website uses any of the following:
- Google Analytics – this is most websites
- Ad tracking – such as Google Ads, Meta/Facebook, TikTok, LinkedIn pixels
- Remarketing or retargeting – the ads that “follow” people around after they visit your site
- No cookie banner, or one that doesn’t actually do anything
That last one is a big deal. A banner that just pops up and says “We use cookies – OK!” isn’t enough anymore. If your tracking tools are already running the moment someone lands on your page (before they’ve clicked anything) that banner is just decoration.
So What Does a Proper Cookie Banner Actually Do?
A cookie banner that’s set up correctly does three important things:
1. Wait for Permission Before Tracking
It stops trackers from running until someone says yes. Nothing fires – no Google Analytics, no ad pixels, no retargeting – until the visitor actually gives permission. This is the big one. It’s the thing that directly addresses the “tracking people without their consent” issue that most privacy complaints come down to.
2. Remember the Visitor’s Choice
It keeps a record of who said what. Every time someone clicks accept or decline, that gets saved – when it happened, what they agreed to, and where on your site they were. If someone ever complains, you’re not just hoping people believe you had a banner. You have an actual record. It’s your paper trail. One extra tip: whenever you update your privacy policy or change your banner, write down the date. That way you can always show what a visitor would have seen when they gave their consent.
(This isn’t legal advice – if you want to know exactly what you’re required to log, ask a lawyer.)
3. It keeps you on the right side of the main privacy laws.
A properly set up banner covers the core requirements for Canada, the U.S., and Europe. More on those below.
A Simple Overview of Privacy Laws
Canada
Canada’s privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA), generally focuses on how businesses collect, use, and protect personal information.
Businesses need to provide:
- A clear privacy policy
- An explanation of what information is collected
- The reason information is collected
- Information about how data is protected
United States
Unlike Canada and Europe, the United States doesn’t have one nationwide privacy law that applies to all businesses. Instead, privacy rules vary by state, with California’s California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) being the most widely known.
If you have California visitors, you need:
- A clear privacy policy
- Information about what personal information you collect and how it’s used
- A way for people to request access to or deletion of their personal information (when applicable)
- A way for people to opt out of certain data sharing activities
- A clear “Do Not Sell or Share My Personal Information” option if your business sells or shares personal information as defined under California law
Europe
The General Data Protection Regulation (GDPR) is one of the strictest privacy laws in the world.
Here’s what GDPR actually requires in plain terms:
- Get Permission Before Certain Tracking Begins.
You can’t run your analytics or ad tools first and sort it out later. Everything needs to be paused until the visitor says “yes” (Accepts/Opts in). - Make Consent Clear
The “yes” has to be a real yes. Pre-checked boxes don’t count. Hiding the options in tiny text doesn’t count. The person needs to actually understand what they’re agreeing to and make a genuine choice. - You need a privacy policy that actually explains things.
What are you collecting? Why? Who do you share it with? How long do you keep it? How can someone reach you about it? All of that needs to be in there. - People can ask questions – and you have to answer them.
Under GDPR, individuals have the right to request access to their personal data, ask for corrections, request deletion in certain circumstances, or withdraw consent. - Keep Records
You need to be able to prove it happened. If a regulator comes knocking, the burden is on you to show that consent was properly collected. Your consent logs help demonstrate that you collected consent properly. - Only collect what you actually need.
Don’t vacuum up data you’ll never use. GDPR follows the principle of data minimization: collect only the information you actually need.
Could I Actually Get Fined?
For most small businesses, the real-world risk is pretty low day-to-day — unless someone makes a formal complaint. But here’s what the numbers look like if things do go sideways.
Under GDPR, fines can technically go up to €20 million or 4% of global revenue. That sounds scary, but those numbers are really for large companies with serious violations. Smaller businesses may be more likely to receive warnings or opportunities to correct issues, depending on the circumstances.
California’s privacy laws can include significant penalties. In certain situations, consumers may also have the right to seek damages, especially related to certain types of data breaches.
The bigger your site, the more tracking you run, and the more European visitors you have – the more this matters.
How Oracast Can Help
Getting privacy compliance right is about more than adding a cookie banner to your website. The banner needs to work properly by preventing certain tracking tools from running until a visitor has given consent.
We’ll handle the technical setup, including:
- Identifying the cookies and tracking tools your website uses
- Blocking analytics and advertising cookies until consent is given
- Organizing cookies into clear, easy-to-understand categories
- Recording visitor consent decisions
- Allowing visitors to update their preferences at any time
Our job is to make sure the technology works the way it’s supposed to.
What we can’t do is provide legal advice. Privacy requirements vary depending on your business, your customers, and the laws that apply to you.
For most small businesses, properly configuring a consent banner is one of the simplest and most effective steps you can take toward improving your privacy compliance.
The Short Version
Almost every website uses tools that now need visitor permission before they run. A cookie banner that actually works — not just one that looks like it works – stops those tools until someone opts in, keeps a record of it, and helps you meet important privacy requirements.
It’s easy to put this off when nothing bad has happened. But getting it sorted is pretty painless, and the alternative keeps getting riskier.
This article is general information only and is not legal advice. Privacy laws vary by location and change over time. Please speak with a qualified lawyer for advice specific to your business.