I am going to start with the awkward part, because the rest of this piece only makes sense once you understand the position we are in.

For the last two years I have been quietly building WebSentinel - a forensic web audit platform that produces court-grade evidence of what a website actually does to a visitor at runtime. Not what the privacy notice claims. Not what the tag manager is supposed to be configured to do. What actually fires, in what order, to which third party, before or after consent, captured against a cryptographically signed and independently anchored chain of custody.

I had a launch plan. A sensible, measured, summer-quarter launch plan.

That plan is now in pieces, because the demand arrived before the launch did. Class-action firms are contacting me daily - from both sides. Plaintiff firms want evidence to file. Defendant counsel want evidence to respond. I sold a defendant-side forensic audit recently for a price I will admit, publicly, was six to ten times too low - turned around in 48 hours, no negotiation, entirely inbound. That was not a one-off. It is the new normal, and it is accelerating faster than I can responsibly scale to meet it without compromising the one thing that makes the evidence worth anything: its integrity.

So I am doing the thing I would normally roll my eyes at when a tech company does it. WebSentinel orders are now on a queue. We are accepting engagements in the order they come in, prioritising active and imminent litigation, and we are escalating the launch timeline to match the demand rather than the calendar. If you have a matter, the sensible move is to get in the queue now rather than when your filing deadline is three weeks out.

This is not manufactured scarcity. It is the honest constraint of a forensic discipline where you cannot cut corners and still hand a court something that survives cross-examination. But I would be lying if I said the queue did not also tell you something important about where this market is going. Two regulatory regimes are driving almost all of it, and they have one feature in common that nobody is talking about clearly enough.

**Both are won and lost on evidence of what the website actually did, and no-one has had tools that surface that (until now).**

Let me explain why, because once you see it you cannot unsee it, and it changes how you should think about every property you operate or litigate against.

Why is CIPA suddenly everywhere?

The California Invasion of Privacy Act - CIPA, California Penal Code sections 631, 632 and 638.51 et seq. - is a 1960s wiretapping statute. It was written for telephone calls. It prohibits the interception of a communication without the consent of all parties, and it carries statutory damages of up to five thousand dollars per violation. On a website with meaningful traffic, "per violation" is the phrase that turns a technical footnote into an existential number.

The plaintiff bar worked out, somewhere around 2021, that a great deal of routine website instrumentation looks an awful lot like interception. Session-replay tools that record keystrokes, mouse movement, scroll position and form-field state. Chat widgets where a third-party transcription provider is silently on the line. Tracking pixels and analytics SDKs that exfiltrate interaction data to a party the visitor never knew was there. The theory is that the third-party technology provider is the unlawful eavesdropper, and the website operator aided and abetted the wiretap.

This is not new either: back in the early 2000s both NebuAd (in the US) and Phorm (in the EU) were found to be intercepting communications for behavioural profiling, and recent CJEU judgments have categorically held that the website publisher is jointly liable with the platforms engaging in the tracking.

The case law has been a genuine fight, and that is exactly the point I want you to hold onto. The Ninth Circuit revived a session-replay claim in Javier v. Assurance IQ. District courts have gone both ways since. Several recent defence wins - including a closely watched summary judgment involving a session-replay vendor - turned on a deceptively narrow question:

Did the third party read the communication in transit, or did it merely store the data and reassemble it into a replay afterwards?

Read that again, because it is the whole game. Courts narrowing CIPA have leaned on the distinction between intercepting a communication as it travels versus capturing it and reconstructing it later. "The events recorded do not become readable content until after they are stored and reassembled," as one court put it.

Here is what every privacy lawyer reading this should already be feeling in their stomach: that is not a legal question. That is a forensic question. Whether a payload was transmitted to a third party in transit, what was in it, whether it was readable at the point of transmission, and whether it left the origin before any consent action was taken - those are facts about network behaviour at runtime. They are knowable. They are capturable. And whoever holds the better capture holds the better case.

What evidence does a CIPA claim actually need?

This is the question I get asked most, by both sides, and the honest answer is that most CIPA matters are being fought with evidence that would not survive a determined challenge.

A screenshot of a network tab is not evidence. A consultant's written description of what they "observed" is not evidence - it is hearsay about a transient event nobody else can reproduce. A cookie scan tells you almost nothing, because cookies are perhaps five to ten per cent of what a modern page does to a visitor, and the CIPA-relevant conduct - the in-transit exfiltration, the pre-submit form capture, the third-party stream routing - mostly happens in places a cookie scanner cannot see.

What a CIPA claim actually needs is a record that establishes, to an evidentiary standard:

  • What fired, and when, relative to any consent action - the pre-consent timeline is decisive
  • The destination party for each payload, attributed to the responsible script with a full call stack, not just a domain
  • The data category captured - keystrokes, form-field values, message bodies, identifiers
  • The consent state at the moment of capture - because consent is the entire statutory question
  • Reproducibility and integrity - so the other side cannot say you staged it, and the court can verify the capture timestamp without trusting you

WebSentinel runs forty-seven discrete detectors against the CIPA surface alone - session-replay deployments, third-party chat transcription, pre-submit form-field exfiltration, service-worker request interception, beacon-on-exit and unload-time exfiltration, cross-domain postMessage content flows, and embedded media that routes the underlying stream to a third party. For each finding it identifies the destination party, the data category, and the consent state at capture time, and where a finding routes to the criminal track it notes the specific subsection engaged and the consent baseline lawful operation would require.

And there is a detail that matters more than any single detector: we scan from a California IP. If your geofencing serves a different configuration to California visitors than to everyone else - and a great many estates do exactly that - then an audit run from Frankfurt or London tells you nothing about your CIPA exposure. The evidence has to reflect what a California visitor actually receives, or it is not evidence of anything a California court cares about. This single point pre-empts the most common defendant deflection: "your tester wasn't in California, so your capture doesn't represent our California experience." Ours does.

Why the evidence is the whole war, on offence and defence

People assume a forensic evidence platform is a plaintiff's weapon. It is not. It is a neutral instrument, and that neutrality is precisely what makes it valuable to both sides - the same way a forensics lab serves prosecution and defence.

On offence, if you are a class-action firm or a regulator, you need natural, unstaged, reproducible evidence that the conduct occurred, who received the data, and that no consent was given. You need it captured in a way that anticipates the "read in transit" defence and answers it with the actual transmitted payload. You need an expert who can stand behind the methodology.

On defence, you need exactly the same forensic depth pointed at your own estate, before opposing counsel does it for you. You need to know what your vendors are actually doing, because in almost every matter I have worked the operator genuinely did not know - marketing deployed a tag through a tag manager without privacy review, engineering shipped an SDK that was never disclosed in the data-flow register, a vendor added a sub-processor without notice, and the tag manager mutated silently after deployment. You need a defensible, timestamped record of your current state, you need the geofenced California view, and in the cases where the evidence is on your side you need to be able to prove the third party never read the communication in transit - which, again, is a forensic claim you can only make if you captured the transit.

The firm that turns up to a deposition with a cryptographically signed, hash-chained, independently anchored capture is in a categorically different position from the one waving a screenshot.

How does WebSentinel produce evidence that holds up?

Three properties, none of which the cookie-banner vendors have, and all of which matter the moment a finding is challenged.

Real-time observation with full attribution. Each page is loaded once in a clean, instrumented browser held at a fixed window size and device-pixel ratio, and observed in real time over a dwell long enough to capture both first-load and delayed conduct. Every network request, script execution, storage write, fingerprint-surface read and consent-surface event is recorded against a single forensic chain, attributed to the responsible script with a full call stack. The engine carries over 380 discrete detection capabilities across fifteen subsystems, each grounded in a specific provision of European, UK or comparable US law.

Signed and hash-chained capture. Every captured record is signed against a per-machine ECDSA-P256 keypair and hash-chained to the previous record, so any tampering after capture is detectable. You cannot quietly add, remove or alter a record without breaking the chain.
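The signed, hash-chained capture described above, as an added Go example that is not WebSentinel's code: each record carries the SHA-256 digest of its predecessor and an ECDSA P-256 signature over its own digest, and Verify walks the chain to locate the first inserted, removed or edited record. The record fields and the in-memory MachineKey are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

var MachineKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the per-machine key

// Record is one captured event; the field set is constructed for this example (real layout not on the page).
type Record struct {
	Event, Dest, Consent string // what fired, destination party, consent state at capture
	PrevHash, Hash, Sig  []byte // link to predecessor, own digest, ECDSA-P256 signature over Hash
}

func hashRecord(r *Record) []byte {
	sum := sha256.Sum256([]byte(r.Event + "|" + r.Dest + "|" + r.Consent + "|" + string(r.PrevHash)))
	return sum[:]
}

// Append links a new record to the chain tail by digest and signs that digest with the machine key.
func Append(chain []Record, key *ecdsa.PrivateKey, event, dest, consent string) ([]Record, error) {
	r := Record{Event: event, Dest: dest, Consent: consent}
	if n := len(chain); n > 0 {
		r.PrevHash = chain[n-1].Hash
	}
	r.Hash = hashRecord(&r)
	sig, err := ecdsa.SignASN1(rand.Reader, key, r.Hash)
	if err != nil {
		return nil, err
	}
	r.Sig = sig
	return append(chain, r), nil
}

// Verify rechecks every link, digest and signature; returns the index of the first bad record, or -1.
func Verify(chain []Record, pub *ecdsa.PublicKey) int {
	for i := range chain {
		r := &chain[i]
		if i > 0 && string(r.PrevHash) != string(chain[i-1].Hash) {
			return i // link broken: a record was inserted, removed or reordered here
		}
		if string(r.Hash) != string(hashRecord(r)) || !ecdsa.VerifyASN1(pub, r.Hash, r.Sig) {
			return i // fields edited after capture, or not signed by the machine key
		}
	}
	return -1
}
```

Cutting records off the tail still leaves a valid, shorter chain, which no hash chain can detect on its own; that gap is what an external anchor of the final digest, such as the OpenTimestamps step described next, is there to close.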

Independent anchoring. The session-capture timestamps are anchored via the OpenTimestamps protocol against the Bitcoin-confirmed timestamp calendar. The audit timestamp is therefore verifiable without relying on me, on my servers, or on anyone's good word. A court, a regulator, or opposing counsel can confirm when the capture happened against a public, immutable reference.

This is the part the CMP-derived vendors structurally cannot match, and I want to be precise about why, because it is not a slight against any one of them. The incumbent compliance tools grew out of cookie-banner deployment. Their technical floor is shallow because cookie management was the job. A cookie-jar scrape captures a sliver of what a modern page does; everything beyond it - runtime fingerprinting, sensor access, timing side channels, worker-side network traffic, supply-chain mutations, the in-transit exfiltration that CIPA turns on - is simply invisible to that architecture. And no Consent Management Platform can revoke a third-party consent after the fact, because the consent signal does not travel with the data. Once a payload has flowed to a third party under an initial grant, there is no technical mechanism to call it back due to the "Same Origin" principle. That is a category-wide limitation, not a vendor-specific one, and it is why a tool built to deploy banners cannot produce evidence about what happens underneath them.

The new frontier: how can website tracking be an environmental crime?

Now the part nobody else is talking about, because nobody else can produce the evidence for it.

The EU Environmental Crimes Directive (Directive (EU) 2024/1203) - the directive on the protection of the environment through criminal law - reached its transposition deadline this month. Member-state criminal law implementing it is now coming into force across the EU. It significantly broadens the categories of conduct that constitute a criminal environmental offence, raises the penalties, and reaches conduct that causes, or is likely to cause, substantial damage to the environment, including at scale.

Here is the chain of reasoning, and I have had multiple class-action firms approach me about it since I published my analysis of Chrome's silent four-gigabyte AI model push (which included an environmental impact assessment).

Pre-consent data processing transfers and stores data the visitor never agreed to. That processing is not free. Network data transfer has a measurable energy cost, and that energy has a measurable carbon cost. Using established, peer-reviewed methodology - the transfer-energy figures from Parssinen et al. (2018), "Environmental impact assessment of online advertising", Science of The Total Environment (a defensible mid-band of roughly 0.06 kWh per gigabyte transferred), combined with EU grid-emissions factors (around 0.25 kg CO2e per kWh) - you can put a number on the carbon cost of any given payload. At population scale, the numbers stop being rounding errors and start being measured in thousands of tonnes of CO2-equivalent.

Now layer the two facts together. The pre-consent processing is, in a great many cases, already unlawful under Article 5(3) of the ePrivacy Directive and Articles 5, 6 and 25 GDPR. And it carries a measurable, quantifiable environmental cost at scale. Where unlawful conduct produces substantial environmental harm, you are squarely in the conceptual territory the Environmental Crimes Directive was written to address.

I want to be careful and honest here, because overclaiming would be the fastest way to discredit a genuinely important argument: this is an emerging area of criminal exposure, and the legal theory is novel and as yet untested in court. I am not telling you there is settled case law. I am telling you that the directive is now live, that the underlying processing is frequently unlawful on grounds that are not novel at all, that the environmental cost is real and measurable, and that serious litigation firms are already preparing to test the theory. First mover advantage in a new field of liability is enormous, and the entire theory depends on one thing: evidence. Forensic capture of every pre-consent payload, quantified to an evidentiary standard, with the unlawfulness predicate established and the carbon cost calculated from a method that survives peer review.

That is precisely what WebSentinel Eco produces, and at the time of writing it is the only platform globally that can. Not because the others are badly run - because they were never built to see the conduct, let alone measure its footprint.

Where does this leave you?

If you operate a digital estate of any meaningful size and you serve California visitors, you have CIPA exposure right now, today, whether or not anyone has filed yet, and the only way to know its shape is to capture what your property actually does to a California visitor. If you are litigating CIPA on either side, the matter will be decided by whose evidence is more reproducible, better attributed, and harder to challenge on the "read in transit" question. And if you are anywhere near the environmental-litigation space, the Environmental Crimes Directive has just opened a frontier where the unlawful-processing carbon argument has no incumbent, no precedent to fight, and exactly one platform that can produce the evidence.

This is why the queue exists, and why I would rather be honest about the constraint than pretend I can serve unlimited demand at the integrity standard this work requires. The evidence is the entire war - on offence and on defence, under CIPA and under the Environmental Crimes Directive - and the supply of credible, court-ready, independently verifiable evidence is, for the moment, scarce.

If you have a matter, get in the queue. Tell me what you need to prove. We will come back with the right product - Enforce, Assess, the continuous SaaS platform, Priority for active CIPA exposure, or Eco for the Environmental Crimes Directive - and a place in line.

I built this for exactly this moment. I just did not expect the moment to arrive quite so loudly.