RETAINERREACH
All articles
July 5, 20268 min readAnalyticsCompliance

Website Analytics for Personal Injury Firms: Optimize, but Get Consent First

By Brittany Winters, Director of Client Relations

Glowing analytics dashboards behind a privacy shield and padlock, illustrating website analytics and cookie consent
TL;DR

Website analytics tools like PostHog show what visitors actually do, so you can fix the pages costing you cases instead of guessing. But behavioral tracking without consent is fueling a wave of California CIPA wiretapping lawsuits, over 1,000 filed in 2025. Run analytics behind a real cookie consent banner, gate the pixels, and disclose it.

If you are not watching what people actually do on your website, you are optimizing blind, but if you turn that tracking on without a cookie consent banner, you are handing California’s plaintiff bar a lawsuit. Both halves of that sentence matter. Analytics is how you stop guessing and start fixing the pages that quietly cost you cases. Consent is how you run it without becoming a defendant. Here is how to do both.

Why analytics is not optional anymore

You can pour money into ads and SEO, but if visitors land on your site and leave without calling, you never find out why. Analytics tells you what a receptionist never could: which pages people actually read, where they bounce, which call to action gets clicks, how far they get in your contact form before they give up, and what a converting visitor does differently from one who leaves. That is the raw material of conversion rate optimization, and without it you are guessing.

Basic traffic counts from something like GA4 tell you how many people came and from where, which we covered in measuring marketing after cookies. Product analytics goes deeper: it shows you the behavior, not just the count.

What PostHog shows you that a page-view counter cannot

PostHog is a product-analytics platform many firms use because it bundles the tools that actually explain behavior:

  • Session replay: watch anonymized recordings of real visits, so you see the exact moment someone rage-clicks a broken button or abandons the intake form.
  • Funnels: see what share of visitors move from landing page, to contact page, to submitted form, and where the drop-off is worst.
  • Heatmaps: see where people actually click and how far they scroll.
  • Event tracking: measure the specific actions that matter, like clicking the phone number or starting a chat.

For a personal injury firm, that is gold. If nine out of ten people abandon your contact form at the phone-number field, no amount of ad spend fixes it, but a five minute form change might double your signed cases. This is the same leak-hunting logic behind the Case Leak calculator.

The catch: the CIPA lawsuit wave

Here is the part most marketers will not tell you. That same behavioral tracking, especially session replay and third-party pixels like the Meta Pixel, is now the target of a huge wave of lawsuits in California.

The vehicle is the California Invasion of Privacy Act, or CIPA, a 1967 anti-wiretapping law written for telephone taps. Plaintiffs argue that recording what a visitor does on your site, or sending their activity to a third party like Meta, is illegal wiretapping when it happens without consent. Reported filings crossed more than 1,000 CIPA lawsuits in California in 2025 alone, part of a surge that legal-industry trackers have been documenting all year. Many begin as demand letters from a small group of serial plaintiffs and their lawyers looking for a quick settlement.

The law here is genuinely unsettled. Courts have split, some cases have been tossed, and California has a bill (SB 690) pending that would carve out ordinary commercial tracking. But unsettled is not the same as safe, and defending or settling one of these is expensive whether or not you did anything wrong. One business owner walked through getting hit with exactly this kind of Meta Pixel claim in a widely shared r/dataprotection thread that is worth reading.

This is general information, not legal advice, and the law is moving fast. Talk to privacy counsel about your specific setup.

Why this hits law firms harder

The irony is thick: you are a law firm, so you are held to a higher standard on exactly this. Two extra reasons to be careful:

  • Your intake forms and chats collect sensitive information, potentially health details about an injury, which makes unconsented capture look worse.
  • Your own advertising is already governed by bar rules, and getting sued over your website tracking is not the headline you want.

You already respect consent on the lead side, which is the whole point of a compliant intake form and TCPA-compliant lead generation. Website analytics deserves the same discipline.

How to run analytics the right way

You do not have to choose between insight and safety. You have to sequence them: consent first, then tracking.

  • Put up a real cookie consent banner that lets visitors accept or decline, and honor the choice.
  • Gate the tracking behind it. Do not load session replay or third-party pixels until the visitor has consented. Tools like PostHog support cookieless and consent-gated setups, and can be self-hosted, which helps.
  • Mask sensitive inputs in session replay so form fields and any health details are never recorded.
  • Disclose it plainly in your privacy policy: what you collect, why, and who it goes to.
  • Prefer first-party, aggregate analytics where you can, and be cautious with third-party pixels that ship data off to another company.

None of this kills the value of analytics. It just means you capture behavior from people who agreed to it, which is still more than enough to find and fix what is leaking cases.

The bottom line

Analytics is how you turn a website from a brochure into a signed-case machine, and skipping it means flying blind. But in 2025 California, running behavioral tracking without consent is its own liability. Do both: instrument the site, gate it behind honest consent, and read the data to fix what is costing you cases. That is exactly how we build and measure sites inside personal injury marketing and SEO, consent first, cases out.

Frequently asked questions

Do I really need a cookie consent banner just to run analytics?

If you run behavioral tracking like session replay or third-party pixels such as the Meta Pixel, you should. A wave of California CIPA lawsuits argues that tracking without consent is illegal wiretapping. A banner that lets visitors accept or decline, with tracking gated behind it, is the baseline. This is general information, not legal advice, so confirm with counsel.

What is CIPA and why is it suddenly a problem?

The California Invasion of Privacy Act is a 1967 anti-wiretapping law now used against website tracking. Plaintiffs argue that recording visitor activity or sharing it with a third party without consent is wiretapping. More than 1,000 such lawsuits were filed in California in 2025. The law is unsettled and courts are split, but defending a claim is costly either way.

Is PostHog safe to use, or will it get me sued?

The tool is not the problem; running it without consent is. PostHog supports cookieless and consent-gated setups, input masking for session replay, and self-hosting, which all reduce risk. Load it only after a visitor consents, mask sensitive fields, and disclose it in your privacy policy. Any analytics tool needs the same care.

What should I actually track to improve my site?

Focus on the path to a signed case: which landing pages convert, where visitors drop off in your contact form, whether people click the phone number, and what converting visits do differently. Funnels, heatmaps, and consented session replay answer those. Fixing one bad form field often beats spending more on ads.

Want this run for your firm?

See exactly where your retainers are leaking — then decide. One firm per metro.

Calculate your case leak