Your tour website can get you sued in California even if you have never had a single customer there. Someone in California opens your site. A tracking pixel fires, one of those little snippets of Facebook or Google code that most travel websites run, and it sends that visitor’s IP address to an ad platform before the visitor has agreed to anything. A California wiretapping law from the 1960s treats that as recording someone without their permission. A cluster of law firms has turned this into a business. They scan travel websites by the hundred, flag the ones whose pixels fire too early, and mail out near-identical lawsuits. Making one go away costs $7,000 to $50,000.
Jeff Ment runs The Ment Law Group, and he has spent the past year defending travel companies caught in exactly this. His clients run from solo travel agents to Tauck, Abercrombie and Kent, G Adventures, and Intrepid, and the website lawsuits are reaching all of them. The cookie version was only the opening. The same firms have since moved on to chat widgets in Florida, copyrighted photos on landing pages, and websites that fail accessibility rules. Every one of these works the same way: a bot finds the problem, a template generates the lawsuit, a settlement demand follows. None of it requires you to have done anything you would recognize as wrong. It requires you to have done nothing.
When your cookie banner does not actually stop the tracking
You added a cookie banner, and you feel covered. But a banner only protects you if the “reject” button actually does something, and on a lot of travel sites it does not. The Facebook pixel loads the moment the page opens, before the banner even appears. Or a visitor clicks “reject” and the pixel keeps firing anyway. Either way, your site is tracking someone who said no. That is the violation. It does not matter that you never looked at the data.
You can find out where you stand with one phone call to whoever built your site. Ask them two things. Does the site fire tracking pixels? And when a visitor rejects cookies, does the tracking actually stop? Most operators have no idea, because they have never asked. If you want that answer to stay true after the next site update, put it in the contract: your designer or platform keeps the site compliant with state privacy law, and covers you if they slip. Have an attorney check that language before you sign it.
Not every kind of website tracking carries this risk. There is a real difference between a Facebook or Google pixel, which ships a visitor’s identity off to an ad platform, and first-party analytics that stay on your own site and hand data to no one. The lawsuits target the first kind. If you run plain analytics with no ad pixels and no retargeting tags, you are in far less danger than a site running a full retargeting stack. The only way to know which one you have is to ask the person who built the site.
Your chat widget can do the same thing in Florida
A small travel agency added an “ask a question” chat box to its website. Nobody used it to spy on anyone. But the chat tool was capable of capturing a visitor’s IP address, and in Florida that capability by itself counts as eavesdropping. The agency paid $7,000 to settle.
Florida built its own version of California’s pixel rule and pointed it at chat tools. If you run live chat, call the chat vendor and ask what the widget captures, and when it asks the visitor for consent. You want consent before a visitor starts typing, not after. You are the one named in the lawsuit, no matter whose tool created the problem.
Other states will follow. The defense does not change. Find out what your tech is doing, find out what your consent step is doing, and get the vendor’s answer in writing.
Photos and accessibility are the next two on the list
A bot scans your website, finds a photo you do not have a license for, and a template letter demands payment. The defense is a paper trail. “The hotel sent it to me” does not hold up if the hotel never had the right to share it in the first place. You probably use destination photos from a DMC, a hotel, or a tourism board, and you probably assume whoever sent them owns them. Sometimes that is true. Often it is not, especially once a photo has passed through two or three hands before it reached you. Two things protect you. Write an image-rights warranty into your supplier contracts, so the supplier carries the risk if the chain breaks. And use your own photography wherever the budget allows.
Accessibility works the same way. The standard is WCAG 2, a set of rules for making a website usable by someone who is visually impaired, navigating by screen reader, or unable to use a mouse. In practice it covers a handful of things you can picture: text and buttons with enough color contrast, alt text on any image that carries meaning, clear labels on form fields, and navigation that works without a mouse. A scanner can flag a site that fails these in seconds, the same scanner-and-template pipeline the cookie firms run. A monitoring service keeps a site compliant for an annual fee far below the cost of one settlement. Bring in a WCAG specialist before your next site relaunch, and have them check the site again on a schedule after that.
Stop assuming your platform is handling it
You probably assume WeTravel, or whoever hosts your website, is taking care of pixel consent or accessibility or chat privacy for you. Some of Ment’s clients assumed exactly that, and found out they were wrong only when the letter arrived. That includes operators in Europe whose GDPR-compliant privacy policies did nothing for them against California’s pixel rules.
“Some of my clients that have gotten snagged are some of the world’s largest tour operators.”
Jeff Ment
So ask. In writing. What does the vendor cover, and what does it leave to you? Your web designer’s contract can require them to keep the site compliant with state privacy and accessibility law. Your platform’s contract can make the platform cover you if its failure becomes a lawsuit against you. An attorney can review either one before you sign.
Assuming the vendor has it handled is one of the more expensive mistakes on this list, and some of Ment’s largest clients have made it. The thing that actually protects you is a contract that says, in writing, whose job it is.
What changes when you read your own site the way a plaintiff firm does
None of this is exotic. It is a cookie banner that does not really block the pixel. A chat widget that grabs an IP address without asking. A photo you cannot prove you licensed. A contact form a blind visitor cannot use. You do not need a lawyer to find any of them. You need one phone call, or one honest read of your own site.
The law firms are still working down their lists. The cookie and photo scanners are still running, and the accessibility lawsuits are just getting started. The operators who stay off those lists are the ones looking at their own sites this month and asking their vendors the uncomfortable questions now, while it still costs nothing but time.
This is one of two ways legal trouble tends to reach you out of nowhere. The other does not come from a stranger’s lawsuit. It comes from a contract you signed yourself: The Contract Clauses That Decide Who Pays When a Trip Goes Wrong.
About Jeff Ment
Jeff Ment is the founder of The Ment Law Group, the country’s largest travel law firm. He counsels travel companies on liability defense, compliance, contracts, risk management, and IATA and ARC matters. His firm’s clients span from one-person travel businesses to some of the largest names in the industry. Jeff brings more than 35 years of industry experience to the work, including earlier roles as a travel agent, tour guide, and airline sales manager. The Ment Law Group has offices in Hartford, Westport, and New York City.
To learn more from Jeff’s work in travel law, visit The Ment Law Group.
For more insights and strategies on building a better tour business, join the community at community.tourpreneur.com.