Protecting guest privacy is essential, and we want to ensure you have the information you need to make informed decisions about how tracking works on your own checkout.
This guide outlines your responsibilities when enabling third-party tracking tools on your website, why consent matters, and where to find reliable legal resources.
Why consent matters
When third-party tracking tools (such as pixels) run in a guest’s browser, privacy laws expect that the guest understands what data is being collected and agrees to it before any tracking begins.
For venues operating in California, the California Invasion of Privacy Act (CIPA) and related case law have shaped expectations around how and when consent should be captured. While the legal position continues to evolve, one theme is consistent: businesses must collect informed consent early in the guest journey and be able to show that consent if required.
Your responsibilities as a venue
To support compliance and reduce risk, venues are responsible for two key actions:
1. Collect consent before running tracking
Guests must agree to tracking before any third-party scripts load in their browser. This consent is typically captured on the website homepage or at another early point in the guest journey, not at checkout. If your checkout is hosted on your own domain and you use the appropriate legal wording, the consent you collect on your website will apply to the checkout too.
2. Store consent for at least 24 months.
You must have records that show when and how a guest gave consent. Keeping this documentation for at least two years is a common expectation reflected in case law and privacy guidance. Storing consent helps demonstrate that you handled guest data responsibly if questions ever arise.
Because these requirements may shift as new decisions are issued, we encourage you to regularly review your setup with appropriate legal professionals to confirm that your consent process is up to date.
The legal landscape
Requirements around third-party tracking in California are informed by:
- The California Invasion of Privacy Act (CIPA)
- Guidance from the California Privacy Protection Agency (CPPA)
It’s important to note that much of the current guidance arises from case decisions rather than a single statutory rule. Because of this, the exact requirements may shift over time, and different legal interpretations may apply depending on circumstance.
For clear, up-to-date advice, we strongly recommend you seek independent legal advice and review the resources available on the California Privacy Protection Agency website.
How ROLLER supports you
ROLLER provides tools that allow third-party tracking to run on your checkout, venues control whether that tracking is enabled, how consent is collected, and which parties receive the data. We recommend using a consent management tool on your website so guests have a consistent, transparent experience.
If you use third-party tracking, we recommend reviewing your website’s consent management approach to ensure guests are informed and able to make clear choices before any tracking occurs.
Where to get help
If you’re revisiting your tracking or consent flow, here are a few practical next steps:
- Review your website’s current consent management tool and placement.
- Confirm your method for storing consent for at least 24 months.
- Speak with your legal advisor for tailored compliance guidance.
- Visit the California Privacy Protection Agency website for the most current updates.
- If you need help understanding how tracking interacts with your ROLLER integration, reach out to your Customer Success Manager or email success@rollerdigital.com.
Your guests’ trust matters, and we’re here to support you as you continue creating joyful, safe and seamless experiences on your website.