There's a conversation happening in credit union marketing departments across the country right now.
It usually starts with an email or a call from the agency. Something about new privacy laws. Something about lawsuits. Something about a compliance package they've put together to make sure your website is protected.
For an additional monthly fee, of course.
And if you haven't already asked the obvious question — here it is:
Who built the website that now needs to be "protected"?
In most cases, the answer is the same agency that just sent you the proposal.
This is the quiet money grab happening in digital marketing right now. Agencies that spent years installing tracking pixels, analytics tools, and advertising tags on your website — tools that are now at the center of a growing wave of lawsuits — are repackaging compliance as a premium service. Something extra. Something you now owe them more money for.
That's not how a real partner operates. And credit unions deserve to know the difference.
Cookie compliance, consent management, and privacy-safe campaign architecture are not new services that require new expertise. They're not add-ons. They're not premium features.
They're the minimum standard for anyone building a website for a federally regulated financial institution.
When a marketing agency installs Meta Pixel, Google Analytics, TikTok Pixel, session replay software, or any other tracking technology on your site, they are making a decision that has legal implications for your credit union. The data those tools collect — IP addresses, browsing behavior, form interactions, ad engagement — flows from your members' browsers to third-party platforms. Under California's privacy laws and a growing number of state equivalents, doing that without proper consent mechanisms isn't just a compliance gap.
It's the basis of a lawsuit.
Any agency worth working with should know this. They should be building compliant consent banners from day one — ones that actually give members a real choice, not a banner designed to make "Accept All" easy and "Reject" buried or impossible to find. They should be vetting every tracking tool before it goes live. They should be writing privacy policy language that accurately reflects what's running on your site.
This is not optional expertise. It is table stakes for anyone running digital marketing for a credit union in 2026.
If your current agency is calling this a new service, they're telling you something important about how they've been operating all along.
We're going to be direct here, because we think credit unions have been patient long enough with vendors who treat compliance as a revenue line.
At Your Marketing Co., cookie compliance and privacy protection are built into everything we do for our retainer clients. Not as an add-on. Not as a separate scope of work. As part of the job.
When we build or manage a credit union's digital presence, consent management is part of the build. Cookie opt-out mechanisms that actually work — where members have a clear, easy choice — are part of the build. Privacy policies that reflect the tools on your site are part of the build. Tracking tools get vetted before they go live, not after a demand letter arrives.
And when the regulatory landscape shifts — when new cases are decided, when new states pass laws, when exposure grows — we bring that to our clients. We don't wait for them to find it in a trade publication and then price out a fix.
That's the difference between a vendor and a growth partner.
A vendor installs what's convenient for the campaign, hands you a bill, and comes back when there's another problem to charge you for solving. A growth partner has your interest in mind from the start — because when you're exposed, the relationship suffers, the members suffer, and the mission suffers.
We're not saying this to pat ourselves on the back. We're saying it because credit unions should expect this from anyone they work with. If your current marketing partner isn't doing this already, as part of what you're already paying, it's worth asking why.
The other thing agencies will tell you is that this is a California issue. That if your credit union doesn't serve many California members, you can relax.
You can't.
Over the last 18 months, more than 1,500 lawsuits have been filed under the California Invasion of Privacy Act (CIPA) alone — a 1967 wiretapping statute that plaintiffs' attorneys have successfully applied to standard website tracking tools. The cases are spreading, the legal theories are being adopted in other jurisdictions, and state legislatures across the country are following California's lead.
Montana and Connecticut both narrowed GLBA exemptions for financial institutions in 2025. Minnesota and Oregon followed. The broad federal shield that credit unions assumed would keep them protected — the Gramm-Leach-Bliley Act's data exemption — is being eroded state by state, and it never fully covered the non-member data your website collects anyway.
The lawsuits aren't theoretical. Here's what's already settled:
Communication Federal Credit Union paid $2.9 million to resolve a data breach class action in 2025.
First Commonwealth Federal Credit Union paid $1.2 million to settle after a breach exposed nearly 99,000 members — Social Security numbers, account numbers, usernames, and passwords.
Capital One was fined nearly $350,000 by the California Privacy Protection Agency — not for a breach, but for having Meta Pixel and Google Analytics running on its website without proper consent. Federal courts allowed a class action to proceed on the same basis.
And perhaps most alarming: a 2025 ransomware attack on Marquis Software, a marketing and compliance vendor serving over 700 financial institutions, compromised member data from more than 80 credit unions and banks at once. The credit unions didn't get hacked. Their vendor did. The breach notifications still went out under the credit union's name. The reputational damage still landed on the credit union. The class action investigations are aimed at the credit unions.
Your liability doesn't end at your own systems. It follows your data — wherever your vendors and agencies have sent it.
If your marketing agency built your website, runs your digital campaigns, and is now presenting you with a compliance proposal — stop and ask yourself whether that's a partner relationship or a transaction.
A transaction is: we build things, you pay us, problems become new invoices.
A partnership is: we understand the full picture of what it means to market a credit union responsibly, we build with that in mind from the start, and when the landscape changes, we tell you before it costs you.
Privacy compliance, consent management, and protecting your members' data aren't extras. They're part of the work. They always should have been.
Your members trust you with their financial lives. The partner sitting next to you in that work should take that trust as seriously as you do — not as an opportunity to grow their invoice.
If you're not sure what's running on your credit union's website — or whether your current marketing partner has this covered — we're happy to take a look. No pitch. No proposal. Just an honest conversation about where you stand and what a great partnership should look like.
Reach out to the Your Marketing Co. team here.