The Balancing Act: Tracking Technology Trends and Risk Mitigation Techniques

Troutman Pepper Locke

Key point: Addressing the litigation and regulatory risks regarding tracking technologies requires a balanced approach between legal exposure and business impact, through a close and continuing collaboration between legal, technology, and business stakeholders.

U.S. companies face a massive wave of wiretapping law class action lawsuits and regulatory enforcement actions over online “tracking technologies.” Nearly every company with a website or app uses pixels, SDKs, cookies, session-replay technology, and chat/chatbot tools, putting them in the crosshairs. In California alone, plaintiffs have reportedly filed more than 1,800 lawsuits since 2022 under the state’s two-party consent wiretapping law (the California Invasion of Privacy Act (CIPA)). These laws carry statutory damages (e.g., up to $5,000 per violation under CIPA), which makes them an extremely attractive target for class action plaintiff attorneys. Plaintiffs’ attorneys have also issued thousands of demand letters, the settlement of which has helped build a war chest for funding further litigation.

While court rulings are mixed, these cases have legs — plaintiffs often survive dismissal and reach discovery, and some classes have been certified. In August 2025, a major social media company was found liable by a jury under CIPA and faces enormous statutory damages tied to tens of millions of alleged violations. In this environment, the number of attorneys bringing claims and the pace of filings is likely to increase rapidly.

Simultaneously, state privacy regulators and attorneys general (AG) have been active in this space. On September 9, 2025, the California Privacy Protection Agency (CPPA) announced that it was collaborating with the California, Colorado, and Connecticut AGs to conduct a “sweep” against businesses who are allegedly failing to honor opt-outs tied to tracking technologies used for advertising. This comes in the wake of some high-profile settlements between the CPPA and various organizations related to the failure to implement global privacy controls (GPC), use of “dark patterns,” misconfigured consent management software, and failure to implement opt-outs.

With this backdrop, the article below identifies some trends and new directions concerning tracking technology legal exposure. The article also highlights some potential solutions for mitigating legal impact, and key considerations for striking a balance between legal, technological and business interests concerning tracking technologies. To help mitigate our clients’ risk, we have teamed up with LOKKER to develop an affordable holistic approach combining tech and legal advice to advance these solutions (more information HERE).

Current Tracking Technology Liability Trends and New Directions

  • Win some/lose some.

Court rulings on key issues in class action litigation drive the success of the litigation and, ultimately, plaintiff attorneys’ appetite for making demands and filing additional litigation. Rulings also impact settlement negotiations and the perceived value of litigation. The case law in this area has been mixed, but defendants have recently enjoyed some favorable rulings in the Ninth Circuit:

  • Thomas v. Papa John’s Int’l, Inc. (9th Cir. June 18, 2025). The Ninth Circuit affirmed a lower court’s ruling on a motion to dismiss a §631 CIPA (interception of the content of a communication) claim related to the defendant’s use of session replay technology on its website. The court ruled that a party to a communication cannot eavesdrop on a communication to which it is itself a party. The plaintiff failed to plead that the defendant aided and abetted the session replay provider’s violation of CIPA.
  • Mikulsky v. Bloomingdale’s, LLC (9th Cir. June 20, 2025). In contrast to Papa John’s, the Ninth Circuit reversed the lower court’s grant of a motion to dismiss against a website owner using third-party session replay technology. Unlike Papa John’s, the plaintiffs in this case had alleged that the defendant aided and abetted the interception of a communication by the third-party session replay provider. Since the complaint alleged the real-time capture of the contents of plaintiff’s communications without her consent, a claim had been stated.
  • Gutierrez v. Converse, Inc. (9th Cir. July 9, 2025). In this case, the Ninth Circuit affirmed a lower court’s decision to grant a motion for summary judgment as to CIPA claims against the website operator. Plaintiffs alleged that the website owner aided and abetted the alleged violation of §631 by a third-party chatbot provider. While the chatbot provider had the ability to read the contents of chat communications, the Ninth Circuit agreed that there was no evidence that the third-party chatbot provider read (or attempted to read) the chat messages at issue while in transit. The Ninth Circuit, however, went even further and brought CIPA back to its roots: it ruled that §631(a) only applies to “telephone wire, line, cable, or instruments.”

  • ECPA – national exposure wild card

Wiretapping claims have expanded into the federal realm under the Electronic Communications Privacy Act (ECPA), which provides a private right of action and statutory damages of the greater of $10,000 total or $100 per day “for each day of violation.” ECPA is a one-party consent law, meaning that, unlike the handful of states with two-party consent wiretapping laws, only one party needs to provide consent for a third party to intercept a communication. So, what is the issue if the website owner provides its consent? ECPA has a “crime-tort” exception that nullifies the consent defense if the communication is intercepted “for the purpose of committing any criminal or tortious act” (under federal or state law). As such, to prevail on a claim, plaintiffs must establish the commission of a tort or a violation of law (or at least an intent to do so).

Plaintiffs have brought several ECPA class action lawsuits against health care entities where a transfer of protected health information (PHI) to third parties through trackers allegedly violated the Health Insurance Portability and Accountability Act (HIPAA). An Illinois federal court, however, recently ruled that certain URL-related information obtained through an advertising tracker did not constitute PHI under HIPAA and granted the defendant’s motion to dismiss. However, courts in the same federal district and in other jurisdictions (e.g., New York, Washington, Minnesota, and Arizona) have allowed cases to proceed based on HIPAA violations past a motion to dismiss.

In addition, in August 2025, two California federal district courts denied motions to dismiss based on the ECPA crime-tort exception where the data at issue was not related to HIPAA. In one case, the court ruled that a financial motivation for the interception of a communication alone does not nullify the crime-tort exception (the dataset in this case included some medical information, but the defendant was not a HIPAA-covered entity). In the other, the court ruled that the defendant’s alleged violation of its own privacy policy was enough to get the plaintiff’s ECPA claim past a motion to dismiss based on the crime-tort exception.

In short, it appears that at least some courts are willing to allow ECPA claims to proceed past the pleadings stage, which provides momentum and settlement value to these cases. However, unlike lawsuits filed in the few states with state two-party consent wiretapping laws, these cases can be filed in federal courts across the nation.

  • Regulator interest and enforcement

As mentioned, privacy regulators and AGs have gotten into the tracking technology enforcement game. The basis of their enforcement, however, is state privacy laws, not wiretapping claims. They are focused on the right to opt out of “selling” and “sharing” of personal information for targeted advertising purposes. The issues they care about include “dark patterns” (e.g., interfaces that drive consumers to particular choices allowing tracking or make it more difficult to effectuate opt-outs) and the efficacy of opt-out processes (the New York AG provided guidance on this topic). On the latter, they have focused on the failure to implement GPC and on mistakes in honoring opt-outs. Regulators have also hired technologists who scan websites for tracking technologies, test opt-out and consent management flows, and check to see if personal information transfers are still occurring post-opt-out. Plaintiffs are also concerned with these issues, especially failures to effectuate opt-outs, which they argue create a basis for unfair or deceptive trade practice claims.

  • California’s SB 690

In California, the business community views the potential liability of CIPA tracking claims so seriously it has lobbied for legislation excluding certain information transfers from CIPA regulation. California’s SB 690 would amend CIPA to add a “commercial business purpose” exception that eliminates CIPA’s private right of action for such processing. There is strong lobbying on the consumer side of this bill, and it is uncertain if it will pass in its current form (or at all). As of September 10, 2025, it is proceeding as a two-year bill and remains in Assembly committee for further consideration into the 2026 session.

Key Considerations and Solutions for Mitigating Risk

On the surface, tackling tracking technology litigation risk seems simple: obtain consent from website and app users before transferring their personal information to third parties through tracking technologies. In short, this is the approach used in the EU to address the e-Privacy Directive. The reality around compliance is much more complex and nuanced, requiring a careful balance between legal risk mitigation, technological scanning and consent management, and business impacts.

  • Assessing your tracker situation – You do not know what you do not know, and what you think you know is always changing.

That describes the current situation around tracking technologies. Many companies do not have full visibility into which trackers are on their sites, the purposes of their trackers, how their trackers are classified, whether they are needed or used, what their trackers actually do, or the data flows tied to their trackers.

Even if an organization manages to obtain an accurate inventory for a point in time, their tracking technology situation can change quickly if: marketing, product development, or IT stakeholders add or change tracking technologies; data flows are modified; consent management processes fail; trackers are misclassified; or, the third parties that design the trackers modify their functionality or data flows. All of this becomes more complex for organizations with multiple sites managed by different teams.

As such, it is important to periodically conduct assessments of sites employing tracking technologies. Scanning technologies can provide insights in an automated and consistent fashion over time. This helps legal, privacy and IT teams understand the state of their sites and take steps to manage risk.

  • Balancing legal risk against business impact using legal positioning and technology.

The wiretapping case law is currently in flux and nothing is settled. Court splits exist within state and federal districts, and between state and federal courts in other jurisdictions. There is a lot of “gray” when it comes to the obligations under these laws, and the details of a site’s implementation of tracking technology and consent management processes can significantly impact the legal risk of the organization. The solutions for addressing this risk, however, can result in a significant impact to the business objectives, products and services, and revenue of an organization. Studies suggest that this impact can be material. For example, a consumer-facing organization highly reliant on targeted advertising based on its website visitors could expect the effectiveness of its advertising campaigns to decrease if it could only target ads to those visitors who affirmatively opted in. In contrast, a B2B company in a more traditional industry (e.g., manufacturing) may feel no impact from an EU-style opt-in consent banner.

Ultimately, a sliding scale between legal risk reduction and business impact exists, which can be calibrated to achieve the balance desired by the site owner. From the legal perspective we are trying to position site owners in a way that: (1) makes them a less likely target for class action plaintiff attorneys; and (2) if a demand is made or litigation is filed, provides the site owner with defenses to support their compliance positions.

Technology plays a role here as well. For example, tracking technologies placed on health care provider websites that disclose the URLs of site visitors are attractive to plaintiffs. Plaintiffs believe there is enhanced case value if a site user visits the diabetes page of a health care system and a third party sends the site visitor diabetes ads. In contrast, if the same user visits a health care site’s diabetes page and the tracking technology only obtains an IP address, the value of the case is decreased (and it may not even be worth pursuing at all for class counsel). Technology exists and can be implemented to definitively prevent URLs from being sent through tracking technologies, and it comes with an audit trail that can be useful evidence when presented to plaintiff attorneys, judges, and regulators.

  • Avoiding over-reliance on third-party consent management tools.

The out-of-the-box configurations and implementations of consent management tools (CMTs) will often not work. Organizations that trust these tools without verifying them are bound to find themselves in trouble. For example, some CMTs provide default tracking technology classifications – these classifications can be wrong. CMTs designed to suppress data transfers through tracking technologies do not always work for a variety of reasons – they can be misconfigured, the tracking technology could be modified by its owners, or the site owner may fail to place new pixels under the consent management umbrella. With an ever-changing environment, “set it and forget it” does not work. The failure to honor opt-outs due to these failures actually increases legal risk because it could give plaintiffs an additional unfair or deceptive trade practice claim (in addition to their wiretapping claims). This is also where privacy regulators and AGs are focused. It is arguably better to not have a consent management process than a severely broken one – in such cases plaintiffs can still allege CIPA claims due to the CMT’s failure and site owners may also face exacerbating unfair or deceptive trade practice claims.
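The three failure modes above (misclassified trackers, new pixels outside the consent umbrella, transfers that continue after an opt-out), the regulators’ practice of testing opt-out flows and checking for post-opt-out transfers, and the URL-stripping control mentioned earlier all come down to the same two pieces of plumbing: a gate that decides which trackers may load given the visitor’s consent and the GPC signal, and an audit that compares what the site actually sent against that decision. The following is an added illustration written for this article; it is not code from the article, from LOKKER, or from any CMT vendor. The site host, tracker registry and request log are constructed, and the only external facts it relies on are that GPC arrives as the `Sec-GPC: 1` request header (or `navigator.globalPrivacyControl === true` in the browser) and that a `Referrer-Policy` of `strict-origin` reduces the referrer to the origin.

```javascript
// Added example (not from the article, LOKKER, or any CMT vendor): a consent
// gate that honors Global Privacy Control, plus a post-opt-out audit of an
// observed request log. All hosts, tracker names and requests are constructed.

const FIRST_PARTY_HOST = "www.example-clinic.test"; // constructed site host

// Tracker registry the site owner maintains. Classification is the site
// owner's call; a vendor's default classification is only a starting point.
const TRACKERS = [
  { name: "ad-pixel", host: "pixel.adnet.test", purpose: "advertising" },
  { name: "session-replay", host: "replay.vendor.test", purpose: "analytics" },
  { name: "chat-widget", host: "chat.vendor.test", purpose: "functional" },
];

// Effective consent from a stored banner choice plus the GPC signal. The
// signal is the Sec-GPC: 1 header or navigator.globalPrivacyControl === true;
// the caller passes it in so this function is testable outside a browser.
function resolveConsent({ gpcSignal = false, storedChoice = null } = {}) {
  const consent = {
    functional: true, // strictly necessary, never gated behind consent
    analytics: Boolean(storedChoice && storedChoice.analytics),
    advertising: Boolean(storedChoice && storedChoice.advertising),
  };
  // GPC is an opt-out of sale/sharing for targeted advertising: it overrides
  // an earlier banner "accept" for that purpose and never grants anything.
  if (gpcSignal) consent.advertising = false;
  return consent;
}

// Names of the trackers a tag loader may inject under this consent state.
function allowedTrackers(consent, trackers = TRACKERS) {
  return trackers.filter((t) => consent[t.purpose] === true).map((t) => t.name);
}

// True when a third-party request carries the first-party page path, either
// in the Referer (Referrer-Policy: strict-origin strips it) or copied into a
// query parameter such as a "document location" field.
function leaksPageUrl(req, firstPartyHost) {
  if (req.referrer) {
    const ref = new URL(req.referrer);
    if (ref.hostname === firstPartyHost && ref.pathname !== "/") return true;
  }
  for (const value of new URL(req.url).searchParams.values()) {
    if (value.includes(`${firstPartyHost}/`) && !value.endsWith(`${firstPartyHost}/`)) return true;
  }
  return false;
}

// Post-opt-out audit: compare an observed request log against consent.
// Findings cover transfers without consent for the tracker's purpose, third
// parties missing from the registry (a new pixel outside the consent
// umbrella) and page-URL leakage.
function auditTransfers(requests, consent, trackers = TRACKERS, firstPartyHost = FIRST_PARTY_HOST) {
  const byHost = new Map(trackers.map((t) => [t.host, t]));
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (host === firstPartyHost) continue; // first-party traffic is not a transfer
    const tracker = byHost.get(host);
    if (!tracker) {
      findings.push({ url: req.url, issue: "unregistered third-party request" });
      continue;
    }
    if (!consent[tracker.purpose]) {
      findings.push({ url: req.url, issue: `transfer to ${tracker.name} without ${tracker.purpose} consent` });
    }
    if (leaksPageUrl(req, firstPartyHost)) {
      findings.push({ url: req.url, issue: `page URL sent to ${tracker.name}` });
    }
  }
  return findings;
}

// Constructed request log: what a scanner might capture on a condition page
// after the visitor opted out via GPC. The chat widget request shows a
// referrer already reduced to the origin by Referrer-Policy: strict-origin.
const SAMPLE_REQUESTS = [
  { url: "https://www.example-clinic.test/conditions/diabetes", referrer: "" },
  { url: "https://pixel.adnet.test/collect?dl=https%3A%2F%2Fwww.example-clinic.test%2Fconditions%2Fdiabetes",
    referrer: "https://www.example-clinic.test/conditions/diabetes" },
  { url: "https://chat.vendor.test/widget.js", referrer: "https://www.example-clinic.test/" },
  { url: "https://newpixel.unknown.test/p.gif", referrer: "https://www.example-clinic.test/conditions/diabetes" },
];

const consentUnderGpc = resolveConsent({ gpcSignal: true, storedChoice: { advertising: true, analytics: true } });
console.log("may load:", allowedTrackers(consentUnderGpc));
console.log(auditTransfers(SAMPLE_REQUESTS, consentUnderGpc));
```

Run against the constructed log under a GPC opt-out, the audit reports three findings: the ad pixel fired without advertising consent, that same request carried the diabetes page URL, and an unregistered third party was contacted. The same log audited against a visitor who accepted everything still reports two findings (the URL leak and the unregistered pixel), which is the point of keeping the registry and the audit separate from the CMT: the audit catches what the consent tool was never configured to see.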

Our Take

Addressing tracking technology risk is a tricky proposition that requires creative solutions. These issues cannot be tackled solely by attorneys in a vacuum; the assessment and consent management technologies can help but cannot fully address legal risk and balance business impacts. It is important to combine legal and technological solutions to craft risk-based solutions for site owners that involve business stakeholders in the marketing, product development and IT departments. Troutman has developed a series of fixed-fee, cost-effective service packages that can help clients achieve their balance. The packages build on each other, and organizations have the flexibility to do as much or as little of the work themselves as they would like. These packages provide meaningful value because they enable clients to address and balance their risk for much less than it takes to settle or litigate these demands. You can find more information HERE.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper Locke
