Tracking technologies in the digital age: A new wave of website tracking litigation

In recent years, the California Invasion of Privacy Act (CIPA) has become a go-to statute for enterprising plaintiffs’ attorneys challenging common website technologies under a 1967 wiretapping statute originally aimed at protecting private phone and telegraph communications from unauthorised interception.

California has long been at the forefront of privacy regulation in the United States, often serving as a bellwether for legislative and enforcement trends nationwide. The plaintiff’s bar has dusted off this nearly 60-year-old law notwithstanding the existence of landmark consumer privacy laws, such as the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), which specifically address how web technologies interact with personal information and have influenced similar legislative efforts across other US states.

The plaintiff’s bar has leveraged CIPA to exploit its private right of action – something that CCPA and CPRA do not provide outside of data breaches – and to advance theories that websites deploy tracking pixels, session replay tools, and similar analytics technologies, including tools like the Google Pixel and Meta Pixel, to collect and disclose user information, characterised by plaintiffs as personal information, without sufficient notice or consent. This collection, plaintiffs argue, constitutes unauthorised “interception” of communications under CIPA.

While courts remain divided, some have allowed these claims to survive motions to dismiss, underscoring the statute’s potential reach in the digital context and emboldening plaintiffs to continue filing complaints. Notably, CIPA allows for a USD 5,000 statutory penalty per violation, and plaintiffs often pursue claims on a per-user or even per-session or per-interaction basis, which can scale rapidly in a class action.

Compounding this trend is CIPA’s broad consent framework. The statute generally prohibits the interception or recording of communications without the requisite consent of all parties, placing consent at the centre of these disputes. Many recent claims focus on allegations that tracking pixels continue to fire (i.e., load on a webpage and transmit data to third parties) despite a user’s attempt to opt-out (e.g., via a consent banner on a homepage), reframing routine implementation issues as statutory violations. In practice, plaintiffs argue that any user accessing a website while located in California could attempt to assert a CIPA claim under these theories, significantly expanding potential exposure.

Against this backdrop, the California Legislature has begun to consider whether CIPA should be clarified or modernised, including through proposals such as Senate Bill 690 (SB 690), which would exempt certain routine commercial tracking activities already regulated under the CCPA/CPRA. Although such efforts have not yet been enacted, they reflect growing recognition that California already maintains a comprehensive privacy framework (i.e., CCPA/CPRA), even as the plaintiffs’ bar continues to test the outer limits of older statutes such as CIPA.

In the interim, businesses – including non-US businesses with operations in the US, or those considering a joint venture or acquisition in the US – should take proactive steps to mitigate CIPA risk by carefully evaluating how tracking technologies are implemented and how consent is obtained. At a high level, this includes deploying pre-collection consent mechanisms that function as a gating tool before any tracking occurs, ensuring users are given clear and affirmative choices to accept or opt-out of tracking, and confirming that no pixels or third-party tools fire in the absence of valid consent.

Scott W. Resnick, Associate, Pryor Cashman LLP*, New York, USA
Email: sresnick@pryorcashman.com