The latest large-scale legal battle regarding consumer privacy is over pixel tracking technology embedded in consumer-facing websites. Plaintiff law firms are filing class action lawsuits alleging that pixel tracking technology on websites violates legacy privacy statutes, such as statutes designed to protect against wiretapping.

Credit unions, FinTechs, and health-care companies are being targeted with increasing frequency. A particularly challenging problem for credit unions and health-care providers is that compliance with federal and state privacy laws, including the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), is not a defense to pixel tracking technology litigation. Conspicuous consent is a key element in pixel tracking litigation.

Pixel tracking technology and legal theories

Although pixel tracking software code can vary, the general use of the technology is to send a third party information about what visitors do on a website. The purpose is to understand the effectiveness of its website’s ads and other user behaviors. Pixel tracking technology is incredibly common.

Class action lawsuits over pixel technology arise when the technology sends information about what the user is doing and information that can be used to identify that user. Legal arguments include a lack of disclosure and consent, and the nature of the sensitive information passed to a third party. These lawsuits have become prevalent because many privacy statutes provide massive statutory damages, causing plaintiff’s law firms to swarm like locusts to this opportunity.

Financial institutions and health-care providers are often unprepared because compliance with financial and health-care privacy statutes does not prevent claims from moving forward.

Recent developments

The initial wave of lawsuits began with claims of violating the California Invasion of Privacy Act (CIPA), a legacy anti-wiretapping statute from 1967. A major recent case is Camplisson v. Adidas Am., Inc. Although this case is still in litigation, it will undoubtedly fuel a new wave of class action lawsuits.

In a broad ruling, the court held that a mere allegation that tracking pixels recorded personally identifiable information, including a visitor’s IP address, is enough for a case to, under CIPA, move forward. While Adidas argued website visitors had consented to the tracking through the site’s terms and conditions and privacy policy, the court found the argument insufficient to dismiss the case.

In particular, the court found that the privacy disclosure was in a footer, making the terms insufficiently conspicuous. In addition, there was no pop-up window or similar method requiring visitors to consent to the tracking. CIPA provides for $5,000 statutory damages per violation, and plaintiffs are not required to prove that the use of the tracking pixels resulted in any actual harm.

Another legacy statute being used, or misused, is the Video Privacy Protection Act (VPPA). The VPPA is a 1988 federal statute passed by Congress in response to the disclosure of VHS tapes that Supreme Court nominee Judge Robert Bork rented from a local video rental store. The statute forbids disclosing certain data about consumers’ video viewing habits, along with identifying information, without their consent. In early 2026, VPPA was successfully used in a class action lawsuit (Carbone v. Limited Run Games, Inc.) that resulted in a $2.72 settlement.

A challenge under the VPPA has gone all the way to the U.S. Supreme Court. In Salazar v. Paramount Global, the Supreme Court is examining the definition of “consumer” under the VPPA. Depending on the result of this case, additional VPPA class action lawsuits may be imminent.

Steps to consider

To reduce the risk of pixel tracking lawsuits, organizations need to ensure that two key goals are met. Users must receive a “clear and conspicuous” notice, likely a pop-up, that accurately provides notice about what data will be shared if the consumer opts in. In addition, the behavior of the site must be controlled so that data is not shared until after the visitor to the site opts in.

Equally importantly, ensure that data sharing is not accidentally enabled prior to user consent. Website administrators should ensure testing of the blocking technology so gaps can be corrected. Credit unions may also wish to discuss with their counsel the advantages and disadvantages of arbitration clauses and class action waivers in the institution’s terms of use.

More to come

Pixel tracking litigation should be treated as both a legal and technological problem. On the legal side, it is important that the disclosures are accurate and presented to a website visitor before any data is sent to a third party. On the technological side, ensure data transmission is blocked until such time as the visitor to the website opts in. Due to the size of the potential awards, the number of these cases will certainly accelerate in the coming years.