There Is No Spoon: How Website Tracking Technologies Spark Litigation
In a global, data-driven world, ubiquitous website-tracking technologies have moved to the forefront of class action privacy litigation. At this session at RIMS 2026, a panel of industry experts examined emerging trends and the scope of legal and regulatory exposure arising from these essential marketing and analytics tools. Speakers included:
- Carolyn Purwin Ryan – Partner & Co-Chair, Litigation, Mullen Coughlin LLC
- Devon Acherman – Global Head, DFIR, LevelBlue
- Dana Cuoco – Assistant Vice President, Northeast Cyber Claims Lead, At-Bay
Pixel Tracking Security & Privacy Assessment
A key component of managing these risks is conducting a comprehensive pixel tracking security and privacy assessment. This process begins with source code analysis to identify embedded trackers such as Meta Pixel, Google Analytics, and LinkedIn Insight Tag. An inventory and configuration review then evaluates the scope of data collection, including form submissions, mouse movements, IP addresses, and potentially personally identifiable information (PII).
Data flow mapping helps determine how information is transmitted and whether it is shared with third parties. These findings support a broader risk assessment, enabling legal counsel to evaluate compliance with privacy and consumer protection laws. In some cases, court-approved experts may also provide testimony and detailed written analyses outlining risks and mitigation strategies.
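The source code analysis and inventory steps described above can be sketched as follows. This is an added example, not a tool presented by the panel; the signature table, the function name inventoryTrackers and the sample page are assumptions made for illustration.

```javascript
// Added example: [tracker, host, path] signatures for the trackers the article
// names. Extend the table for a real assessment.
const SIGNATURES = [
  ["Meta Pixel", "connect.facebook.net", ""],
  ["Meta Pixel", "www.facebook.com", "/tr"],
  ["Google Analytics", "www.googletagmanager.com", "/gtag/js"],
  ["Google Analytics", "www.google-analytics.com", ""],
  ["LinkedIn Insight Tag", "snap.licdn.com", ""],
  ["LinkedIn Insight Tag", "px.ads.linkedin.com", ""],
];

// One inventory row per tracker found in the page source, covering src
// attributes and URLs embedded in inline loader snippets.
function inventoryTrackers(html) {
  const rows = new Map();
  for (const raw of html.match(/(?:https?:)?\/\/[^\s"'<>()\\]+/g) || []) {
    let url;
    try {
      url = new URL(raw.startsWith("//") ? "https:" + raw : raw);
    } catch {
      continue; // not a URL (for example a code comment)
    }
    const sig = SIGNATURES.find(([, host, path]) =>
      host === url.hostname &&
      (url.pathname === path || url.pathname.startsWith(path + "/")));
    if (!sig) continue;
    const row = rows.get(sig[0]) || { tracker: sig[0], endpoints: new Set(), ids: new Set() };
    row.endpoints.add(url.hostname + url.pathname);
    // Account identifiers carried in the URL ("id" for gtag and Meta, "pid" for LinkedIn).
    for (const key of ["id", "pid"]) {
      if (url.searchParams.has(key)) row.ids.add(url.searchParams.get(key));
    }
    rows.set(sig[0], row);
  }
  return [...rows.values()]
    .map((r) => ({ tracker: r.tracker, endpoints: [...r.endpoints].sort(), ids: [...r.ids].sort() }))
    .sort((a, b) => a.tracker.localeCompare(b.tracker));
}

// Constructed sample page (placeholder IDs), not taken from any real site.
const SAMPLE_HTML = `
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE000"></script>
<script>!function(f,b,e,v){ /* loader body omitted */ }(window, document,
  'script', 'https://connect.facebook.net/en_US/fbevents.js');</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<a href="https://www.facebook.com/examplehospital">Follow us</a>
<script src="//snap.licdn.com/li.lms-analytics/insight.min.js"></script>`;
```

Static source analysis of this kind misses tags injected at runtime by a tag manager, so an assessment would pair it with observation of the requests a loaded page actually makes.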
Sources of Website Tracking Litigation
Website tracking litigation commonly arises from several sources, including:
- Use of tracking pixels: Typically deployed to report real-time user activity to third parties for marketing purposes (e.g., Meta Pixel, Google Analytics, LinkedIn, Twitter, Snapchat, TikTok).
- Session replay or recording tools: Generally used for internal purposes such as quality control or customer service, and typically involve little to no sensitive data.
- Chat assistants: Used for automated customer service and sales; these raise issues such as user consent and potential third-party access.
- Inaccurate or incomplete privacy policies: Failures to fully disclose data practices can increase legal exposure.
- Misconfigured consent management tools: Improper setup may result in noncompliant data collection or sharing.
Third-Party Viewing
A particularly significant issue involves third-party viewing enabled by embedded website technologies. For example, when a hospital loads third-party JavaScript, pixels, analytics scripts, or chat widgets into a patient’s browser, that third-party code can observe a wide range of the user's activity on the site, including:
- Page URL visited
- Referring URL
- Search terms entered on the site
- Button clicks
- Form field names and sometimes values
- Appointment request paths
- Provider specialty pages viewed
- Portal login events
- IP address
- Device/browser identifiers
- Cookies or advertising IDs
- Email, phone, name, DOB, zip code, appointment reason, insurance, MRN, or other fields exposed to the script
This last category of information is the particular problem, while the rest is legitimate technical information. An incorrectly configured tracking technology can overcollect information; while the tracking technology is not purposefully malicious, it is collecting sensitive data in the process.
Website Tracking Litigation
The most commonly litigated claim in this space arises under California Penal Code Section 631(a) (CIPA), which broadly prohibits the unauthorized interception or reading of communications in transit without the consent of all parties. Plaintiffs often argue that website tracking tools effectively “read” user communications as they are transmitted, thereby violating the statute. This expansive interpretation has made CIPA a key cause of action for website tracking claims.
Website Tracking Litigation: Defenses
Defendants have developed several important defenses in response to these claims. Standing is a primary issue, particularly in federal court, where plaintiffs must demonstrate a concrete “injury in fact.” While plaintiffs often assert privacy violations, emotional distress, or loss of value of personal data, defendants have increasingly succeeded in challenging whether such harms meet the required threshold.
Personal jurisdiction is another critical defense, requiring plaintiffs to show that a defendant expressly targeted the forum state. Courts apply varying interpretations of this standard, leading to inconsistent outcomes.
Website Tracking Litigation: Outcomes
- Motions to dismiss: Generally have a low success rate at the pleading stage, as complaints are often drafted in a highly prejudicial manner. Some dismissals are granted based on pleading deficiencies, typically with leave to amend.
- Progression of cases: Only recently have cases advanced beyond discovery into summary judgment and class certification stages.
- Summary judgment: Outcomes have generally favored defendants, particularly where plaintiffs cannot demonstrate that a third party actually read or used data while in transit. Several recent CIPA decisions have turned on this issue. However, exceptions exist, such as Frasco v. Flo Health, where Google’s motion for summary judgment was denied under multiple statutes.
- Class certification: Results have been mixed, with some cases favoring defendants and others allowing classes to proceed, reflecting the evolving and unsettled nature of this area of law.
Trends
CIPA-based decisions have been trending in favor of plaintiffs, with standing, personal jurisdiction, and anonymity all being eroded. The definition of what constitutes the “contents” of a communication has been expanded to include detailed URLs. Claims under health privacy laws such as the California Medical Information Act (CMIA) are also becoming more prominent. Additionally, “trap-and-trace” theories are gaining traction, and more firms are entering the space, contributing to increased filing volumes and higher settlement amounts. Despite this, some favorable developments for defendants remain, particularly under the Electronic Communications Privacy Act (ECPA).
Website Tracking Technology Risk Management
There are several ways to help mitigate litigation risks, including:
- Website scanning and analysis: Conduct regular, comprehensive scans to identify and evaluate all tracking technologies in use.
- Opt-in consent banners: Implement properly configured banners that obtain affirmative consent where required (such as in the UK).
- Privacy policies: Maintain accurate and complete privacy policies that reflect current data practices, include all applicable privacy laws, and are updated at least annually; consider incorporating arbitration language and class action waivers.
- Vendor management: Establish documented contractual limitations on third-party access and data use, with vendor management programs playing an increasing role in regulatory compliance.
- Data minimization tools: Use transmission intermediaries to scrub sensitive data, such as IP addresses, URLs, cookie values, and assigned identifiers, before it is shared with third parties.
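A transmission intermediary of the kind described in the last item can be sketched as an allow-list filter applied before an event is forwarded to a third party. This is an added example, not a product or code discussed by the panel; the event shape, the allow-lists and the function names scrubUrl and scrubEvent are assumptions.

```javascript
// Added example of a scrubbing intermediary. The event shape (url, referrer,
// ip, cookies, userId, fields) and both allow-lists are assumptions.
const ALLOWED_FIELDS = new Set(["event", "timestamp"]);
const ALLOWED_QUERY = new Set(["utm_source", "utm_medium", "utm_campaign"]);
// Email-like strings or long digit runs inside an otherwise allowed value.
const PII_PATTERN = /[^\s@]+@[^\s@]+\.[^\s@]+|\d{7,}/;

function scrubUrl(raw) {
  const u = new URL(raw);
  const kept = new URLSearchParams();
  for (const [key, value] of u.searchParams) {
    if (ALLOWED_QUERY.has(key)) kept.set(key, PII_PATTERN.test(value) ? "redacted" : value);
  }
  // Keep only the first path segment so detailed paths (specialty, request
  // type) are generalized before leaving the first party.
  const first = u.pathname.split("/").filter(Boolean)[0];
  const query = kept.toString();
  return u.origin + "/" + (first || "") + (query ? "?" + query : "");
}

function scrubEvent(evt) {
  const out = {};
  for (const key of Object.keys(evt)) {
    if (ALLOWED_FIELDS.has(key)) out[key] = evt[key];
  }
  if (evt.url) out.url = scrubUrl(evt.url);
  // The referrer is reduced to its origin: on-site search terms live in it.
  if (evt.referrer) out.referrer = new URL(evt.referrer).origin;
  return out; // ip, cookies, userId and form fields are never copied
}

// Constructed event, as a tag might report it from an appointment page.
const SAMPLE_EVENT = {
  event: "PageView",
  timestamp: 1700000000,
  url: "https://hospital.example/appointments/oncology/request?utm_source=newsletter&email=pat%40example.com&reason=biopsy",
  referrer: "https://hospital.example/search?q=chemotherapy",
  ip: "203.0.113.25",
  cookies: "_fbp=constructed-value; session=constructed-value",
  userId: "MRN-0000000",
  fields: { dob: "1980-01-01", zip: "00000" },
};
```

Because the filter copies only allow-listed fields, a new field added to the page later is withheld by default rather than shared by default.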
