Cookie and Pixel Lawsuits: The Rising Legal Risk of Tracking Without Consent

Cookie and pixel lawsuits explained: the laws (CIPA, VPPA, wiretap acts), who gets sued, real cases, costs, and how to cut your risk.


by Riad Us Salehin • 5 July 2026


Cookie and pixel lawsuits are privacy claims alleging a website let trackers share visitor data without valid consent. Plaintiffs sue under old wiretapping statutes like California's CIPA, the federal Wiretap Act, and the VPPA, with per-violation damages that can reach $5,000.

Below: the laws driving this wave, the technologies that trigger it, who gets sued, what it costs, and the fix that removes it.

What Are Cookie and Pixel Lawsuits?

Cookie and pixel lawsuits are privacy claims alleging that a website let trackers collect a visitor's activity without valid prior consent. Private plaintiffs bring these claims, not regulators. The theory is almost always an old wiretapping or eavesdropping statute applied to modern web trackers.

Two distinct paths produce these lawsuits. The first is a formal class action filed in court, seeking damages for every visitor whose data was allegedly intercepted. The second, far more common for small sites, is a demand letter: a notice claiming a specific violation and offering to settle before filing suit.

What plaintiffs typically allege:

  • A tracker (cookie, pixel, or script) captured the visitor's activity or communications
  • The visitor never gave affirmative, informed consent before that capture happened
  • The capture counts as an illegal "interception" or "eavesdropping" under a wiretapping or privacy statute
  • The site shared that data with a third party (commonly Meta, Google, or an analytics vendor) without authorization

This is a private-litigation vector, separate from regulator fines. GDPR and CCPA enforcement actions come from government regulators; cookie and pixel lawsuits come from private plaintiffs using statutes never written with websites in mind. The common cookie consent violations that trigger both types of claims overlap heavily, even though the enforcement path differs.

Why Are Website Tracking Lawsuits Surging Now?

Website tracking lawsuits are surging because old wiretapping laws carry high statutory damages and a specialized plaintiffs' bar has built a repeatable playbook around them. Nearly every website still runs trackers that fire before a visitor consents. A single 2022 settlement legitimized the theory, and volume has grown every year since.

The root causes driving the surge:

  1. Decades-old statutes fit new technology: California's Invasion of Privacy Act dates to 1967. The federal Wiretap Act and the Video Privacy Protection Act (VPPA) date to 1968 and 1988. Courts now decide whether a tracking pixel counts as "wiretapping" under language written before the web existed.
  2. Statutory damages remove the need to prove harm: CIPA allows up to $5,000 per violation regardless of whether the visitor suffered any real loss. That number, multiplied across a visitor class, turns a compliance gap into a large potential liability.
  3. A serial-plaintiff cottage industry has formed: the same individuals and firms file dozens of near-identical demand letters against different sites. Defense counsel calls them "testers," since per-violation damages make volume profitable at modest settlement amounts.
  4. Trackers are everywhere and often fire early: third-party pixels, analytics tags, and chat widgets are standard on most commercial sites. Many load in the page <head> before any consent banner has a chance to render.
  5. A landmark case proved the theory works: In re Facebook Internet Tracking Litigation resulted in a $90 million settlement. It was approved in 2022 and affirmed by the Ninth Circuit in 2024. It targeted tracking of logged-out users through Facebook "Like" buttons on third-party sites between April 2010 and September 2011. The Ninth Circuit recognized that unauthorized monetization of user data is a concrete economic harm, clearing the standing hurdle that once blocked these suits. The settlement also forced Meta to sequester and destroy the collected data, the first nationwide data-deletion injunction of its kind, and it gave the plaintiffs' bar a proven template against smaller, less-defended targets.

Which Laws Are Used to Sue Over Website Tracking?

Four legal tracks drive cookie and pixel litigation, each with a different target, protected class, and damages structure. Private lawsuits use state and federal wiretapping statutes and the VPPA; regulators use GDPR and CCPA separately.

LawWhat it targetsWho it protects / whereStatutory damagesDepth covered below
CIPAWiretapping, eavesdropping, and pen-register/trap-and-trace theories applied to trackersCalifornia visitors, but reaches any business with California trafficUp to $5,000 per violationWhat is CIPA
Federal and state wiretapping laws"Interception" of communications via session replay, chat, and pixelsVaries by state; some require two-party consentStatutory, varies by statuteFederal and state wiretapping laws
VPPASharing video-viewing data with third parties, often via tracking pixelsAny "consumer" of video content, US-wide$2,500 liquidated damages per violationThe VPPA
GDPR / CCPA (regulator track)Consent-collection failures, unauthorized data sale or sharingEU/UK visitors (GDPR); California consumers (CCPA)Regulator-imposed fines, not per-violation private damagesGDPR, CCPA, and the regulator track

California Invasion of Privacy Act (CIPA)

CIPA is a 1967 wiretapping and eavesdropping law that has become the single most common vector for website tracking suits. Plaintiffs bring claims under Section 631 (wiretapping), Sections 632 and 632.7 (eavesdropping on confidential communications), and Section 638.51 (pen register and trap-and-trace devices). Each carries up to $5,000 in statutory damages per violation. A reform bill, SB 690, would narrow CIPA and could remove the private right of action for pen-register claims. It passed an Assembly committee on July 1, 2026, but is not yet law and is still being amended. Businesses should not count on relief from it. See what is CIPA for section-by-section depth.

Federal and State Wiretapping Laws

The federal Wiretap Act (part of the Electronic Communications Privacy Act) was the basis of the $90 million Facebook settlement. Several states also layer their own two-party-consent wiretapping statutes on top. These theories frame session replay, live chat, and pixel tracking as illegal "interception," since the tool captures a communication as it happens. Defenses turn heavily on consent timing and the visitor's standing to sue. See website wiretapping lawsuits for the full theory.

The Video Privacy Protection Act (VPPA)

The VPPA is a 1988 federal law, passed after a newspaper published a Supreme Court nominee's video-rental history. It is now repurposed against websites and media companies that share video-viewing data with third parties, typically through the Meta Pixel. It carries $2,500 in liquidated damages per violation. Salazar v. Paramount Global is pending at the Supreme Court on who counts as a VPPA "consumer," with a decision expected later in the 2026 term. See what is the VPPA for the full mechanics.

GDPR, CCPA, and the Regulator Fine Track

Private lawsuits and regulator enforcement are two separate tracks that both stem from tracking without consent. In the EU and UK, GDPR and ePrivacy consent failures draw fines from data protection authorities. See the biggest GDPR fines and the GDPR enforcement tracker for those cases. In the US, the California Attorney General and the California Privacy Protection Agency enforce the CCPA, covered in CCPA enforcement cases. A site can face both tracks at once for the same tracking failure.

Which Website Technologies Trigger These Lawsuits?

Any script that collects or shares visitor data before consent can trigger a claim, but a handful of technologies show up repeatedly. The shared root cause across all of them: the tracker fires and sends data before the visitor has a chance to consent.

  • Third-party advertising pixels (the Meta Pixel and Google's tags): fire on page load to track conversions and retarget visitors, often before any banner renders.
  • Analytics and cookies (Google Analytics and similar): log page views and behavior, and plaintiffs argue this is "interception" when it happens pre-consent.
  • Session replay and keystroke capture (session replay lawsuits): records every scroll, click, and keystroke. Courts describe this as a more direct communications capture than passive analytics.
  • Chat widgets and contact forms: capture a visitor's typed messages in real time, which plaintiffs frame as intercepting a private communication.
  • Site search bars wired to analytics: send search queries, sometimes containing personal or sensitive terms, to third-party analytics platforms.
  • SDKs embedded in mobile apps: the same theory extends to app-based tracking, as in Rodriguez v. Google, where data kept flowing after a user opted out.
  • AI chatbots: the newest frontier, since a chatbot that "listens" to and logs a visitor's questions raises the same consent-timing issue as a chat widget.
  • Third-party embeds that load without consent: fonts and widgets like Google Fonts and reCAPTCHA can transmit visitor data before any consent choice is made.

A real example from a small ecommerce site: a family-owned online store received a $25,000 CIPA demand letter. A couple of pixels had fired before its cookie consent banner finished loading. The site already had a GDPR-style opt-in banner installed, but its presence did not matter because the trackers fired before the visitor made a choice.

Who Is Getting Sued? (And Why "I'm Not in California" Is No Defense)

Every kind of site that runs third-party trackers is a potential target, not just big tech companies. Serial plaintiffs specifically target small and mid-sized businesses. CIPA and wiretapping theories can reach a business with no California office as long as it has California visitors.

Sectors that show up repeatedly in filings:

  • Healthcare providers and wellness apps: hospitals, health systems, and apps handling health, therapy, or reproductive-health data face the sharpest scrutiny, since courts treat health data as inherently sensitive. Frasco v. Flo Health is the clearest example: a jury found Meta violated CIPA Section 632 for obtaining Flo Health users' confidential ovulation and menstrual-cycle data. See cookie consent for healthcare for the provider-specific rules.
  • Retail and ecommerce: small stores are common demand-letter targets precisely because they are less likely to fight back in court.
  • Media and streaming: sites sharing video-viewing data face VPPA exposure specifically, as in the pending Salazar v. Paramount Global case.
  • Finance: Ingraham v. Capital One shows financial sites face elevated risk when a tracker transmits sensitive data like credit scores or income bands to a third party.

A defendant does not need a California office or even US headquarters to face a CIPA claim. The statute reaches any business whose website is visited by California residents. 2026 case law confirms this applies to national companies: Crypto.com, Capital One, and AEG have all faced these claims. The small-family-business demand letter above, for a company with no special California presence, shows the same reach at the opposite end of the size spectrum.

How Much Do Website Tracking Lawsuits Cost?

Statutory damages stack fast in a class action: CIPA allows up to $5,000 per violation and the VPPA allows $2,500 per violation. A class of thousands of visitors can push exposure into the millions. For most small businesses, the more common reality is a settlement-seeking demand letter, typically between $15,000 and $40,000.

The two cost paths work differently:

  • Formal class actions multiply per-violation statutory damages across every affected visitor. That math produced a $425 million jury verdict in Rodriguez v. Google in September 2025 and the $90 million Facebook internet-tracking settlement.
  • Demand letters target individual small businesses before any suit is filed. They typically cite $5,000-per-violation exposure and demand a settlement in the $15,000-to-$40,000 range, calculated to undercut the cost of litigating even a winnable case.

That "pay or litigate" calculation is the core of the demand-letter economics. Settling a $15,000 to $40,000 demand is often cheaper than the legal fees required to fight it, even when the underlying claim is weak. That gap is exactly what makes the model profitable for serial plaintiffs regardless of the merits.

The Cases Driving the Trend: Real Website Tracking Lawsuits

Real cases show both how far this theory reaches and how unsettled the law still is. Courts have gone both ways within months of each other, often on nearly identical facts.

CaseLaw / theoryOutcomeLesson
In re Facebook Internet Tracking LitigationFederal Wiretap Act$90 million settlement, approved 2022, affirmed by the Ninth Circuit in 2024, plus a first-of-its-kind data-deletion orderRecognized data monetization as economic harm, cleared the standing hurdle, and set the template plaintiffs still use
Rodriguez v. GoogleState-law privacy claims over app tracking$425 million jury verdict, September 3, 2025. Compensatory only, no punitive damagesTracking that continues after a user opts out is a jury-tested loser for defendants
Frasco v. Flo HealthCIPA Section 632 (eavesdropping)Jury found Meta liable, August 2025. Flo Health settled mid-trialHealth-app data shared via a pixel or SDK draws the sharpest judicial scrutiny
Garcia v. AEGCIPA Section 638.51 (pen register)ECPA claim dismissed, pen-register claim survived, May 2026Cookies firing before the consent banner renders defeat a "we have a banner" defense
Ortiz v. Foris Dax (Crypto.com)CIPA Section 638.51 (pen register)Wiretapping dismissed, pen-register claim survived, May 2026. Court found the theory applies to internet trackingThe pen-register theory is gaining ground in some federal courts
Ingraham v. Capital OneCIPA and wiretappingTracking claims survived, May 2026Sites transmitting FICO scores, income bands, or credit outcomes face elevated exposure
Sisti v. Bosley, Inc.CIPA Section 631, Article III standingDismissed with prejudice, April 2026. No standing, plus valid clickwrap consentA genuine clickwrap consent flow is still the strongest available defense
Castro v. SBE Restaurant GroupCIPA pen register and related claimsFour of five claims survived in California state court, April 2026State courts let these claims proceed more readily than federal courts

Two patterns decide these 2026 rulings. First, clickwrap consent, an affirmative click, beats browsewrap consent, implied by continued browsing, in nearly every case above. Trackers that fire before a visitor's choice is recorded are the fact pattern that keeps showing up on the losing side.

Second, courts now sort claims by data sensitivity and by forum. Financial and health data draw the sharpest scrutiny, as with the FICO scores in Ingraham and the ovulation data in Frasco. Routine browsing metadata increasingly fails the Article III standing test in federal court, as in Sisti. California state courts let these claims proceed more readily than federal courts. The same facts can therefore produce opposite outcomes depending on where the suit is filed.

How Do You Reduce Your Website Tracking Lawsuit Risk?

The single highest-impact fix is blocking every non-essential tracker until a visitor gives affirmative consent. Pre-consent firing is the fact pattern behind nearly every case above. A complete risk-reduction program covers seven steps.

  1. Inventory every cookie, pixel, script, and SDK running on the site, and know exactly when each one fires relative to page load.
  2. Block non-essential trackers until the visitor gives affirmative prior consent: this is the fix that would have stopped the $25,000 CIPA demand described earlier. The pixels fired before the banner loaded, not because no banner existed.
  3. Use a real opt-in consent banner with genuine accept and reject options, not a browsewrap notice that implies consent from continued browsing. 2026 case law consistently favors clickwrap over browsewrap.
  4. Keep consent logs as proof of a good-faith compliance effort. A documented consent record is evidence a court or opposing counsel has to reckon with.
  5. Align your privacy and cookie policies with actual data practices, so the required policy documentation matches what your trackers actually do.
  6. Push compliance obligations to vendors by contract, so third-party scripts you embed carry the same consent-respecting behavior you commit to.
  7. Have a demand-letter response plan ready before one arrives, covering who reviews it, what gets audited immediately, and when outside counsel gets involved.

A consent management platform handles steps one through four in one workflow, instead of piecing them together by hand.

How Consently Blocks Trackers Until You Have Consent

Consently is a consent management platform that scans your site for every cookie, pixel, script, and iframe. It blocks the non-essential ones until a visitor gives explicit opt-in consent, which addresses the pre-consent firing pattern behind most tracking lawsuits.

Consently's automatic full-site scan detects cookies, trackers, scripts, and iframes, including third-party pixels and embeds. Its auto-blocking stops non-essential ones from loading until the visitor actively consents. Script and iframe blocking close the exact gap that let the pixels fire before the banner rendered in the ecommerce example above.

Every consent choice is stored in an exportable consent log, your audit trail proving a good-faith compliance effort rather than a browsewrap afterthought. Consently also ships GDPR opt-in and CCPA opt-out templates with automatic geotargeting, so the right consent model displays by region.

A cookie banner helps reduce this specific risk. It is not a substitute for legal advice, and it does not undo a backend data sale that happens outside the browser. Start free to scan your site and see exactly what is firing before consent.

FAQs

What is a pixel lawsuit?

A pixel lawsuit is a privacy claim alleging a tracking pixel, most often the Meta Pixel, shared a visitor's activity without valid consent. These suits typically rely on CIPA, the VPPA, or federal wiretapping law.

Is website tracking legal?

Website tracking is legal when the visitor gives affirmative prior consent. It becomes a legal risk when a tracker captures or shares data before that consent. Plaintiffs then frame the capture as illegal interception under statutes like CIPA, the Wiretap Act, or the VPPA.

Can a small business really be sued over website tracking?

Yes. Serial plaintiffs specifically target small and family-owned businesses, since they are less likely to fight a demand letter in court. A small ecommerce store, for example, received a $25,000 CIPA demand after pixels fired before its consent banner loaded.

Can I be sued under CIPA if my business is not in California?

Yes. CIPA reaches any business whose website has California visitors, regardless of where the company is headquartered. National companies with no special California presence, including Crypto.com and Capital One, have faced these claims.

Does a cookie consent banner protect me from these lawsuits?

Only if it actually blocks trackers before they fire and logs the visitor's choice. A banner that loads after pixels have already fired offers no defense, since 2026 rulings like Garcia v. AEG turn specifically on trackers activating before the consent opportunity existed.

What is a serial plaintiff or "tester" in these cases?

A serial plaintiff, or "tester," is an individual who files many near-identical demand letters or lawsuits against different websites. Per-violation statutory damages make that volume profitable even at modest settlement amounts.

How much can a website tracking lawsuit cost?

Statutory damages run up to $5,000 per CIPA violation and $2,500 per VPPA violation, which can reach millions in a class action. Most small businesses instead face a demand letter in the $15,000-to-$40,000 range.

Are these lawsuits only about the Meta Pixel?

No. Any third-party tracker can trigger a claim, including Google's tags, session-replay tools, chat widgets, and analytics scripts. Meta Pixel suits are the largest cluster, but the underlying theory applies to any pre-consent tracker.

What should I do if I get a demand letter?

Do not ignore it. Get counsel promptly and audit your site's trackers immediately to confirm or rule out the alleged violation. Preserve your consent logs as evidence of your compliance posture.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.