What Brands Should Know About a Growing Number of Data Privacy Lawsuits Linked to Google Analytics & Meta Tracking

I’m happy to be the bearer of the super fun news that more and more businesses (large and small alike) are getting demand letters from aggressive plaintiff firms for wiretapping & older data privacy laws, such as CIPA.

Recently, lawsuits have been filed trying to apply language from these older privacy laws to the modern digital era, alleging that tracking users via third-party tools on websites can violate those statutes.

The lawsuits generally allege that tracking tools such as Google Analytics, Google Ads, Meta tracking, session replay tools, and others collect user information without sufficient notice or consent, especially when data is transmitted to a third party.

The gist: If your website fires tracking (like Google Analytics or the Meta pixel) before a user opts in or out on your cookie banner, you might be at risk. 

Yes, this is how a lot of websites operate and…. 

No, you don’t have to be physically in the state of California or one of these states with data privacy and wiretapping laws to be at risk.    

So we went on a fun deep dive for you into what is going on and your options.

Also, I want to give a shoutout to a good friend of mine, Victor Huynh (owner of a B2B Digital Marketing Agency that focuses on industrial manufacturers in California), who helped answer a lot of my preliminary questions about this topic. 

Please note: We aren’t a law firm, and none of this should be construed as legal advice. This is our practical POV based on what we’re seeing in the market and in recent case activity, but your legal team should weigh in on what makes sense for your business. 

Tl;dr – Executive Summary

Sorry to create anxiety you didn’t need but… A lot of businesses are getting hit with these lawsuits and demand letters right now. Almost every agency we know (which is a lot) has at least 1 client who has gotten one of these.

Case law/precedent – Appears to be unsettled and is still developing at both state and federal levels. There are a few appellate and federal cases that could help clear up some of the confusion, but at the moment, we still have more confusion than clarity. And while that uncertainty may help shape future defenses, it does not stop companies from being sued now under CIPA and related privacy theories.

Solution – Not necessarily straightforward; you’ve got to make the right decision for you based on your legal team, your company, and your risk tolerance for stuff like this. Below, we’ve laid out some of the common paths we’ve seen so far.

How big a risk? With statutory damages often capped at $5,000 per violation, this can add up quickly. Plaintiffs often argue they do not need to prove traditional financial harm, but standing, damages, and how courts count “violations” are still being fought over.

What Is CIPA?

CIPA is the California Invasion of Privacy Act. Enacted in 1967 to address wiretapping and other privacy-related conduct, the law helped make California an “all-party consent” state in a number of communications contexts. Naturally, when the law was enacted, its primary goal was to protect privacy in conversations and communications, not modern website analytics.

That being said, California isn’t alone in having laws designed to protect against the tracking or recording of information without consent, as Florida, Massachusetts, and Pennsylvania have similar laws in place in some contexts. In other cases across the country, the Electronic Communications Privacy Act (ECPA) is also being used at the federal level in website-tracking litigation.

How Many of these cases are there?

It’s hard to quantify how many demand letters have actually been sent, but here’s a stab at scoping this:

More than 5,000 wiretapping-related lawsuits have been filed, and plaintiffs likely send 10-15 pre-litigation demand letters for every lawsuit. So that would mean 50,000+ demand letters have likely been sent. (source)

Businesses have already paid more than half a billion dollars to settle lawsuits over these cookie issues. (source)

A law firm that specializes in helping companies defend against these cases has some helpful graphics showing where the majority of these lawsuits are originating from + what industries they are targeting. 

States Where These Are Being Filed 

Cases by Industry Group:

For the most up-to-date versions of these graphics & data, visit https://www.fisherphillips.com/en/resources-and-innovation/trackers-and-maps/wiretapping-litigation-map 

What You Need to Know About How Courts Have Ruled

While much of this is still not firmly decided as these cases work through the courts and appeals, here are some key learnings based on how courts have ruled so far and how brands are reacting to that risk.

An explicit consent structure should be strongly considered, where users are told what kinds of tracking are happening and can make a real choice.

Many brands are choosing not to fire non-essential tracking until a user gives consent, especially as courts continue to scrutinize what happens before banner interaction.

Implied consent and bare-bones opt-out approaches have been getting a lot more scrutiny, especially when the banner or privacy policy doesn’t align with the actual tracking behavior.

Privacy policies and terms & conditions still matter, but on their own, they may not be enough if they don’t accurately reflect what is happening with your data collection tools.

First-party data collection may improve the factual setup in some cases, but it is still not a guaranteed solution.

Make your cookie banner clear, visible, and hard to miss. 

Make sure your consent tool actually enforces the choice the user makes.

Biggest Questions You Might Be Asking

I’ve gotten a demand letter from a lawyer saying they might sue for CIPA violations… is that real or a scam?

Ugh. Unfortunately, there’s a chance it’s real, and different companies are dealing with it differently. If you get one of these, talking to a lawyer is likely a step you’ll want to take. If you don’t have a lawyer, feel free to reach out to ours: whitcomblawpc.com

I haven’t gotten a weird lawsuit in my inbox. Do I need to worry?

It’s hard to tell, BUT large and small businesses alike seem to be targeted in these lawsuits.  It appears many industries are being targeted, but one of the biggest appears to be retail websites (source). 

Ok…so shouldn’t we just get compliant so we can avoid aggressive plaintiff firms for now?

Potentially, unless someone has already recorded the issue before those changes are made. Also, getting “squeaky” clean might mean losing a substantial amount of tracking data, which may or may not outweigh the financial risk for your organization.

What, realistically, are our options as it relates to data tracking going forward?

Here’s the gamut of stuff we’ve seen so far; some companies are also doing a mix of a few of these:

Take a more conservative approach to tracking by updating your terms, privacy disclosures, and consent setup, and by holding back non-essential tracking until a user opts in.

Use a tool like Termly to set up different tracking conditions and rules based on where a user is coming from, especially in states with stricter privacy laws. The trick here is keeping up with state laws, court rulings, and platform behavior as they continue to change.

Set up a first-party tracking tool on a server you own, so that it’s technically first-party instead of third-party data. Just note that this may improve the factual setup, but it is not a guaranteed shield from privacy claims.

Delete all tracking from your website to minimize this risk.

Do nothing, wait for case law to become more settled, and hope you don’t get one of these lawsuits in your inbox.

So, What Should You Do? 

Since this isn’t 100% settled, it will be up to each brand or business to decide appropriate next steps as this continues to evolve. We strongly encourage you to consider getting legal input on your specific risk and next steps.

Here are a few good potential next steps:

If you don’t already have one, implement a consent banner on-site.

Ensure your privacy policy & terms and conditions pages are up to date. 

Evaluate and inventory all third-party tracking currently in place.

If you want to reduce your potential risk, consider setting non-essential tracking to fire only AFTER the user gives consent.

Work to remove any sensitive information from collected data, such as names or PII, in URLs for form fills. Some courts have been more skeptical of claims in which no sensitive data was transmitted, but the issue remains debated and highly fact-specific.

Consider first-party tracking tools, but see this as a possible risk-reduction step, not a guaranteed legal solution.

About the Author

Leave a Reply

Your email address will not be published.

You may also like these