Web Trackers Pose New Regulatory, Legal Headaches for Companies

Oct. 23, 2024, 8:30 AM UTC

Perhaps no use case better exemplifies the rapidly evolving privacy law landscape in the US than the legal framework surrounding companies’ use of cookies, pixels, and other web trackers.

Gone are the days when marketing and business teams could unilaterally decide to use web trackers on their online platforms without input from legal departments. The potential litigation risk should give all companies a reason to pause and closely evaluate their website tracking practices.

It’s not just that companies must pay attention to newer state privacy laws that directly regulate the use of such technologies through broad definitions of personal data and opt-out obligations related to “sales” and “targeted advertising.” They also need to account for a renewed interest from the Federal Trade Commission in this area that is indirectly leading to new substantive privacy requirements through a recent emphasis on recognizing “unfair” privacy practices.

Regulated industries—such as those that fall under the purview of the Health Insurance Portability and Accountability Act—also must evaluate how the deployment of these web tools may implicate the specific rules they need to follow. On top of that, state attorneys general are taking an interest in this topic, self-regulatory guidelines still apply, and industry leaders can drastically change how the technology itself operates.

These developments are creating challenges for the industry. Even if companies do everything right in terms of complying with regulatory obligations, they may find themselves at the receiving end of a lawsuit alleging their use of web trackers violates state privacy laws.

These lawsuits often rely on the California Invasion of Privacy Act and other state wiretapping laws, alleging companies are violating these laws by impermissibly recording consumers’ activity through their use of pixels and other web trackers without appropriate consent.

While these laws weren’t necessarily intended to apply in this context, plaintiffs have had some success with these theories of liability. A recent ruling from the US District Court for the Southern District of California denied Kohl’s Inc.’s motion to dismiss the CIPA claims filed against it, holding that the plaintiff plausibly pleaded its allegation against the retail company.

The accusations centered on Kohl’s’ installation of a third-party cookie on its website, which allegedly allowed the third party to “eavesdrop” and “intercept” in real time the chats between Kohl’s’ website users and its customer service representatives without the consent of the plaintiff.

In Moody v. C2 Educational Systems, the US District Court for the Central District of California found C2’s use of TikTok software, which collects user data and matches it with data already acquired and accumulated by TikTok in a process known as “fingerprinting,” falls under CIPA’s prohibition against pen registers and trap and trace devices.

In some cases, plaintiffs have relied on the Video Privacy Protection Act to bring cases against companies that use web trackers in videos. The VPPA is a longstanding federal law from the Blockbuster video store era that prohibited the wrongful disclosure of video tape rental or sale records but is now being used by plaintiffs in the web tracker context.

A recent lawsuit against Meredith Corp. alleged the company violated the VPPA by embedding a tracking pixel on its website that contains videos, thereby disclosing online users’ personally identifiable information to the third party operating the pixel without consent.

The court ultimately dismissed the case, finding that the information collected by the pixel didn’t constitute personally identifiable information under the VPPA’s definition. But plaintiffs’ firms continue to file VPPA violation class actions.

The modest success that plaintiffs have had in these cases, and the general uptick in the volume of these cases, are driving companies to re-evaluate their web-tracker practices. In fact, the threat of litigation is, in some ways, causing companies to adopt privacy practices that go beyond their baseline regulatory compliance obligations.

For example, even though the US doesn’t have a general requirement for websites to implement a cookie banner for their use of third-party web trackers, some companies may adopt one. A cookie banner may be the best way to dissuade plaintiffs from bringing web-tracker-related lawsuits against them, under the idea that these companies meet the proper consent standard under the relevant wiretapping laws.

Companies that previously had been more passive about their use of third-party web trackers may choose to engage in data mapping exercises to understand where exactly these trackers are being utilized and what benefit, if any, they’re deriving from them.

They ultimately may decide to continue using them and assume the cost associated with potential litigation. But this is a decision-making process that companies should proactively consider, instead of waiting for a lawsuit to engage in this cost-benefit analysis.

Even if company leaders have concluded that they’ve taken reasonable steps to comply with regulatory obligations in this space, or they are willing to ignore potential regulatory risk, these decisions require extra diligence and consideration given the looming threat of potential private litigation.

The cases are Esparza v. Kohl’s, Inc., 2024 BL 90124, S.D. Cal., 23-cv-01988-AJB-KSC, 3/18/24; Moody v. C2 Educ. Sys., 2024 BL 257119, C.D. Cal., 2:24-cv-04249-RGK-SK, 7/25/24; Martin v. Meredith Corp., 2023 BL 52336, S.D.N.Y., 22cv4776 (DLC), 2/17/23.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Kirk Nahra is a partner at WilmerHale and co-chairs its artificial intelligence practice and its cybersecurity and privacy practice.

Ali Jessani is a senior associate at WilmerHale focused on privacy, cybersecurity, and other regulatory risks related to data protection.

Amy Olivero is an associate at WilmerHale focused on data privacy, artificial intelligence, cybersecurity, and regulatory compliance.

Arabi Hassan contributed to this article.

To contact the editors responsible for this story: Rebecca Baker at rbaker@bloombergindustry.com; Jada Chin at jchin@bloombergindustry.com
