Year in Review: 2024 Web Tracking Litigation and Enforcement

Blog WilmerHale Privacy and Cybersecurity Law

In 2024, plaintiffs across the United States filed various class action cases related to web tracking technology employed by companies to enhance user experience on their websites and to improve the efficacy of their advertising. Tools like pixel systems on websites and in emails, chatbots, and session replay are used by companies to collect and analyze user activity and to tailor the digital experience to the user. Plaintiffs, however, have challenged these practices under myriad legal theories on the grounds that the collection of this data, shared with third parties, is nonconsensual and an illegal breach of user privacy. Increasingly, these cases are brought in different jurisdictions, whereas previously they were concentrated in California to take advantage of various wiretapping and anti-hacking statutes in the state. Some of these cases have made it past the motion to dismiss stage of litigation, but whether these cases will be successful still remains to be seen, as many cases have proceeded to settlement or arbitration or remain in discovery.

Companies use various web tracking systems to collect consumer data and optimize user experience on their websites. Pixel systems and session replay software are common web tracking devices at issue in these lawsuits. A pixel is an invisible snippet of code embedded in a website that tracks user activity. Session replay software records user interaction with a website and creates a reproduction of the user experience for the website host. A newer topic at issue in lawsuits this year is email pixel tracking, also known as “spy pixels.” Email tracking pixels are similar to web pixels but are embedded in emails rather than websites. These tracking systems can record data such as clicks, pages visited, keystrokes, scrolls, and information entered into forms. Also, trackers may collect user-specific data, such as IP addresses, location, operating system, or browser type, typically used for targeted advertising. These tracking systems are often developed by third-party vendors and sold or provided to companies for installation on their websites. In addition to those web tracking tools, companies are increasingly offering chatbots to users to help personalize their experiences. A chatbot is a computer program installed on websites that simulates human conversation with users, often for customer service purposes. These technologies have been used routinely by companies in virtually all industries to improve how the websites function and assist users in utilizing the sites.

The cases implicating these web tools raise a variety of legal theories and claims, including state law claims in a variety of jurisdictions. Common law claims recurring in web tracking lawsuits include the California Consumer Privacy Act (CCPA); state wiretapping laws, such as the California Invasion of Privacy Act (CIPA), the Massachusetts Wiretap Act, and Arizona’s Telephone, Utility and Communications Service Records Act (TUCSRA); and anti-hacking laws, like the California Computer Data Access and Fraud Act (CDAFA). In 2024, courts have been particularly receptive to web tracking challenges brought under CIPA, but less receptive to the newer theories raised under TUCSRA. But that does not mean that other creative theories raised under different state privacy and wiretapping laws are not on the horizon in 2025.

In the remainder of this post, we provide an overview of the specific state laws that plaintiffs use to bring lawsuits against companies that utilize these kinds of web tools as well as some of the developments in the biggest cases on this topic in 2024. We are happy to answer any questions you may have about this trend.

I.  Statutes Involved in Web Tracking Class Action Litigation

a.  Privacy Statutes

California Consumer Privacy Act: The California Consumer Privacy Act (CCPA), enacted in 2018, creates a cause of action for: “Any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information ….” Cal. Civ. Code § 1798.150. The CCPA imposes certain duties and responsibilities on businesses collecting sensitive personal information. See id. §§ 1798.100, 1798.135. In 2024, the definition of “sensitive personal information” in the CCPA was amended to include “consumers’ neural data” and to specify that “personal information” can exist in various formats, such as “abstract digital” formats. These amendments, enacted through A.B. 1008 and S.B. 1223, went into effect on January 1, 2025.

Colorado Privacy Act: The Colorado Privacy Act (CPA) went into effect in July 2023, and you can see our previous coverage on the law here. The law provides Colorado consumers with the right to opt out of “the processing of personal data … for the purposes of: (A) [t]argeted advertising; (B) [t]he sale of personal data; or (C) [p]rofiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.” C.R.S.A. § 6-1-1306(1)(a). Beginning on July 1, 2024, organizations that fall under the CPA became required to allow consumers to opt out of the sale and use of personal data using a “universal opt-out mechanism” (UOOM). Similar UOOMs either are being contemplated or will be effective in 2025 or 2026 in Connecticut, Texas, Delaware, Montana, and Oregon.

b.  State Wiretapping Laws

California Invasion of Privacy Act: Plaintiffs challenging web tracking practices this year have included claims under Sections 631 and 632 of the California Invasion of Privacy Act (CIPA). In order to receive damages under CIPA, a plaintiff must show that there was a violation of the privacy rights provided under the statute. No other separate showing of injury is required, and CIPA provides $5,000 of statutory damages for each violation of the statute. CIPA’s Section 631 punishes any person who (1) “intentionally taps, or makes an unauthorized connection” mechanically with any “telephone or telephone wire, line, cable, or instrument,” Cal. Penal Code § 631(a)(1); (2) willfully and without consent “reads, or attempts to read, or to learn the contents of” any intentionally tapped message, id. § 631(a)(2); (3) “uses, or attempts to use … any information so obtained,” id. § 631(a)(3); or, as relevant to the cases described below, (4) “aids, agrees with, employs, or conspires with any person … to unlawfully do … any of the acts or things mentioned above,” id. § 631(a)(4).

Massachusetts’ 1968 Wiretap Act: The Massachusetts Wiretap Act of 1968 makes it a crime to “willfully commit[] . . . an interception[] . . . of any wire or oral communication,” Mass. Gen. Laws ch. 272, § 99(c)(1). The Act defines a “wire communication” as “any communication made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception,” id. § 99(b)(1). This Act, like the wiretap statutes in some other states, like California, Maryland, and Washington, D.C., includes both civil and criminal penalties. This feature of certain wiretap statutes may present particular challenges for companies defending against even innocuous allegations of web tracking.

Arizona’s Telephone, Utility, and Communications Service Records Act of 2006: The Arizona Telephone, Utility, and Communications Service Records Act of 2006 (TUCSRA) was modeled on the federal Telephone Records and Privacy Protection Act of 2006. Originally, the law prohibited the practice known as “pretexting,” where data brokers would fraudulently gain access to telephone records by posing as a customer. In 2007, Arizona expanded the Act to include public utility records and communication service records to protect these additional records from pretexting. See 2007 Ariz. Sess. Ch. 210, § 2 (H.B. 2726 (May 14, 2007)); see also A.R.S. T. 44, ch. 9, art. 20. Accordingly, the Act now prohibits “knowingly procur[ing],” among other things, “communication service record[s],” which include “subscriber information, including name, billing or installation address, length of service, payment method, telephone number, electronic account identification and associated screen names, toll bills or access logs, records of the path of an electronic communication between the point of origin and the point of delivery and the nature of the communication service provided, such as caller identification, automatic number identification, voice mail, electronic, paging or other services,” and doing so through “fraudulent, deceptive or false means.” A.R.S. §§ 44-1376, 44-1376.01.

c.  Anti-Hacking Laws

California Computer Data Access and Fraud Act: The Computer Data Access and Fraud Act (CDAFA) is also known as California’s Anti-Hacking Law. Under this statute, a person can be liable if they knowingly access a computer system or data without permission. Liability can also arise if the person uses the data to wrongfully control or obtain money, property, or data or takes or copies that data without permission.

II.  Example Cases

a.  Healthcare Litigation

2024 has seen more cases in more states against healthcare entities challenging their use of pixel technology on their websites. As we saw last year, there were multiple cases in 2024 filed in California that employed CIPA and CCPA claims to challenge the collection of user data without explicit consent. In one example, M.G. v. Therapymatch, No. 23-cv-4422, 2024 WL 4219992 (N.D. Cal. Sept. 16, 2024), a California federal district court granted in part and denied in part a motion to dismiss in a data privacy lawsuit brought by a patient challenging the use of pixel technology on the company’s patient portal website. Plaintiff alleged that the web tracker at issue intercepted his communications with defendant provider, which included the “mental health conditions he searched, the treatment he was seeking, provider preferences, and appointment details.” Id. at *1. Importantly, even though the web tracker offers owners an “opt-in Internet Protocol (IP) anonymization feature,” defendant provider did not enable that feature. Id. Plaintiff originally filed a class action that included several claims, including CIPA, CCPA, and California Medical Information Act (CMIA) claims. Id. at *2. The court permitted all but plaintiff’s CMIA claim to go forward. Id. at *8. As of January 21, 2025, a motion to dismiss plaintiff’s third amended complaint is pending.

The trend of suing healthcare entities using state wiretap laws also reached the Supreme Judicial Court of Massachusetts for the first time, in Vita v. New England Baptist Hospital, 243 N.E.3d 1185 (Mass. 2024). See Massachusetts Supreme Court Narrows Scope of State’s Wiretapping Law. In that case, plaintiff alleged that defendants New England Baptist Hospital and Beth Israel Deaconess Medical Center violated the Massachusetts Wiretap Act by employing third-party web trackers on their websites to track user browsing activity on the hospitals’ websites. According to the plaintiff, she had browsed “information available to the public on the hospitals’ websites regarding doctors … medical symptoms, conditions, and procedures” and the hospitals’ use of the software unlawfully intercepted protected “wire communications” without her consent. Id. at 1188. The Supreme Judicial Court of Massachusetts rejected plaintiff’s theory, concluding that the term “communication” in the Act was ambiguous as applied to plaintiff’s “interactions with the hospitals’ websites.” Id. at 1194. It further found that the Act’s legislative history demonstrated concerns about “a different type of surveillance,” not the web tracking that plaintiff challenged. Id. at 1195. To broaden the definition of “communication” to capture the conduct plaintiff challenged, the court opined, an amendment to the wiretap act would be required. Id. at 1204.

On the national stage, we also saw an offensive response to increasing scrutiny on healthcare providers’ use of web tracking technology in American Hospital Association v. Becerra, 2024 WL 3075864 (N.D. Tex. Jun. 20, 2024). In response to concerns about the dissemination of individually identifiable health information (“IIHI”), which triggers potential obligations under the Health Insurance Portability and Accountability Act and its implementing regulations, the Department of Health and Human Services (“HHS”) issued a guidance document that expanded the IIHI definition to cover circumstances where “an online technology connects (1) an individual’s IP address with (2) a visit to a[n unauthenticated public webpage] addressing specific health conditions or healthcare providers.” Id. at *2. The American Hospital Association (AHA), along with other hospital plaintiffs, sued HHS in 2023 seeking to enjoin the government’s enforcement of the guidance, which plaintiff said was a rule promulgated without notice and comment and unduly restricted hospitals’ ability to rely on third-party technologies used to analyze their websites and communicate health information. Just before summary judgment briefing, HHS revised its original guidance, softening its language, noting that the guidance did not have the force and effect of law, and further, “insinuate[d] that information can become IIHI if the individual’s reason for visiting an [unauthenticated public webpage] relates to their personal healthcare.” Id. at *2. In June 2024, a Texas federal district court ruled in plaintiffs’ favor, holding that the restrictions in HHS’ guidance on the use of web tracking technologies were unlawful in that the restrictions facially violated HIPAA’s “unambiguous definition of IIHI.” Id. at *11.

b.  Retail Companies

Email marketing: A smattering of class actions filed at the end of 2023 and in the first half of 2024 challenge the practice of embedding “spy pixels” in marketing emails, alleging a violation of Arizona’s TUCSRA. Two cases, each filed around the same time in Arizona federal court, raised the same claim based on similar facts against different retailer defendants. Each case was resolved before the court could rule on a motion to dismiss. In Carbajal v. Gap, Inc., plaintiff filed a class action alleging that, each time she opened an email from the Gap, the company had “procured information identifying her and disclosing when she opened and read … [the] email” without her consent. Compl. ¶¶ 17–18, Carbajal v. Gap, Inc., 24-cv-1056 (D. Ariz. May 7, 2024), ECF No. 1. According to the plaintiff, Gap’s use of email pixels violated TUCSRA’s prohibition on knowingly procuring a communications service record without consent. See id. ¶¶ 70–77 (citing A.R.S. § 44-1376.01). The case was settled before a motion to dismiss was filed. See Not. of Settlement, Carbajal v. Gap, Inc., 24-cv-1056 (D. Ariz. Nov. 29, 2024), ECF No. 22. In Dominguez v. Lowe’s, as well, plaintiff voluntarily dismissed the case after defendants filed a motion to dismiss. See Not. of Voluntary Dismissal, Dominguez v. Lowe’s, 24-cv-1030 (D. Ariz. Sept. 26, 2024), ECF No. 24.

Another case filed around the same time, however, was dismissed by the court for failure to state a claim. Entertaining yet another class action challenging retailer email pixel use, in Carbajal v. Home Depot U.S.A., Inc., the court held that TUCSRA applies to “communication service providers,” which are “businesses such as internet service providers that deliver actual communication services to subscribers, rather than retailers engaged in selling goods and services who communicate with customers by email.” 2024 WL 5118416, at *3 (D. Ariz. Dec. 16, 2024). Moreover, the court held, the statute’s use of the term “subscriber information” indicates protection for “subscribers and customers from the unauthorized procurement of their records maintained by telephone companies, public utilities, and communication service providers.” Id. at *4. As the court in Vita v. New England Hospitals did, however, the Arizona court suggested that the Arizona legislature could expand TUCSRA to cover the conduct plaintiff had alleged (although concluding that it had not yet done so). Id.

Plaintiffs also filed class actions alleging TUCSRA violations in other states to varying results. In Mills v. Saks.com LLC, plaintiff (an Arizona resident) filed a class action complaint in the Southern District of New York, justifying the venue on the grounds that defendant is domiciled in the State of New York. See Compl. ¶ 12, Mills v. Saks.com LLC, 23-cv-10638 (S.D.N.Y. Dec. 6, 2023), ECF No. 1. Defendant moved to dismiss for lack of subject matter jurisdiction and failure to state a claim. Mills v. Saks.com LLC, No. 23-cv-10638, 2025 WL 34828, at *2 (S.D.N.Y. Jan. 6, 2025). The court granted defendant’s motion, reasoning that plaintiff had failed to demonstrate concrete injury for standing purposes. Id. at *6. On the court’s read, her bids for injunctive relief and for damages attendant to defendant’s alleged (1) procedural violation, (2) “intrusion upon [plaintiff’s] seclusion,” or (3) other analogous harms failed to pass Article III muster. Id. at *3–*6. Nevertheless, the court opined on the merits, invoking the reasoning in Carbajal v. Home Depot to conclude that defendant’s use of email pixels “falls outside the scope of the Arizona Statute.” Id. at *6.

Website pixels: Claims against retailers based on other state laws this year were more successful. In Esparza v. Kohl’s, Inc., a judge in the Southern District of California granted in part and denied in part a motion to dismiss plaintiff’s class action claims under CIPA, CDAFA, and California’s common law cause of action for intrusion upon seclusion. 723 F. Supp. 3d 934 (S.D. Cal. 2024). There, plaintiff challenged the retailer’s use of third-party pixel technology in its chat feature, which plaintiff said resulted in the installation of a “persistent cookie” on every class member’s device and “de-anonymizes website visitors.” Id. at 938. While the case was ultimately settled in June 2024, the court had previously held that plaintiff’s CIPA and CDAFA claims could go forward. This case and Therapymatch seem to point to CIPA as a particularly difficult claim to challenge on a motion to dismiss.

c.  Session Replay

In another case out of the Southern District of California, session replay software took center stage. In Price v. Carnival Corporation, plaintiffs sued the cruise company over its use of third-party embedded recording software on its website, which plaintiffs said collected “information about the user’s system, including their device, browser, operating system, and location, as well as all mouse movements, clicks, scrolls, zooms, window resizes, keystrokes, text entry …, and numerous other forms of a user’s navigation and interaction through the website.” 712 F. Supp. 3d 1347, 1353 (S.D. Cal. 2024). Plaintiffs raised claims under the Federal Wiretap Act, the federal Computer Fraud and Abuse Act (CFAA), CIPA, the Maryland Wiretapping and Electronic Surveillance Act, the Massachusetts Wiretap Act, and the Pennsylvania Wiretapping and Electronic Surveillance Control Act, as well as claims under each aforementioned state’s common-law prohibitions on invasion of privacy. Id. at 1354. Defendant moved to dismiss, and the court granted in part and denied in part. Id. at 1364. The claims under the Federal Wiretap Act and each state analogue and the invasion of privacy claims went forward. Id. at 1361, 1363. The CFAA claim was dismissed, but with leave to amend “to the extent that Plaintiffs may do so in good faith.” Id. at 1364. This is not the only session replay case we saw dismissed this year that involved claims based on a variety of statutes across different jurisdictions. [1]

[1] See, e.g., In re TikTok, Inc., In-App Browser Privacy Litig., MDL No. 2948-A, 2024 WL 4367849 (N.D. Ill. Oct. 1, 2024) (including claims under the Federal Wiretap Act, CIPA, and California’s Unfair Competition Law (UCL), as well as wiretapping and eavesdropping statutes in Florida, Illinois, and Pennsylvania); In re: BPS Direct, LLC and Cabela’s LLC, Wiretapping, 702 F. Supp. 3d 333, 345 (E.D. Pa. 2023) (listing plaintiffs’ allegations that defendants had violated the Federal Wiretap Act, CFAA, CIPA, California Statutory Larceny, UCL, and various state wiretapping statutes from Maryland, Massachusetts, Missouri, and Pennsylvania).

 
