Data Privacy Risks: How to Prevent Costly Data Privacy Class Actions

Phil Pearce
First published May 13th, 2025
Last updated August 27th, 2025
Mitigate data privacy risks and prevent costly data privacy class actions with guidance on pixel litigation, cookie banners, and governance.

Dealing with data privacy risks should be a top priority for businesses. But with the number of tracking lawsuits on the rise, many organisations need to rethink their approach. In this article, we’ll explore the steps you can take to avoid data privacy class actions.

Before we jump into that, note that most of the insights in this article are drawn from Jodi Daniels’ session at Privacy4Marketers. Watch her talk to learn actionable tips on protecting your business from data privacy class action lawsuits:

Overview: Digital pixel lawsuits in the US

Data privacy class actions have focused on companies that track users and their interactions without consent and share data with third parties.

These lawsuits focus on several key legal concepts. These include:

  • Wiretapping: Interception without consent.
  • Pen Register: Captures outgoing communications.
  • Trap and Trace: Captures incoming communications.
  • VPPA: Video Privacy Protection Act.

In a select number of states, two-party consent is also required. This means that both sides (the company and the customer) must agree before any tracking can take place.

The states that have seen the most litigation are:

  • California (CCPA & CIPA).
  • Pennsylvania (Wiretap Act).
  • Florida (Two-party consent).

CCPA data breach lawsuit due to tracking pixels

The 2018 California Consumer Privacy Act (CCPA) is a comprehensive state privacy law in the US.

We’ve recently seen the first example of a CCPA lawsuit related to the use of tracking pixels. The class action alleges that Capital One’s handling of third-party tracking tools, such as Google Analytics and Facebook’s Meta Pixel, violated the CCPA and CIPA.

Within CCPA, there is a provision that if a breach of unencrypted personal data occurs, there is a private right of action. This case is attempting to prove that Capital One’s use of pixels to capture and share unencrypted information with third parties is a data breach.

If this progresses, it’s likely the floodgates will be opened for similar data privacy class actions.

Examples of tracking technologies at issue

Several tracking technologies create data privacy risks. Some examples are listed below:

  • Targeted advertising – Collecting and using identifiable information without permission can cause compliance issues.
  • Session replay tools – Capturing personal information during a user’s session is a breach of CCPA.
  • Chatbot providers – Chatbots are powered by external companies. If information is shared with these third parties without notice, it can cause many different litigation issues.
  • Analytics trackers – Analytics tools may try to use collected data to identify users, causing compliance issues. Without the use of GA4 privacy features, you might find yourself at odds with legislation.

There are many examples of scenarios where these technologies cause issues for businesses. Retailers have been sued under CIPA, for instance, for using session replay technology. Similarly, chatbots have caused issues when live chats have been intercepted by criminals.

Data sharing from healthcare companies even attracted attention from the Federal Trade Commission (FTC). Providers would use advertising pixels that shared identifiable information about healthcare workers and their patients.

This information was collected and shared by social media partners, who would add it to the profiles they already held on those individuals. The FTC classed this as a breach of information.

The key takeaway is that no industry is secure. It’s important to address any data privacy risks before it’s too late.

What happens when a violation occurs

When a violation occurs, a company typically receives a letter from a plaintiff firm. This states a violation of one of the laws (such as CIPA) and includes a settlement amount.

But when you receive one of these letters, what should you do? We’ve listed some steps below:

  1. Contact your privacy or legal team.
  2. Work with a privacy attorney who specialises in these pixel litigation matters.
  3. Decide if settling or litigating is the preferred course of action.
  4. Determine your mitigation measures for future claims.

How companies can manage the risk

To avoid data privacy class actions, it’s important to follow some risk management strategies. Aim to have the least amount of trackers on your site possible. The more you have, the greater the data privacy risk.

Alongside this, follow the risk management strategies listed below:

  • Obtain Explicit Consent (cookie banners, opt-ins).
  • Vendor Management (audit third parties).
  • Transparent Disclosures (update privacy policies).
  • Ongoing Monitoring (review technologies regularly).

Are cookie banners required?

In the EU/UK, cookie banners are required. Legislation such as GDPR obligates you to gather a user’s consent before gathering data.

Things aren’t as simple in the US, where there is no law requiring opt-in consent for non-sensitive information. State privacy laws don’t require users to opt in (except for sensitive data, precise geolocation, or kids’ data). While you do need to offer users an opt-out, you don’t need to offer a cookie banner.

Comparison of cookie banner requirements in the US vs EU/UK

How should you handle pixel litigation?

It depends on who you ask. Legal professionals give different answers based on their view of risk, their comfort with risk, and the business involved. Some of these answers include:

  • Introduce a GDPR style opt-in to gather explicit consent.
  • Provide a notice with the ability to manage cookies/pixels.
  • Balance the risk of a claim/litigation with revenue lost from restricted data collection.

Build a cookie consent team

If you go down the route of using cookie consent banners and software, how can you manage pixels and digital trackers effectively? One of the first steps should be building a cookie consent team.

Handling the cookie consent process is much easier with the right knowledge and know-how. Build a team filled with privacy and legal professionals, marketing teams, and employees with other relevant skills.

Make sure the team is involved as pixels change and new websites come on board, so that everything is properly categorised.

Visualisation of the teams that are responsible for handling cookie consent

The cookie banner dos and don’ts

There are some crucial steps to take when setting up your cookie banner. Equally, there are some common mistakes that can cause issues. Let’s explore the dos and don’ts of managing a cookie banner.

Dos

Clear explanation of the types of cookies being used

It’s not enough to simply inform users that you use cookies. Instead, you need to carefully list all the cookies used by category and function. Choose a privacy-compliant consent management platform (CMP) to do so.

Consider the mobile experience

Mobile users must be able to read your privacy policy in the same way as desktop users. Consider how you can provide the best user experience possible. Avoid unnecessary clutter and ensure page elements are properly optimised for mobile users.

Explain all the consent options available

Users must be able to accept, reject, and manage consent. The overall rule of thumb is one click to opt in and one click to opt out. It’s harder to remain compliant if the ability to manage settings is tricky.

Don’ts

Using dark patterns

A dark pattern is when a website is structured to exploit users into behaving in a certain way. A common example is using a darker ‘accept’ button on your cookie banner to encourage users to click.

Other examples include:

  • Different size fonts (bigger text for ideal choice).
  • Using border boxes around preferred text.
  • Unequal options (accept as a button, reject as a link).
  • Banners that continue to prompt until a user accepts.

To avoid data privacy class actions, make sure you avoid these tactics. Use the same fonts and colours for every option and keep designs symmetrical. Provide training in data privacy for marketers and dev teams so that they can identify dark patterns more easily.

Blocking the homepage/forcing users to accept

If you force users to accept cookies to access your site, it becomes difficult to argue that consent is ‘freely given.’ Offer users a clear choice.

Not re-prompting your banner regularly

Users’ preferences change over time. Make sure to give users the option of updating their preferences regularly.

Test your banner regularly

Testing is essential for making sure your consent banner is working as it should be. Can users reject rather than simply opt out of cookies? Is everything working correctly, or did something break? Answering these questions is essential for avoiding data privacy risks.

Remember, under CCPA, users can apply a ‘Global Privacy Control’ (GPC). This is a browser setting that notifies a website of a user’s privacy preference. Your website must listen for this signal and adjust its data collection appropriately.
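The following is an added example (not code from the article or from Red Clover Advisors) of gating trackers on both stored consent and the GPC signal. It assumes a consent cookie of the constructed form `consent=analytics:1,ads:0`; the GPC signal itself is real and arrives as the `Sec-GPC: 1` request header or as `navigator.globalPrivacyControl` in page scripts.

```javascript
// Decide which tracker categories may fire for a visitor, honouring the
// Global Privacy Control (GPC) signal alongside the visitor's stored choices.
// Added example, not the article's code. The "consent" cookie format below
// is a constructed assumption used only for illustration.

const CATEGORIES = ["necessary", "analytics", "ads"];

// Parse the hypothetical consent cookie into e.g. { analytics: true, ads: false }.
function parseConsent(cookieHeader) {
  const prefs = {};
  if (!cookieHeader) return prefs;
  for (const part of cookieHeader.split(";")) {
    const [name, value] = part.trim().split("=");
    if (name !== "consent" || !value) continue;
    for (const pair of value.split(",")) {
      const [category, flag] = pair.split(":");
      if (CATEGORIES.includes(category)) prefs[category] = flag === "1";
    }
  }
  return prefs;
}

// GPC is sent by the browser as the request header "Sec-GPC: 1" and is
// exposed to page scripts as navigator.globalPrivacyControl === true.
// Header names are looked up lowercase, as Node's http module delivers them.
function gpcEnabled({ headers = {}, navigator = {} } = {}) {
  return headers["sec-gpc"] === "1" || navigator.globalPrivacyControl === true;
}

// Return the tracker categories allowed to load. Necessary cookies always
// load. GPC is treated here as an opt-out of every non-necessary category
// (an assumption for this example), so it overrides a stored "accept";
// otherwise each category follows the visitor's explicit choice.
function allowedTrackers(request) {
  const prefs = parseConsent(request.headers && request.headers.cookie);
  if (gpcEnabled(request)) return ["necessary"];
  const allowed = ["necessary"];
  for (const category of ["analytics", "ads"]) {
    if (prefs[category] === true) allowed.push(category);
  }
  return allowed;
}

// Constructed sample request: visitor accepted everything, but GPC is on.
const sampleRequest = {
  headers: { cookie: "theme=dark; consent=analytics:1,ads:1", "sec-gpc": "1" },
};
console.log(allowedTrackers(sampleRequest)); // [ 'necessary' ]
```

Wire the returned list into whatever loads your tags (for example, a tag manager trigger per category) so that nothing outside it ever fires, and include a GPC-on request in your regular banner tests.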

Steps to test the functionality of a cookie banner

Pixel/cookie governance roadmap

To manage data privacy class actions, you need a cookie governance roadmap. Consider the following areas:

  • Knowing the laws that apply to your business.
  • Categorising cookies/pixels in your set-up.
  • Creating a cookie/pixel governance program.
  • Implementing cookie consent software.
  • Performing a tracker audit to make sure pixels are firing as they should.
  • Reviewing privacy and cookie notices to ensure they’re up-to-date.
  • Training your team on all the parts of your cookie program.
  • Making sure your cookie program adapts alongside legislation.

Five-step plan for managing cookies

Wrapping up

Data privacy risks aren’t going away; pixel lawsuits, privacy laws, and enforcement will continue. Stay on top of the news and make sure you have a comprehensive cookie governance plan in place.

Check out our blog post if you’d like to learn more about how privacy laws differ globally.

Jodi Daniels

Jodi Daniels is the founder and CEO of Red Clover Advisors, a privacy consultancy that streamlines compliance and builds customer trust. She’s a national keynote speaker, co-host of the She Said Privacy / He Said Security Podcast, and co-author of the Wall Street Journal and USA Today bestseller Data Reimagined: Building Trust One Byte at a Time.
