As websites continue to implement data collection and tracking technologies on visitors, data privacy litigation has surged by 52.27%. In 2023, the top ten privacy settlements totaled $1.32 billion, jumping to $2.01 billion in 2024. Lawsuits focus on the unauthorized collection of private digital data by website owners, including financial details, health information, browsing activity, location data, and personal communications.
This occurs when website operators integrate third-party tracking technologies, including cookies and pixels, to collect vast amounts of user data, like browsing behavior, interests, and interactions across websites. Specifically, cookies store small data files in your browser while pixels transmit information when a page loads.
Together, these trackers create a digital fingerprint that allows companies to track and re-identify users across platforms. With this data, companies implement targeted advertising, content recommendations, and algorithmic personalization, shaping the way users experience the internet.
Wiretap claims are on the rise
As companies intercept and transmit user interactions, such as clicks, searches, and messages, courts have increasingly viewed these practices as potential wiretap violations.
In fact, wiretap litigation has become one of the fastest-growing areas of privacy law, with over 1,560 lawsuits filed across 28 states since 2022. California’s stringent privacy laws and strict consent requirements have driven 83% of these cases under the California Invasion of Privacy Act (CIPA) § 631(a).
Under CIPA § 631(a), intercepting or accessing electronic communications without authorization is prohibited. The law explicitly prohibits tapping, reading, or attempting to obtain the contents of a message without the consent of all parties involved. Additionally, it forbids the use or distribution of unlawfully acquired data and holds companies accountable for facilitating or participating in such practices.
What’s fueling the rise in wiretap litigation?
The increase in wiretap cases can be traced to the Ninth Circuit’s ruling in Javier v. Assurance IQ, LLC (May 31, 2022). In this case, Florentino Javier sued Assurance IQ, LLC and ActiveProspect, Inc. under CIPA § 631(a), alleging that when he visited Assurance’s website to obtain an insurance quote, his interactions were intercepted and recorded without his prior consent using third-party tracking software called TrustedForm.
The Ninth Circuit ruled in favor of Javier, stating that companies must obtain prior consent before intercepting user communications and cannot justify tracking retroactively through buried privacy policies.
With Javier as precedent, plaintiffs’ attorneys have been able to challenge increasingly common digital surveillance practices, making wiretap litigation one of the most pressing privacy risks at the moment.
This might interest you: Fisher Phillip’s digital wiretapping litigation map displays a full view of digital privacy litigation filed across all 50 st ates alleging a privacy claim involving the use of digital tracking technologies.
Suing third-party tracking providers: a growing trend
While wiretap cases have traditionally been focusing on website operators, there has been a growing trend of lawsuits targeting third-party tracking providers, instead.
In February 2024, Facebook was ordered to pay a $90 million settlement in In Re Facebook Internet Tracking Litigation, Case Nos. 22-16903 & 22-16904 (9th Cir. Feb. 21, 2024), which may partially explain why this trend has gained momentum.
In this case, Facebook was found liable for using cookies to track the internet activity of logged-out social network users who visited third party websites containing Facebook “Like” button plugins.
So why are litigators shifting to suing tracking providers instead of website operators? There are 3 key advantages:
- Established precedent: Cases like In Re Facebook Internet Tracking Litigation have already set a foundation, making it easier to argue liability for companies engaged in unauthorized tracking.
- Deep pockets & higher collectibility: Tech giants like Google and Facebook have the financial resources to pay significant settlements, making them more attractive defendants.
- Massive class sizes: These cases often involve millions of users, dramatically increasing potential payouts and making them highly lucrative for firms pursuing class action litigation.
Four case examples
As wiretap litigation gains momentum, several cases from 2024 illustrate how courts are handling claims against third-party tracking providers.
Here are four examples:
Doe, et al. v. Hey Favor Inc. (N.D. Cal. Jan. 17, 2024)
Plaintiffs sued Meta and TikTok, alleging that their tracking technologies embedded in Hey Favor’s website and app unlawfully collected sensitive health information without user consent.
Additionally, the lawsuit named Meta, TikTok, and FullStory, a web analytics company, which plaintiffs claimed played a role in capturing and processing user data. In January 2024, the court dismissed the claims against FullStory for lack of personal jurisdiction, citing insufficient evidence linking the company to harm suffered by California users, but granted plaintiffs the opportunity to amend their complaint.
By July 2024, after plaintiffs presented additional evidence of FullStory’s California connections and data practices, the court denied FullStory’s motion to dismiss, allowing the case to proceed. Additionally, Meta and TikTok failed to establish that users had consented to the data collection, so the case against them was allowed to proceed.
Smith, et al. v. Google, LLC (N.D. Cal. June 3, 2024)
Plaintiffs claimed Google Analytics and Google Tag were used to collect sensitive financial data from tax preparation platforms like H&R Block, TaxAct, and TaxSlayer, violating federal and state privacy laws. They alleged that Google’s tracking tools intercepted personal financial details, including income levels, deductions, and tax return information, without users' knowledge or consent.
Google argued that users had consented through the tax platforms' privacy policies, but the court rejected this defense, ruling that there was no clear evidence of informed consent specific to the transmission of tax data. The court also emphasized that Google could still be held liable under CIPA § 631, regardless of its role as a third-party vendor, because the law does not exempt service providers from wiretap violations.
Given the plausible allegations of surreptitious data collection, the court allowed the case to proceed.
Doe, et al. v. Google LLC (S.D. Cal. July 22, 2024)
Plaintiffs accused Google of unlawfully tracking and monetizing private health data collected through its tracking tools on healthcare provider websites. They alleged that embedded code linked to Google Analytics, Google Ads, and Google Display Ads intercepted patient communications and redirected sensitive health information to Google’s servers for advertising purposes.
However, the court dismissed the case, ruling that plaintiffs failed to provide concrete evidence that Google intentionally intercepted private health information. The judge noted that just because Google’s tracking tools were present on a website did not necessarily mean they were collecting or misusing sensitive data.
Additionally, the plaintiffs’ claims relied on hypothetical scenarios rather than direct evidence of how private health information was intercepted and used. Without clear proof of intent or harm, the case was thrown out entirely.
Griffith, et al. v. TikTok, Inc. (C.D. Cal. Sept. 9, 2024)
In one of the first 2024 class certification rulings in an adtech case, plaintiffs sued TikTok and Bytedance, alleging that their tracking pixel collected data from non-TikTok users on third-party websites, violating federal and state privacy laws. The lawsuit challenged TikTok’s ability to monitor and record user activity across external sites without explicit consent.
The court denied class certification, ruling that plaintiffs failed to show commonality and typicality under Rule 23. It found that privacy expectations and data collection varied widely across different websites and users, making a class-wide determination difficult. Additionally, the court noted that because each website implemented TikTok’s tracking tools differently, the level of intrusion and potential harm would need to be assessed individually rather than through a uniform legal standard.
Key takeaways for plaintiffs attorneys
To maximize the chances of class certification, attorneys should focus on defining a distinct class with clear parameters.
Recent rulings have shown that overly broad classes, such as "all Facebook users in the US,” often face certification challenges. Instead, narrowing the class to users of specific websites where tracking technology is implemented helps avoid procedural issues and strengthens the case.
This trend toward targeting third-party tracking companies presents new opportunities for plaintiffs’ attorneys. As courts increasingly scrutinize digital surveillance practices, the ability to pinpoint specific violations and affected user groups has become crucial.
Darrow’s advanced AI-powered Legal Intelligence Platform allows our Legal Intelligence team to conduct thorough wiretap investigations that identify the precise websites where tracking occurs, the specific trackers involved, the content being shared, and the associated identifiers. This ensures that all wiretap cases we uncover include the specific user groups that are affected, allowing us to find the most qualified plaintiffs for the case.
Additionally, we can assess user consent to tracking, including the implementation and acceptance of cookie banners or a website’s privacy policy. This targeted approach not only minimizes the procedural challenges associated with broad class definitions but also strengthens the evidentiary foundation of the case.
Partner with Darrow on your next data privacy case.
This might interest you:
Partner with Darrow to grow your practice
