7 Recent CIPA Court Decisions — What They Mean for Your Website
CIPA litigation is still accelerating. Hundreds of lawsuits have been filed in the last year alone — and courts are issuing decisions at a pace that makes it genuinely hard to keep up. We analyse the seven most significant decisions from April–May 2026, pulled from public court records and legal reporting, written for website owners not lawyers.
The Landscape Right Now
CIPA litigation targeting website tracking is not slowing down. Plaintiff law firms have filed claims by the hundreds — some estimates put total CIPA demand letters and complaints at over 50,000 since 2022 — and courts across federal and California state courts continue to issue decisions at a pace that would require a full-time legal team to monitor. We are not a law firm, and this is not legal advice. What we are is a team that tracks these cases specifically because every decision teaches website operators something concrete about what puts them at risk.
The seven decisions covered in this issue were all handed down between April 20 and May 22, 2026. They involve industries ranging from hair restoration and streaming media to entertainment venues, financial services, and healthcare. Taken together, they show that the legal landscape is genuinely mixed — but the single most consistent variable separating winners from losers is not industry, not company size, and not which law firm they hired. It is whether tracking started before the consent banner rendered.
The Good: Two Clean Dismissals
Both dismissals in this batch share a common thread — they succeeded because the defendant had either meaningful consent infrastructure or because the plaintiff could not establish concrete harm. Both offer practical blueprints.
This is the cleanest defence win in the batch — dismissed with prejudice, meaning the plaintiff cannot refile. Two independent grounds each would have been sufficient on their own, which is what made this result so decisive.
Ground one — standing: The data collected through third-party tracking pixels — browsing behaviour, device identifiers, general usage patterns, and the fact the plaintiff scheduled a hair transplantation consultation — was not sufficiently sensitive to constitute a concrete privacy injury under Article III. The court drew a sharp line: the mere fact that a pixel transmitted data to a social media platform does not equal harm. The plaintiff also could not show monetary loss because he had never attempted to sell the allegedly disclosed information.
Ground two — consent: Bosley had a properly structured sign-in agreement requiring users to affirmatively accept terms of service before accessing the site. Those terms disclosed and covered the tracking at issue. The plaintiff had accepted before any of the tracking occurred. This gave the court two completely independent reasons to dismiss — a much stronger position than relying on consent alone or standing alone.
On the ECPA claim, the court found the crime-tort exception did not apply because the plaintiff could not plausibly establish that health data had been disclosed in violation of HIPAA.
Two layers of protection are significantly better than one. A site with a properly functioning consent mechanism that requires affirmative acceptance before tracking starts — and that discloses the tracking clearly in terms the visitor accepted — is in a dramatically stronger position than one relying solely on arguing that browsing data is not sensitive enough to cause harm. Both arguments are available to you. Use both.
The Pluto TV ruling is notable less for its outcome — dismissed — than for the detailed standing framework the court laid out, which is becoming increasingly influential in similar cases.
The court drew a sharp distinction between tracking data that is genuinely sensitive (medical information, financial data, highly personal communications) and the routine behavioural metadata that ad-targeting pixels typically collect on a free streaming platform. Vague allegations that pixels collected "personal information" were not enough. Plaintiffs must identify specific, sensitive data that was actually disclosed to establish a concrete injury.
For a free streaming service where visitors browse content without logging in or entering personal details, the court found the standing bar was not met. This reasoning has now been cited in multiple other cases and is becoming a reliable first line of defence for businesses whose websites handle ordinary consumer browsing rather than financial applications or healthcare data.
The sensitivity of data on your site matters enormously for your risk profile. A media site or content blog that uses GA4 and an advertising pixel faces materially different litigation risk than a financial services site, healthcare portal, or eCommerce checkout page. The standing framework from this case suggests courts will scrutinise what data was actually captured — not just whether pixels were present. Sites handling sensitive categories should treat their risk level as significantly elevated.
The Bad: Three Split Decisions — Each With a Clear Warning
The three split decisions in this batch all follow the same structural pattern: the federal wiretapping claim (ECPA or CIPA §631) was dismissed, but the pen register claim under CIPA §638.51 survived. This pattern is becoming the dominant outcome in this litigation wave — and the pen register theory is consistently more dangerous because it requires less from plaintiffs.
This is the case that every website operator with a consent banner should read carefully. AEG is a major entertainment company — they had a cookie consent banner. They still lost on the pen register claim. Here is why.
What went right: The ECPA federal wiretapping claim was dismissed — the party exception applied, meaning AEG could not be held liable for its own third-party tools under the federal statute. The plaintiff's injunctive relief request was also dismissed because she admitted she would never return to the site.
What went wrong — and why it matters for you: AEG had a cookie consent banner, but its third-party cookies activated the moment a user landed on the site — before the banner rendered, before the user had any opportunity to reject. The court found this was sufficient for the CIPA §638.51 pen register claim to survive.
Read that again: AEG had a consent banner. It was not enough, because the tracking started before the visitor could interact with it. A consent tool that appears a half-second after your pixels have already fired is not a consent tool — it is a disclosure notice. The court treated it that way.
This decision is the clearest judicial statement yet that pre-consent script firing — however briefly — creates CIPA pen register exposure even when a consent banner is present. The AEG gap is the gap that plaintiff firm scanners are specifically looking for when they identify litigation targets. If your consent banner is cosmetic rather than technically blocking, you have the same exposure AEG had.
The Crypto.com ruling produced the same split outcome as AEG, but its significance is different — it contains the most thorough federal court analysis yet of whether CIPA's pen register provision applies to internet tracking at all.
Why §631 was dismissed: The plaintiffs failed to allege with any specificity what communications of theirs were actually intercepted. The court was clear: claiming that you browsed a website and that the site's cookies were capable of collecting certain categories of information is not the same as alleging that your personal communications were intercepted. Plaintiffs who do not describe their actual on-site activities — search terms entered, forms submitted, specific clicks made — give courts nothing to work with on the contents element of §631. This is a pattern worth noting: vague complaints are getting dismissed on §631 with some regularity.
Why §638.51 survived — and why this matters more: The court ruled that CIPA's pen register provision does apply to internet tracking. Its reasoning was grounded in the fact that CIPA borrowed its pen register definition from a federal statute that Congress had explicitly expanded in 2001 to cover internet-based tracking. Nothing in the California statute limits it to telephone devices. This is the most thorough judicial endorsement of the pen register theory in a federal court to date.
Note: several California state courts have reached the opposite conclusion using different statutory interpretation, finding that the pen register sections only apply to telephone lines. The split between state and federal courts on this point remains unresolved — it is currently before the California Court of Appeal.
The pen register theory is gaining judicial traction at the federal level. Sites that assumed the §638.51 theory was too novel to win should update that assumption. The standard advertising pixel — a tracking tool that captures IP addresses, device identifiers, and URL sequences — is precisely what the pen register provision describes. This ruling does not end the legal debate, but it strengthens the plaintiff playbook significantly.
The Capital One ruling sits in the bad column, but it deserves a significant asterisk: this case is genuinely distinguishable from most of what standard business websites will face, and understanding why helps you assess your own position accurately.
The tracking at issue was not routine browsing behaviour. Capital One's website allegedly transmitted to third-party services: customers' employment status, citizenship information, bank account type, credit card application status and approval/denial outcomes, FICO score segments, and income bands — along with names, email addresses, and phone numbers. This is not analytics data. This is the most sensitive personal and financial information a consumer can share with a financial institution.
The court's willingness to let significant claims proceed here is entirely consistent with the standing framework from the Pluto TV case. That case said routine browsing data on a free streaming platform is insufficient for standing. Capital One's situation is at the opposite end of the sensitivity spectrum. The lesson is not "financial sites are doomed" — it is "the sensitivity of data on your site is the primary variable in assessing litigation risk."
If your site handles financial data, health information, or data associated with application decisions, your risk profile is significantly elevated. Healthcare portals, insurance quote forms, loan applications, mortgage pre-qualification tools — any site where sensitive personal information is entered and third-party trackers are present should treat CIPA exposure as a P1 risk, not a theoretical one.
The Ugly: The Ruling That Should Concern Every Website Operator
These two cases are not new — but they deserve their own section because they represent the litigation trajectory that most concerns eCommerce operators, and because the Ninth Circuit's June 2025 reversal in Bloomingdale's moved the law meaningfully in the plaintiff's direction.
Bloomingdale's (Ninth Circuit, June 2025): The Ninth Circuit reversed the district court's dismissal and allowed the case to proceed. The court found that plaintiffs adequately alleged FullStory intercepted the "contents" of communications — names, addresses, and credit card information entered during checkout — while in transit, not merely after transmission. The "real-time interception" element that defendants typically argue defeats §631 claims was satisfied by FullStory's keystroke and form capture capabilities during checkout. The case is now in discovery.
Nike (C.D. Cal., ongoing): The court found FullStory could be characterised as a third-party eavesdropper rather than a tool operating on Nike's behalf. The focus was on the real-time nature of the capture — FullStory receiving keystrokes and interactions as they occur, not after the session concludes. The aiding-and-abetting theory under §631 survived dismissal.
These cases matter because they establish that session-replay tools running on checkout pages, where visitors enter billing information, shipping addresses, and payment details, represent the highest-risk configuration in CIPA litigation. The courts are consistently treating checkout keystroke capture as more legally exposed than general browsing analytics — and both Bloomingdale's and Nike are major, sophisticated organisations that presumably had legal teams reviewing their privacy posture. Neither had consent-gated their session-replay tools on checkout pages.
Hotjar, Microsoft Clarity, Lucky Orange, FullStory, or any heatmap or session-replay tool on a checkout, account login, form submission, or quote request page — with California traffic and no prior consent — is the highest-risk configuration in CIPA litigation today. These cases have been proceeding for two years. They have not settled cheaply. They involve major retailers. The exposure is real and well-documented.
The Patterns: What Is Working and What Is Not
Across all seven decisions, plus the broader body of CIPA case law tracked on our CIPA Lawsuit Tracker, four patterns emerge clearly.
| What your site does | Outcome pattern in court | Risk level |
|---|---|---|
| Consent banner with technical pre-consent blocking: no tracker fires before banner interaction | Strong defence — consent argument available | Low |
| Consent banner without script blocking: trackers fire before banner renders (the AEG gap) | Pen register claims survive despite banner — AEG pattern | High |
| No consent mechanism at all: trackers fire immediately for all visitors | Both §631 and §638.51 claims frequently survive | Very high |
| Session-replay on checkout pages: Hotjar, Clarity, FullStory etc. on billing/address forms | Highest risk — Ninth Circuit and multiple courts allowing claims to proceed | Critical |
| Routine analytics (GA4) on content/marketing pages: no financial, health, or form-input data involved | Standing challenges increasingly successful — but pen register theory active | Moderate |
| Affirmative sign-in consent + terms disclosure: tracking disclosed in terms visitor accepted before access | Strong defence — Bosley blueprint, two independent grounds | Low |
| Sensitive data + third-party trackers: financial applications, health portals, insurance quotes | Standing challenges fail — Capital One pattern, claims survive | Critical |
The single most consistent variable
It is not industry. It is not the specific tracker used. It is not even the legal theory. The single most consistent variable separating businesses that get dismissed from businesses that face trial is this: did tracking start before the visitor had an opportunity to consent?
Every case where a consent mechanism provided a meaningful defence featured either affirmative sign-in consent before any tracking began, or a functioning consent banner that technically blocked scripts until the visitor interacted with it. Every case where a consent mechanism failed to provide a defence featured either no mechanism at all, or a mechanism that displayed while trackers were already running.
What to Do Right Now — Based on This Month's Cases
The pattern across these seven cases translates directly into a prioritised action list. Here is what the case outcomes tell you to do first.
Priority 1 — Verify your consent banner is actually blocking scripts, not just being displayed. The AEG case is the most actionable decision in this batch. Open your website in an incognito browser, open DevTools, and go to the Network tab. Reload the page. Before you interact with the consent banner, look at what has already fired. If Google Analytics, Meta Pixel, Hotjar, or any other tracker appears in the network waterfall, your consent banner is cosmetic. You have the AEG gap.
Priority 2 — Remove session-replay tools from checkout, login, and form pages immediately. Even with consent in place, the Bloomingdale's and Nike cases make it clear that checkout keystroke capture is the highest-risk category in current CIPA litigation. Use URL exclusion settings in Hotjar, Clarity, or whichever tool you use to permanently exclude /checkout/, /my-account/, and any form-heavy pages from session recording scope.
Priority 3 — If your site handles sensitive data, treat your CIPA exposure as elevated. The Pluto TV dismissal and the Capital One survival together define the risk spectrum. Routine content browsing is lower risk. Financial applications, health portals, insurance or mortgage tools, and any site where visitors enter sensitive personal information carry significantly higher exposure regardless of whether a consent banner is present.
Priority 4 — Document your consent. The Bosley win was partly based on the defendant's ability to demonstrate that users had affirmatively accepted terms including consent to tracking before the tracking began. A timestamped consent log — showing when each visitor consented, what they were shown, and what they agreed to — is the evidence base for a consent defence. Without that log, you cannot rely on consent in court even if consent did occur.
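A scripted version of the Priority 1 and Priority 2 checks, run over a HAR file exported from the DevTools Network tab (an added example, not code from this article or from any scanner it mentions). The tracker host list, the sensitive-path patterns, the `auditHar` function and the manually noted consent time are assumptions for illustration; the HAR entries are constructed sample data.

```javascript
// Audit a DevTools HAR export for trackers that fired before consent (the AEG gap)
// and for session-replay tools on sensitive pages. Host list is illustrative only.
const TRACKER_HOSTS = {
  'google-analytics.com': 'analytics',
  'googletagmanager.com': 'analytics',
  'connect.facebook.net': 'advertising',
  'facebook.com': 'advertising',
  'hotjar.com': 'session-replay',
  'clarity.ms': 'session-replay',
  'fullstory.com': 'session-replay',
  'luckyorange.com': 'session-replay',
};
// Assumed path patterns for checkout, account and login pages.
const SENSITIVE_PATHS = [/^\/checkout(\/|$)/, /^\/my-account(\/|$)/, /^\/login(\/|$)/];

// Match the exact domain or any subdomain of it.
function classify(hostname) {
  for (const [domain, kind] of Object.entries(TRACKER_HOSTS)) {
    if (hostname === domain || hostname.endsWith('.' + domain)) return kind;
  }
  return null;
}

// har: parsed HAR object. pageUrl: the page that was loaded.
// consentAt: ISO time the tester clicked "accept" (HAR does not record clicks),
// or null if the banner was never touched during the capture.
function auditHar(har, pageUrl, consentAt) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  const path = new URL(pageUrl).pathname;
  const sensitive = SENSITIVE_PATHS.some((re) => re.test(path));
  const findings = [];
  for (const entry of har.log.entries) {
    let host;
    try { host = new URL(entry.request.url).hostname; } catch { continue; }
    const kind = classify(host);
    if (!kind) continue;
    if (Date.parse(entry.startedDateTime) < cutoff) {
      findings.push({ host, kind, issue: 'fired-before-consent' });
    }
    if (kind === 'session-replay' && sensitive) {
      findings.push({ host, kind, issue: 'replay-on-sensitive-page' });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-06-01T10:00:00.120Z', request: { url: 'https://shop.example/checkout/' } },
  { startedDateTime: '2026-06-01T10:00:00.480Z', request: { url: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' } },
  { startedDateTime: '2026-06-01T10:00:00.510Z', request: { url: 'https://static.hotjar.com/c/hotjar-0.js' } },
  { startedDateTime: '2026-06-01T10:00:05.000Z', request: { url: 'https://connect.facebook.net/en_US/fbevents.js' } },
] } };
```

An empty result for a capture where the banner was never touched (`consentAt` set to `null`) is the outcome that corresponds to a technically blocking banner.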
The take from June 2026: the gap between a banner and a defence
The cases in this batch confirm what has been building in CIPA jurisprudence for two years: having a consent banner and having a functioning consent defence are not the same thing. The AEG case makes that explicit. The Bosley case shows what the alternative looks like — a consent mechanism that actually blocked tracking until the visitor accepted, combined with an affirmative agreement that disclosed the tracking. Two independent grounds. Dismissed with prejudice.
The litigation is not slowing. The pen register theory is gaining traction. The session-replay exposure on checkout pages is as clear as case law gets. The actionable response is technical, not legal — it is closing the pre-consent firing gap.
We will publish the next CIPA Case Watch issue covering decisions from June 2026. Subscribe to be notified when it goes live — or check our CIPA Lawsuit Tracker for the full case database.