ConsentPixel – Privacy · Verified

50K–100K: Total CIPA claims filed since 2022 (lawsuits + demand letters + arbitration)
$5,000: Statutory damages per violation — no proof of harm required
$30M+: Total publicly disclosed settlement value tracked on this page
28: US states with similar wiretapping statutes being applied to websites
In re Sutter Health Tracking Pixel Litigation
N.D. California · Class action · April 2026
✓ Settled §631
📅 Settled: April 2026 🏥 Industry: Healthcare
Sutter Health agreed to a $21.5 million settlement to resolve claims it violated privacy laws by deploying third-party tracking pixels on its patient portal and marketing website, transmitting protected health information to third-party vendors without patient consent. Settlement provides $90 per class member. The healthcare sector faces elevated CIPA exposure due to the sensitivity of medical data.
Settlement value: $21.5M
🏥 Healthcare portal Meta Pixel Google Analytics Third-party pixels
Doe v. Los Angeles Times Communications LLC
C.D. California · Class action · Pending final approval
✓ Settlement pending §638.51
📅 Final approval: June 26, 2026 📰 Industry: Media / News
The LA Times agreed to a $3.85 million settlement over claims that tracking technologies on its website and mobile app collected California visitors' information without consent between January 2023 and December 2025. Class members who submitted valid claims by May 20, 2026 are eligible for pro-rata cash payment. Final approval hearing scheduled June 26, 2026.
Settlement value: $3.85M
📰 News website Web trackers
Doe v. Inova Health System
E.D. Virginia / C.D. California · Class action · April 2026
✓ Settled §631
📅 Settled: April 2026 🏥 Industry: Healthcare
Inova Health settled for $3.1 million over claims that tracking pixels on its healthcare website transmitted patient data to third-party vendors without HIPAA authorisation or consumer consent. Part of the broader wave of healthcare pixel litigation affecting hospitals and health systems nationwide.
Settlement value: $3.1M
🏥 Healthcare portal Meta Pixel
Shah v. Fandom Inc. (GameSpot)
N.D. California · Class action · December 2025
✓ Settled §638.51
📅 Settled: December 2025 🎮 Industry: Gaming / Media
Fandom agreed to a $1.2 million settlement over claims that GameSpot deployed unauthorized third-party trackers without prior consent to track California visitors. Legal commentators describe this case as "the blueprint for thousands of pending pixel lawsuits" — it established that a consent banner dismissal without explicit Accept does not constitute valid consent.
Settlement value: $1.2M
🎮 Gaming website Pen register trackers
Mikulsky v. Bloomingdale's — FullStory
Ninth Circuit · June 20, 2025
Plaintiff wins §631
📅 Ruling: June 20, 2025 🛍 Industry: Retail / E-commerce
Ninth Circuit reversed dismissal and allowed the case to proceed. The court found plaintiffs adequately alleged that FullStory intercepted the "contents" of communications — names, addresses, credit card information entered during checkout — while in transit, not merely post-transmission. The "real-time interception" element was satisfied by FullStory's keystroke and form capture capabilities. Now in discovery.
FullStory 🛍 E-commerce checkout
Saleh v. Nike, Inc. — FullStory
C.D. California · 2024–2025
Plaintiff wins §631
📅 Status: In discovery 👟 Industry: Retail / E-commerce
Court found FullStory could be characterised as a third-party eavesdropper rather than a tool of Nike. The focus was on the real-time nature of the data capture — FullStory receiving keystrokes and interactions as they occur, not after the session concludes. The case survived dismissal on the aiding-and-abetting theory under CIPA § 631.
FullStory 👟 E-commerce
Camplisson v. Adidas America, Inc.
S.D. California · November 18, 2025
Plaintiff wins §638.51
📅 Ruling: November 18, 2025 👟 Industry: Retail / E-commerce
Case survived on the § 638.51 pen register theory. The court noted "most cases in this and other districts have also recognised that website-based trackers can plausibly constitute a pen register." Significant precedent for retail e-commerce sites using standard advertising pixels. The case demonstrates the viability of the pen register theory even as other courts reject it.
Meta Pixel Tracking pixels
Heerde v. Learfield Communications
C.D. California · 2024
Plaintiff wins §631
📅 Status: Survived dismissal 🏫 Industry: Sports / Media
Court found a viable CIPA theory where search terms typed on a university athletics website were transmitted in real time to third-party vendors via analytics scripts. The "real-time transmission of content" (the search query itself) distinguished this from passive data collection. Survived on the aiding-and-abetting theory. Significant precedent for sites with search functionality and analytics.
🔍 Search terms captured Analytics pixels
D'Antonio v. Cable News Network, Inc. (CNN)
S.D. New York · 2026
Plaintiff wins §638.51
📅 Status: Motion to dismiss denied 📺 Industry: Media / News
An SDNY judge denied CNN's motion to dismiss a CIPA class action over third-party trackers on CNN.com. The court found the plaintiff had established Article III standing — the aggregation of tracking data into comprehensive user profiles bears a close relationship to traditional privacy torts. The court also rejected CNN's argument that trackers collected only routing information rather than communication content.
📺 News website Data broker matching Advertising trackers
Greenley v. Kochava, Inc.
S.D. California · 2023 (leading precedent)
Plaintiff wins §638.51
📅 Status: Ongoing litigation 📱 Industry: Ad tech / Data broker
Foundational case establishing that an SDK embedded in apps could constitute a pen register under CIPA. Court rejected the defendant's argument that an SDK was categorically not a pen register. This ruling opened the door to a broad range of claims against advertising SDKs, fingerprinting technologies, and cross-site tracking tools. Still considered the most important § 638.51 precedent in website tracking litigation.
📱 Mobile SDK Device fingerprinting
Torres v. Prudential Financial, Inc.
N.D. California · April 17, 2025
🛡 Defendant wins §631
📅 Ruling: April 17, 2025 💼 Industry: Financial services
Summary judgment for the defendant. The court held that CIPA § 631 requires evidence that a party actually read or attempted to read communication contents while in transit — mere data capture during a session is insufficient. Session replay software that reassembles data only after transmission does not satisfy the real-time interception requirement. One of the most significant defendant-friendly rulings to date — narrows § 631 liability substantially.
Session replay software 💼 Financial portal
Thomas v. Papa John's International — FullStory
Ninth Circuit · June 18, 2025
🛡 Defendant wins §631
📅 Ruling: June 18, 2025 🍕 Industry: Food / E-commerce
Ninth Circuit affirmed dismissal. Papa John's was a party to its own visitors' communications — a party cannot "eavesdrop" on its own conversation. The direct party exception under CIPA § 631 bars direct liability. However, the court noted the plaintiff had not pleaded the aiding-and-abetting theory against FullStory specifically, leaving that avenue open in future cases — and plaintiffs have since pivoted to this theory.
FullStory 🍕 Restaurant / E-commerce
Khamooshi v. Politico LLC
N.D. California · October 2, 2025
🛡 Defendant wins §638.51
📅 Ruling: October 2, 2025 📰 Industry: Media / News
CIPA § 638.51 pen register claim dismissed for lack of Article III standing. The collection of generic device and browser metadata — IP addresses, device type, browser version — did not constitute the kind of "embarrassing, invasive, or otherwise private" information necessary to establish a concrete injury. The Popa v. Microsoft standing framework applied. Metadata alone is insufficient — plaintiffs need more sensitive data collection to establish standing.
Browser metadata Analytics trackers
Graham v. Noom, Inc. — FullStory
N.D. California
🛡 Defendant wins §631
📅 Status: Dismissed 💻 Industry: Health / SaaS
Court found FullStory was a direct party to communications when recording user sessions, not a third-party interceptor. As a service provider integrated into Noom's infrastructure and operating as Noom's agent, the party exception applied — FullStory was not an independent eavesdropper. Illustrates how vendor configuration and contractual relationship significantly affect the legal outcome.
FullStory 💊 Health / wellness app
Balabbo v. Wildflower Brands
Los Angeles Superior Court · 2026
🛡 CIPA dismissed Privacy claim survives
📅 Status: Mixed — CIPA dismissed 🛍 Industry: Retail / E-commerce
Mixed ruling. The court dismissed CIPA pen register and wiretapping claims, finding CCPA/CPRA governs website data collection and the legislature could not have intended to criminalise under CIPA practices it carefully regulated under CCPA. However, a common law invasion of privacy claim survived — the capture and transmission of credit card and medical data to third parties could be a highly offensive intrusion. The CIPA/CCPA preemption argument gains traction.
Session replay 🛍 E-commerce
Licea v. Old Navy (Gap Inc.)
C.D. California
🛡 Defendant wins §631
📅 Status: Dismissed 🛍 Industry: Retail / E-commerce
Court ruled that Old Navy could not "eavesdrop" on its own chat communications — it was a party to the conversation, not a third-party interceptor. Live chat tools deployed by the website owner itself fall under the party exception. Important precedent for first-party chat and customer service tools. Plaintiffs have since focused on third-party chat providers (Intercom, Drift, Zendesk) to avoid this exception.
💬 Live chat widget 🛍 Retail website
Byars v. Hot Topic, Inc.
C.D. California
🛡 Defendant wins §631
📅 Status: Dismissed 🛍 Industry: Retail / E-commerce
The chat tool at issue was found to be an extension of the business itself — not an independent third-party interceptor — and therefore the party exception applied. Lawsuit dismissed. Reinforces the principle that integrated chat tools operating as the business's own agent do not create CIPA § 631 liability, unlike third-party vendors that independently receive and process the communication data.
💬 Chat tool
Rodriguez v. Autotrader.com, Inc.
C.D. California · April 4, 2025
🛡 Defendant wins §638.51
📅 Ruling: April 4, 2025 🚗 Industry: Automotive / E-commerce
Dismissed with prejudice for lack of standing. The court was skeptical of "tester-style" pleading — a plaintiff who visits a website specifically to document a CIPA violation "cannot claim an injury when her expectations were ultimately met." Courts are increasingly scrutinising whether serial CIPA plaintiffs have suffered genuine harm, applying stricter Article III standing analysis. Significant for defendants in serial plaintiff cases.
🚗 Automotive marketplace
Maghoney v. Dotdash Meredith (VeryWellHealth)
N.D. California · 2025–2026
⏳ Active litigation §631
📅 Status: Pre-discovery 🏥 Industry: Health / Media
Plaintiff alleges he visited VeryWellHealth.com in December 2024, entering search terms related to symptoms and treatment of sexually transmitted infections, and that the site's advertising platform intercepted and transmitted this sensitive health data — including specific search terms, navigation history, and device metadata — to third-party advertisers in real time without consent. Case highlights particular risk for health and wellness websites with search functionality.
🔍 Health search terms Ad platform tracking
Frasco v. Flo Health, Inc.
N.D. California · 2025
⏳ Class certified §631
📅 Status: Class certification granted 2025 📱 Industry: Health / Femtech
Class action certified in 2025. A California subclass was certified for claims under CIPA § 632 (confidential communications). The case involves a health tracking app that allegedly shared sensitive reproductive health data with advertising platforms. One of the first CIPA class certifications in the femtech space — may set precedent for health app developers and their analytics integrations.
📱 Health tracking app Meta Pixel Analytics
Washington v. Flixbus, Inc.
S.D. California · June 5, 2025
⏳ Active litigation §631
📅 Ruling: June 5, 2025 🚌 Industry: Travel / Transport
Motion to dismiss denied on June 5, 2025. The case proceeds on claims that Flixbus's website chat tool intercepted customer communications and transmitted them to a third-party vendor without disclosure or consent. The ruling adds to a growing body of cases where integrated chat tools with third-party backends are found to create viable CIPA § 631 exposure distinct from pure first-party chat tools.
💬 Chat tool (third-party backend) 🚌 Travel website
In re Meta Pixel Tax Filing Cases
N.D. California · Multi-district litigation
⏳ MDL ongoing §631 §638.51
📅 Status: MDL ongoing 💰 Industry: Tax / Financial services
Multi-district litigation targeting tax preparation companies (H&R Block, TaxAct, TaxSlayer) for deploying Meta Pixel on their tax filing portals, allegedly transmitting sensitive financial data to Meta without user consent. The cases combine CIPA § 631, § 638.51, and Electronic Return Originator agreement violations. One of the highest-profile ongoing CIPA matters — decision could set binding precedent for all financial and tax services websites.
Meta Pixel 💰 Tax filing portal
Diaz v. Paramount Skydance (Pluto TV)
Federal Court · April 20, 2026
🛡 Defendant wins Dismissed §631
📅 Ruling: April 20, 2026 📺 Industry: Streaming / Media
Dismissed for lack of Article III standing. The court drew a sharp distinction between genuinely sensitive data (medical, financial, personal communications) and routine behavioural metadata from ad-targeting pixels on a free streaming platform. Vague allegations that pixels collected "personal information" were insufficient — plaintiffs must identify specific sensitive data actually disclosed. This standing framework is now being cited across multiple districts as a reliable first-line defence for non-sensitive content sites.
Tags: Advertising pixels • Standing • Streaming platform
Garcia v. Anschutz Entertainment Group (AEG)
Federal Court · May 5, 2026
⚠️ Split decision §631 Dismissed §638.51 Survived
📅 Ruling: May 5, 2026 🎭 Industry: Entertainment / Events
ECPA federal claim dismissed under the party exception. However, the CIPA pen register claim survived because AEG's third-party cookies activated immediately when users landed on the site—before the consent banner appeared and before any opt-out opportunity existed. The court emphasized that a consent banner shown after tracking has already begun functions only as a disclosure notice, not as valid consent. A significant warning for organizations whose trackers fire before user interaction with consent tools.
Tags: Consent banner gap • Pen register • Pre-consent firing • Third-party cookies
Ortiz v. Foris Dax, Inc. (Crypto.com)
Federal Court · May 21, 2026
⚠️ Split decision §631 Dismissed §638.51 Survived
📅 Ruling: May 21, 2026 💰 Industry: Cryptocurrency / Finance
The court dismissed the Section 631 wiretapping claim because plaintiffs failed to adequately describe their actual website activities. However, the §638.51 pen register claim survived in one of the most comprehensive federal analyses yet addressing whether CIPA's pen register provision applies to internet tracking technologies. The court concluded that it does, noting that California adopted a federal pen register definition that Congress had already expanded to encompass internet-based tracking in 2001. This represents one of the strongest federal endorsements of the pen register theory to date.
Tags: Pen register • Third-party tracking • Internet tracking theory
Ingraham v. Capital One Financial Corp.
Federal Court · May 22, 2026
⚠️ Significant claims survived Sensitive Data
📅 Ruling: May 22, 2026 🏦 Industry: Financial Services
Multiple claims survived where plaintiffs alleged transmission of highly sensitive information to third-party services, including employment status, citizenship, bank account type, credit application approval and denial outcomes, FICO score segments, income bands, names, email addresses, and phone numbers. The court distinguished the case from routine browsing-data disputes due to the extraordinary sensitivity of the information involved. Consistent with the standing analysis in Diaz v. Paramount, the decision reinforces that defendants face greater difficulty challenging standing when sensitive personal or financial information is allegedly disclosed.
Tags: Financial data • Sensitive data • Application data • Third-party transmission

📋 Methodology & sources

Cases on this tracker are sourced from public court records, legal news publications (Inside Class Actions, Fisher Phillips, Troutman Pepper Privacy+Cyber+AI blog, Baker Donelson, Jackson Walker, Spencer Fane), and class action settlement databases (Top Class Actions). We include cases where a CIPA claim was a central allegation — not every case where CIPA was tangentially mentioned.

Outcome definitions: "Settlement" means a monetary settlement was reached. "Plaintiff wins" means the case survived a motion to dismiss or summary judgment in the plaintiff's favour and proceeds. "Defendant wins" means the case was dismissed. "Pending" means active litigation with no final outcome.

Coverage limitation: The vast majority of CIPA claims are resolved privately through demand letters, arbitration, or confidential settlement before any public filing. This tracker captures only publicly known cases — estimated to represent a small fraction of total CIPA activity. The true claim volume is estimated between 50,000 and 100,000 since 2022.

Updates: This tracker is reviewed and updated monthly. Last updated May 2026. To report a case we've missed, email hello@consentpixel.com.

Legal disclaimer: This tracker is for informational purposes only and does not constitute legal advice. Case summaries are simplified for a non-legal audience. Consult a qualified attorney for advice on your specific situation.
