Wiretapping Lawsuits: Are Your Website Pixels Illegal?
There is a new front in the war on privacy: website tracking pixels. Plaintiffs’ attorneys are filing class-action lawsuits alleging that tools like the Meta Pixel and Conversions API (CAPI) constitute illegal wiretapping under state privacy laws. For auto dealers and financial institutions subject to the FTC Safeguards Rule, this is not just a marketing problem; it is a data protection crisis.
The Legal Foundation: CIPA Section 631
Most of these lawsuits rely on the California Invasion of Privacy Act (CIPA), specifically Section 631(a). Originally written to prevent physical wiretapping, the statute prohibits any person from willfully intercepting or reading the contents of a communication “while the same is in transit” without the consent of all parties. Critically, CIPA provides statutory damages of $5,000 per violation, and plaintiffs do not need to prove actual injury to collect.
Plaintiffs’ attorneys prefer CIPA over the Federal Wiretap Act (18 U.S.C. 2511) for two reasons. First, the federal statute is a one-party-consent law: under 18 U.S.C. 2511(2)(d), an interception is lawful when one party to the communication consents, and the website operator is that consenting party when it installs the pixel. Second, the only way around that exception is to show the interception was made “for the purpose of committing any criminal or tortious act,” a high bar when the stated use is marketing analytics. CIPA requires all-party consent and has no purpose requirement.
How the Meta Pixel Actually Works
The Meta Pixel is a JavaScript snippet (fbevents.js, loaded from connect.facebook.net) that runs when a visitor reaches your site. It captures browser events (page views, button clicks, form interactions) and transmits them to Meta’s servers in real time. Depending on configuration, Meta’s “Automatic Advanced Matching” feature also reads recognizable form fields (name, email, phone) and sends their values, hashed, alongside those events. The key legal issue: plaintiffs allege that the pixel can capture form-field contents as a user types, sending partial data to Meta before the user ever clicks “Submit.” If so, a consumer’s name, phone number, or email address reaches a third party without their knowledge or consent, and hashing does not change the analysis, since a hash of an email address is still a stable identifier for that person.
The Conversions API (CAPI) operates server-side rather than in the browser, but plaintiffs argue it creates the same problem: customer data flows to Meta without explicit prior consent from the consumer.
The “Pen Register” vs. “Interception” Distinction
A critical legal debate in these cases centers on which section of CIPA applies. “Interception” claims under Section 631 focus on the content of what was typed. “Pen register” claims under Section 638.51 focus on routing information like IP addresses and URLs visited. In Greenley v. Kochava (2023), a federal court held that software, specifically an SDK, can function as a pen register. That ruling opened the floodgates, because it bypassed the harder “content” requirement entirely. However, the theory is facing pushback: in Sanchez v. Cars.com (2025, L.A. Superior Court), the court dismissed the case, ruling that CIPA’s pen register provisions do not apply to standard IP address collection.
Auto Industry and Related Cases
The automotive sector has already been targeted. In Rodriguez v. Autotrader.com, Inc. (2025, C.D. Cal.), the court dismissed the case with prejudice, holding that “tester” plaintiffs who visit websites specifically to find violations lack a reasonable expectation of privacy. American Honda Motor Co. settled with the California Privacy Protection Agency in 2025 for $632,500 over “dark patterns” in its cookie consent banners.
Healthcare pixel lawsuits provide a warning of what can happen when sensitive data is involved. Kaiser Permanente settled for over $46 million in 2024 over pixel tracking on authenticated patient pages. Advocate Aurora Health settled for $12.25 million in 2023, and Mass General Brigham settled for $18.4 million in 2022. While dealership data is not HIPAA-protected, it is financial data protected under FTC Safeguards, and the litigation playbook is the same.
FTC Enforcement: Pixels Are Already on the Radar
The FTC has taken enforcement action against companies for pixel-based data sharing. In 2023, GoodRx was charged under the Health Breach Notification Rule for sharing health data with Meta and Google via pixels. BetterHelp, also in 2023, was charged with sharing mental health data of 7 million users with Facebook and Snapchat through tracking pixels. Monument and Cerebral faced similar actions in 2024. While these cases targeted healthcare data, the enforcement theory, that pixels constitute unauthorized data sharing, applies equally to financial data under the Safeguards Rule.
The Safeguards Rule Connection
Under 16 CFR Part 314, you are responsible for ensuring the “security and confidentiality” of customer information. The Rule’s definition of “customer information” covers any record containing nonpublic personal information a consumer provides to obtain a financial product or service. When a consumer fills out a credit application or trade-in form on your website, that data is covered. If your pixels transmit that data to Meta or Google before the consumer consents, you have an unauthorized disclosure, not a marketing nuance, and it runs against the Safeguards Rule’s core mandate.
Building a Compliant Tracking Infrastructure
1. Pixel Audit: Inventory every tracking script on your site. Most dealers are surprised to find 15 to 30 scripts they did not know about, placed by marketing agencies, chat widgets, and third-party integrations.
2. Consent Management Platform (CMP): Implement a CMP such as OneTrust, Cookiebot, or Usercentrics that actually blocks scripts until the visitor provides affirmative consent. The banner must offer a real “Reject All” option, not just “Accept” and “Manage Preferences.” Verify the blocking rather than trusting the vendor dashboard: open the browser’s developer tools, load the page in a fresh profile, click “Reject All,” and confirm that no request to connect.facebook.net or www.facebook.com/tr (the pixel script and its event endpoint) fires before or after the choice.
3. Google Consent Mode v2: Unlike traditional pixels that are binary (on or off), Google’s Consent Mode v2 sends “cookieless pings” when consent is denied. These pings carry anonymous signals (consent state, device type, timestamp) without setting or reading cookies. Google reports that its conversion modeling then recovers roughly 70% of conversion data while respecting the user’s preference. Implementation matters: the consent defaults (ad_storage, analytics_storage, and the two v2 additions, ad_user_data and ad_personalization, all set to “denied”) must be pushed before any Google tag loads, and the CMP must push an update when the visitor decides. This is the direction compliant tracking is heading.
4. Privacy Policy Updates: Your privacy policy must explicitly name every third party receiving data from your site, what data they receive, and for what purpose.
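The audit and consent-gating steps above, as an added example that is not code from the original article or from any CMP vendor. It assumes a first-party host of dealer.example, the standard gtag shim, and tracker “loaders” modelled as plain functions; the sample HTML is constructed for the example. The first part inventories every script on a page and flags known pixels and unknown third-party hosts; the second part holds tracker loaders until the visitor consents and drives Google Consent Mode v2 from that decision.

```javascript
// Added example (not from the original article). Assumed names: dealer.example
// as the first-party host, registerTracker/applyConsent as the CMP-side helpers.

// ---------- Part 1: pixel audit over raw HTML (no DOM required) ----------
const KNOWN_TRACKERS = [
  { name: 'Meta Pixel',   host: /(^|\.)connect\.facebook\.net$/,  inline: /\bfbq\s*\(/ },
  { name: 'Google Tag',   host: /(^|\.)googletagmanager\.com$/,   inline: /\bgtag\s*\(|dataLayer\.push/ },
  { name: 'TikTok Pixel', host: /(^|\.)analytics\.tiktok\.com$/,  inline: /\bttq\./ },
];

// Returns one record per <script> tag: where it is hosted and which tracker it is.
// Unknown third-party hosts (chat widgets, agency tags) are exactly what an audit must surface.
function inventoryScripts(html, firstPartyHost) {
  const found = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1], body = m[2];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (src) {
      let host;
      try { host = new URL(src, 'https://' + firstPartyHost + '/').hostname; } catch (e) { host = '(unparseable)'; }
      const t = KNOWN_TRACKERS.find(k => k.host.test(host));
      found.push({ kind: 'external', host, thirdParty: host !== firstPartyHost, tracker: t ? t.name : null });
    } else {
      const t = KNOWN_TRACKERS.find(k => k.inline.test(body));
      found.push({ kind: 'inline', host: firstPartyHost, thirdParty: false, tracker: t ? t.name : null });
    }
  }
  return found;
}

// Constructed sample page; IDs are placeholders, not real pixel or tag IDs.
const SAMPLE_HTML = '<html><head>' +
  '<script src="/static/app.js"></script>' +
  '<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>' +
  '<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag("js", new Date());</script>' +
  '<script>/* shortened Meta snippet */ fbq("init", "000000000000000"); fbq("track", "PageView");</script>' +
  '<script src="https://chat.vendor.example/widget.js"></script>' +
  '</head></html>';

// ---------- Part 2: consent-first loading with Google Consent Mode v2 ----------
const dataLayer = [];                         // window.dataLayer in a real page
function gtag() { dataLayer.push(arguments); } // the standard gtag shim

// Defaults must be pushed before any Google tag loads: everything denied.
// wait_for_update gives the CMP up to 500 ms to deliver the visitor's choice.
gtag('consent', 'default', {
  ad_storage: 'denied', analytics_storage: 'denied',
  ad_user_data: 'denied', ad_personalization: 'denied',
  wait_for_update: 500,
});

const queue = [];   // tracker loaders held back until consent
const loaded = [];  // names of loaders that actually ran

// Register a tracker instead of executing it. A CMP does the same thing by serving
// <script type="text/plain" data-category="marketing"> and flipping the type on consent.
function registerTracker(name, category, loader) {
  queue.push({ name, category, loader, done: false });
}

// choice = { marketing: bool, analytics: bool }. Denied categories never run;
// only the gtag library's cookieless pings go out for them. Safe to call more than once.
function applyConsent(choice) {
  const mk = choice.marketing ? 'granted' : 'denied';
  gtag('consent', 'update', {
    ad_storage: mk, ad_user_data: mk, ad_personalization: mk,
    analytics_storage: choice.analytics ? 'granted' : 'denied',
  });
  for (const t of queue) {
    if (!t.done && choice[t.category]) { t.done = true; t.loader(); loaded.push(t.name); }
  }
}

// Replays the dataLayer so the effective consent state can be checked in a test or audit.
function currentConsent() {
  const state = {};
  for (const args of dataLayer) if (args[0] === 'consent') Object.assign(state, args[2]);
  delete state.wait_for_update;
  return state;
}

registerTracker('Meta Pixel', 'marketing', () => { /* would inject fbevents.js and call fbq('init', ...) */ });
registerTracker('GA4', 'analytics', () => { /* would call gtag('config', 'G-...') */ });
applyConsent({ marketing: false, analytics: false }); // visitor clicked "Reject All"
console.log(inventoryScripts(SAMPLE_HTML, 'dealer.example'));
console.log(currentConsent(), 'loaded:', loaded);
```

The inventory deliberately treats an unrecognized third-party host (the chat widget above) as a finding, not as noise; that is where the “15 to 30 scripts you did not know about” usually hide. In the consent gate, “Reject All” pushes an explicit update with every key still denied, which is what lets Consent Mode send its cookieless pings while no tracker code runs.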
The Broader State Privacy Landscape
CIPA is not the only risk. The California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), and Colorado Privacy Act (CPA) all regulate sharing data with third parties: each gives consumers a right to opt out of targeted advertising and the sale or sharing of personal data, and Virginia and Colorado require opt-in consent before processing sensitive data. Auto dealers operating across state lines face a patchwork of obligations. The safest strategy is to implement consent-first tracking universally rather than trying to geo-target compliance.
The plaintiffs’ bar is actively targeting businesses with non-compliant tracking. The financial exposure, $5,000 per violation under CIPA alone, can reach seven figures quickly when multiplied across website visitors. Clean up your pixels now, or budget for litigation later.
