Listen to this post

Litigation targeting website tracking technologies—such as cookies, pixels, session replay, and analytics tools—remains a major risk for businesses in 2025 and beyond. Courts continue to shape the boundaries of liability, consent, and compliance, with California and federal courts issuing several pivotal decisions this year. The legal landscape is evolving, with new theories, defenses, and legislative proposals emerging.

I. Litigation Trends and Statutory Theories

A. Ongoing Surge in Lawsuits

  • Numerous monetary demand letters, lawsuits and arbitration proceedings continue to involve allegations that website tracking tools violate privacy and wiretap laws, particularly the California Invasion of Privacy Act (CIPA), U.S. federal Wiretap Act, and U.S. federal Video Privacy Protection Act (VPPA). The volume of court actions and arbitration proceedings remains high, with California courts handling the majority of cases.
  • Plaintiffs are expanding their focus to include generative artificial intelligence (AI) and chatbot tools, arguing that these systems “listen” to, or repurpose, user inputs without appropriate consent.

B. Theories of Liability and Defenses

  • Plaintiffs allege that session replay, chat features, cookies, pixels, and analytics tools constitute unauthorized “recordings” or “interceptions” of website communications.
  • Claims often implicate third-party software providers as alleged co-interceptors, raising questions about third party liability and data sharing practices.
  • Federal courts are increasingly requiring plaintiffs to show that they have standing to bring a claim in federal court because they suffered from an injury-in-fact, meaning an injury that is concrete, specific, and can be traced to the defendant’s conduct. If a plaintiff bringing a privacy-related claim cannot show concrete harm, in which the injury has a close relationship to a traditionally recognized harm, the plaintiff does not have standing to bring a claim. Thus, dismissals in California federal courts are more likely, making it a more favorable venue because of the heightened Article III standing requirement.

II. 2025 Case Law Developments

A. California and Federal Court Decisions

  • Sanchez v. Cars.com, Inc. and Aviles v. LiveRamp, Inc. (CA Superior Courts, Feb. 2025): Both courts rejected the theory that web beacons or pixels tracking IP addresses constitute illegal “pen registers” or “trap and trace” devices under CIPA.
  • Rodriguez v. Autotrader.com, Inc. (C.D. Cal. Jan. 2025): The court dismissed CIPA claims brought by a “statutory tester,” holding that someone who visits websites to initiate litigation cannot claim a privacy injury.
  • Ninth Circuit Precedent: For the last several years, the U.S. Court of Appeals for the Ninth Circuit has reviewed several class actions alleging that session replay and chatbots violated CIPA. The Ninth Circuit has expanded CIPA’s reach to internet communications and session replay technologies, but courts remain divided on what constitutes “contents” and who is liable as a third-party eavesdropper.
  • Frasco v. Flo Health (N.D. Cal. Aug. 2025): a unanimous jury found that Meta violated CIPA Section 632 by intentionally eavesdropping on plaintiffs’ confidential communications without consent. Plaintiffs alleged Flo Health, the developers of a sexual and reproductive health app, shared personal information with Meta and Google without their consent, including menstrual cycle timing, preferred birth control methods, and details about sexual activity. The app allegedly recorded user interactions that were then intercepted by the SDKs and collected by Meta and Google for advertising, marketing, and research and development purposes. The jury sided with the plaintiffs, and the court denied Meta’s renewed motion for a judgment as a matter of law. The court ruled that Meta captured user communications with the Flo Health app in real time. It didn’t matter that Meta only captured user communications; under the CIPA, capturing one party’s communications is sufficient. The court also found that a physical device was not necessary to fall within the statute — and even if it were, a user’s phone would qualify. Additionally, it noted “Meta actively encouraged app developers to incorporate its SDK into their apps” and acted to “restrict the acquisition of health information … only on the heels of bad press about its practices.” Further, the court held that Meta’s privacy policy did not include sufficient disclosures and Flo Health’s policy expressly assured its users that it would not share their personal information with Meta in any way.

B. Circuit Splits and Standing

  • Courts are split on how to interpret other parts of CIPA. There is ongoing disagreement among courts about what constitutes “contents of communications” and who qualifies as a third-party eavesdropper. The Ninth Circuit and district courts have debated, for example, whether a vendor providing tracking technology is a third-party eavesdropper (liable under CIPA) or merely an “extension” of the defendant (not liable).
  • The Second and Sixth Circuits are split as to who qualifies as a “consumer” under the VPPA, affecting the scope of pixel-based litigation.
  • Courts increasingly require plaintiffs to show individualized, concrete harm to establish Article III standing, resulting in more dismissals at the pleading stage.

C. Notable Ongoing and Emerging Trends

  • Plaintiffs continue to combine claims under CIPA §§ 631 and 632.7 with “trap-and-trace” allegations under § 638.51.
  • The use of generative AI and chatbots are now subject to similar legal theories as traditional website tracking tools.
  • Recent trends favor defendants where only metadata (like IP addresses) is collected, and where plaintiffs cannot show concrete harm.
  • Affirmative consent mechanisms and privacy disclosures are increasingly central to defense strategies.

III. Legislative Developments

California Senate Bill 690, which was intended to exclude routine commercial tracking from CIPA’s scope, failed to advance in 2025 and is now a “two-year bill.” This leaves businesses with continued uncertainty and exposure to litigation risk. We can expect that if this bill passes, it will not go into effect until 2027. Further, the language regarding retroactive application has since been removed.

IV. Practical Implications and Risk Mitigation

  • Consent remains central: Courts are willing to entertain arguments that plaintiffs consented to tracking via privacy policies/notices or cookie banners, but defendants must show clear, affirmative consent.
  • Standing and harm: Plaintiffs must allege concrete, individualized harm; mere statutory violations or routine collection of IP addresses are increasingly insufficient in California federal court.
  • Third party management: Businesses should pass down compliance obligations to analytics and advertising software providers by contract.
  • Monitor litigation and legislation: Stay informed with respect to ongoing cases and legislative proposals, especially in California and other states with active privacy litigation.

V. Key Takeaways for 2025 and Beyond

  • The volume of website tracking litigation remains high, but courts are increasingly scrutinizing the sufficiency of plaintiff allegations and requiring concrete harm.
  • Recent decisions in California state courts may signal a narrowing of liability, but federal courts and courts in other states remain divided.
  • The legal landscape is unsettled, with new technologies (AI, chatbots) and evolving state legislative proposals shaping future risk.
  • Businesses should prioritize clear affirmative consent mechanisms, robust privacy disclosures, and regular audits of tracking technologies.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Heidi Salow Heidi Salow

Heidi counsels clients on a wide range of privacy, cybersecurity, and artificial intelligence laws, regulations, and standards, including the CCPA, FERPA, EU AI Act, EU and U.K. GDPR, HIPAA, FCRA, GLBA, and NIST frameworks, as well as various U.S. state laws and regulations…

Heidi counsels clients on a wide range of privacy, cybersecurity, and artificial intelligence laws, regulations, and standards, including the CCPA, FERPA, EU AI Act, EU and U.K. GDPR, HIPAA, FCRA, GLBA, and NIST frameworks, as well as various U.S. state laws and regulations touching on healthcare and financial privacy, artificial intelligence, biometrics, and information security. She draws on a notable background as one of the first U.S. attorneys focused on data privacy and cybersecurity, as well as experience as a corporate executive. Heidi previously held executive roles at two large multinational corporations, Thomson Reuters and Leidos.

Read more about Heidi Salow
Show more Show less
Photo of Paloma Acosta Paloma Acosta

Paloma represents manufacturers and other private companies in product and personal injury claims, including cases involving high exposure and catastrophic injuries. The more complex the case, the better: she’s passionate about working with highly technical matters with a team of expert witnesses. While…

Paloma represents manufacturers and other private companies in product and personal injury claims, including cases involving high exposure and catastrophic injuries. The more complex the case, the better: she’s passionate about working with highly technical matters with a team of expert witnesses. While Paloma supports clients nationwide, she most often handles California-based matters for national and international companies, including overseeing all California products cases for a global leader in infection prevention solutions and services.

In addition, Paloma has ample experience in employment law, including wage and hour class actions, PAGA representative actions, and wrongful termination matters. While much of her current practice is toxic tort-focused, she continues to handle the sort of employment matters that she first cut her teeth on as a new attorney. Paloma frequently represents clients in wage and hour class action suits.

Paloma preps every case as though it will be tried to verdict. Her goal is for clients to never feel forced to accept a less-than-ideal settlement, and she builds solid defenses that mean clients never need to fear trial. Paloma works on massive, multi-year cases, always with a focus on how each decision and piece of evidence will influence an eventual trial strategy.

As a young attorney, Paloma knew she had a gift for managing conflict and personalities and collaborating toward solutions. It made litigation a natural fit, and she began her legal career litigating for plaintiffs for five years—an experience that continues to shape her practice. Paloma understands how plaintiffs’ counsel thinks and operates, as well as the concerns that drive their decisions, and she builds her own strategies with this in mind.

In 2024, Paloma joined Husch Blackwell to help build the firm’s San Diego team. After a decade of litigation in the state, she’s deeply familiar with the judges and local rules, making her a true asset in California courts. Known for building close, long-term relationships with clients, Paloma prioritizes open communication so that clients are fully informed and intrinsically involved in strategic development.

Read more about Paloma Acosta
Show more Show less
Related Posts
Privacy Litigation Image
U.S. Privacy Litigation Update: September 2025 Decisions
October 21, 2025
Healthcare blog post image
Healthcare Website Tracking: Lessons from Four Recent ECPA Rulings
September 22, 2025
Privacy Litigation Image
U.S. Privacy Litigation Update: August 2025 Decisions
September 16, 2025