Can Lawsuits Curb Website Event Tracking Use?

As easy as it is to insert the Meta Pixel or other website event tracking code into a webpage, organizations need to examine carefully the information they are collecting and tracking. Litigation to date has identified at least three important ways that the trackers can easily violate state and federal privacy laws, such as the CIPA (California Invasion of Privacy Act), the VPPA (Video Privacy Protection Act), and various common law claims. Depending on the organization’s industry alignment, some lawsuits allege violations of more than one of these acts, as well as, other state-based privacy laws. For instance, an organization that streams health content and sells associated medications may be violating both VPPA and laws that prevent the unauthorized release of health-related information. Approximately three years after the filings of some of the first website event tracking lawsuits, we are compiling a volume, albeit thin, of caselaw. In this article, we will examine the outcomes of several influential cases and their effects.

Jane Doe V. GoodRx Holdings, Inc., Criteo Corp., Meta Platforms, Inc., and Google LLC., Case 3:23-cv-00501-LB (N Dist CA 2023), a class action suit which settled in November 2024 for $24.5 million, revolved around the use of the Meta Pixel and two other website event tracking codes to collect data on individuals using the various websites owned by GoodRx. Plaintiffs contended that the software code used by the defendants collected information covered by HIPAA and which fell into the categories of both Personally Identifiable Information (PII) and Protected Health Information (PHI). The complaint alleges:

Through Advertising and Analytics Defendants’ tracking technology incorporated on the GoodRx Platform, including software development kits (“SDK”) and tracking pixels, Defendants Google, Meta, and Criteo knowingly and intentionally intercepted Plaintiff and Class members’ personal information, including health information relating to their medical conditions, symptoms, and prescriptions, communicated through the GoodRx Platform.

The Complaint alleges twelve claims of harm under CIPA, the California Confidentiality of Medical Information Act, the California Consumers Legal Remedies Act, the California Business and Professional Code, and common law privacy claims, as HIPAA does not create a private right of action under which an individual may sue. Complaints of HIPAA violations are filed and pursued by the Health and Human Services Office for Civil Rights.

For customers of video streaming services, there have been several website event tracking lawsuits filed under the Video Privacy Protection Act which originated as a law providing consumers protection from having their video cassette rental choices exposed. The Act, which has been expanded to include video streaming platforms (depending on the circumstances of the case), was at the center of Burdette, et al. v. FuboTV, Inc., et al, 2024 IL LA001460, settled for $3.4 million in July 2025. Plaintiffs in Burdette claimed that television streaming service FuboTV:

[C]ollected, stored, used, distributed, or retained Personally Identifiable Information in the form of information that identifies a Person as having specific videos or services from a video tape service provider and/or other personal information or data in violation of the Video Privacy Protection Act, 18 U.S.C. § 2710 et seq. (“VPPA”).

As with Doe v GoodRx above, FuboTV chose to settle the suit rather than allow the case to go to trial, providing us with the most recent case we have seen under VPPA.

Another recent case involving Meta Pixel and violations of the VPPA was Salazar v National Basketball Association, 119 F 4th 533 (2024), provided an expansive interpretation of the VPPA and applied such to the case and ruled in the plaintiff’s favor. Not happy with the outcome of the lower court decision, the NBA has filed a Petition for Writ of Certiorari with the US Supreme Court, hoping for a chance to argue this case before the ultimate referees. Interestingly, the same plaintiff filed a similar lawsuit against Paramount Global where the Sixth Circuit disagreed with the Second Circuit decision and applied a narrow definition of the VPPA, handing the plaintiff a loss (SCOTUS Petition).

While the case law continues to grow, we are starting to see key questions emerge regarding the use of website event tracking code and how organizations can avoid legal trouble and still get the most for their marketing budgets. Is it sufficient to simply offer an opt-in consent function on the landing page or is the current opt-in/opt-out/customize cookies banner enough? Should only anonymized data be tracked by excluding the collection of names, addresses, email addresses, phone number, birth dates and gender? Should monetary transaction information be prohibited from collection entirely? None of these questions have been answered by the cases we have seen come through the courts; and the likelihood that the courts will make that determination is potentially low. What more likely will happen is that organizations will more carefully choose how, where, and when to deploy tracking code to minimize their legal exposure while still collecting our data.