The growing use of tracking technologies, such as cookies, pixels, web beacons and chatbots, has led, and will continue to lead, to increased scrutiny from regulators and courts. Their focus has been on how companies describe tracking practices and the choices they offer consumers, including for advertising and analytics.
Common website and mobile application practices are scrutinized under various laws, including wiretap laws like the California Invasion of Privacy Act (CIPA), and privacy laws like the CCPA and HIPAA. Complicating the legal landscape, statutes and court rulings are often inconsistent or even directly contradictory.
This article explores legal and regulatory developments around use of tracking technologies, and offers practical compliance and operational measures to implement to avoid potential liability.
See this four-part series on tracking technologies: "Privacy Regulation, Enforcement and Risk" (Jan. 17, 2024), "A Deep Dive on What They Are and How They Work" (Jan. 31, 2024), "A 360‑Degree Governance Plan" (Feb. 21, 2024), and "Compliance Challenges and Solutions" (Apr. 17, 2024).
Legal and Use Overview
How Tracking Technologies Are Used
Websites and mobile apps commonly use tracking technologies – software (a script or code) loaded on a user's device and/or embedded within an application – such as cookies, web beacons or tracking pixels, session replay scripts, chatbots and software development kits (SDKs) to track and collect information from users when they interact with a website or mobile app. Mobile app developers regularly use SDKs with preprogrammed functions – such as advertising and analytics – that are integrated into the application and operate in the background.
Tracking technologies may be used in the first-party context, where user data is collected by the provider of the application or website directly, or in the "third-party" context, where a user is tracked by a third party, often Google or a social media company, such as X or Meta. In some cases, the third party's own software is automatically loaded on the device, and the information flows straight to that party. These third parties may use the information from the device for analytics – e.g., anonymizing the data and providing an analysis to assist companies in tracking which pages are most visited – or targeted advertising, or even to sell personal data relating to the user.
Information from tracking technologies may be retained for differing periods. For example, many "necessary" cookies are automatically deleted at the end of a session, while pixels or gifs may be retained for longer periods or even indefinitely.
Applicable Laws
Over the past few years, there has been an uptick in litigation and enforcement actions tied to tracking technology use, though it remains an unsettled area of law, especially in two-party consent states where plaintiffs' attorneys claim tracking technologies are illegally wiretapping or eavesdropping on consumer conversations without appropriate notice or consent.
In the U.S., state privacy laws regulate how personal data can be used to create "profiles" of individuals, e.g., to analyze or predict an individual's economic situation, preferences, interests, behavior, health, location or movements. Companies must be able to identify whether their use of tracking technologies falls within these cases and must permit individuals to opt out of sales, targeted advertising and profiling in certain jurisdictions. In some cases and jurisdictions, express consent may even be required.
Several other privacy laws and regulations, as well as older common law or court-created legal theories, are experiencing a renaissance with the accessibility and widespread use of tracking technologies, namely the Electronic Communications Privacy Act of 1986, Video Privacy Protection Act (VPPA), state wiretapping laws (e.g., CIPA), HIPAA, and common law torts like invasion of privacy and negligence.
See this two-part series on website-tracking lawsuits: "A Guide to New Video Privacy Decisions Starring PBS and People.com" (Mar. 29, 2023), and "Takeaways From New Dismissals of Wiretap Claims" (Apr. 5, 2023).
New Laws, Enforcement and Litigation Risks
Regulators continue to focus on the large volume of personal data collected by tracking technologies as well as the failure of some companies to transparently provide notice to consumers. Courts continue to see an influx of tracking technology cases expanding the litigation risk of companies.
More State Laws Require Users to Opt Out of Sales
In 2025, seven additional states will join California and Colorado in requiring companies to honor certain browser signals that permit users to opt out of "sales" of personal data and targeted advertising, with two more states joining the list in 2026. To comply with state law requirements, companies must implement consumer preference centers and recognize universal browser mechanisms, such as Do Not Track and Global Privacy Control. These new obligations join existing state law imperatives, like the completion of data protection impact assessments (DPIAs), which must be conducted whenever a company processes personal data for the purpose of targeted advertising or profiling, or if the processing presents a heightened risk of harm to consumers.
See "Advertising Opt‑Outs Drive New Privacy Strategies in 2025" (Dec. 18, 2024).
A Warning Shot
Bringing new enforcement emphasis on Global Privacy Control (GPC), the California AG settled its first-ever enforcement action against Sephora, Inc., in 2022. The AG alleged that Sephora failed to disclose to consumers that it was selling their personal data by allowing third-party companies (e.g., Google Analytics) to install tracking software on its website and in its app so that those third parties could monitor consumers as they shop. Further, according to the AG, Sephora failed to process consumer requests to opt out of the sale of their personal data via user-enabled GPCs, in violation of the CCPA.
The risk and potential liability for privacy violations related to tracking practices have grown significantly since the Sephora action. Companies that violate laws applicable to tracking technologies face not only monetary penalties, and brand rehabilitation and operational costs, but also the loss of public trust.
See "Lessons From California's First CCPA Enforcement Action" (Sep. 28, 2022).
Enforcement Expanded to SDKs
The California AG expanded its enforcement actions to SDKs when it announced a settlement in June 2024 with Tilting Point Media, LLC, the developer and publisher of the mobile app game "SpongeBob: Krusty Cook-Off" (SpongeBob App). The AG alleged that Tilting Point incorrectly configured third-party SDKs embedded in the SpongeBob App to collect and disclose personal data for targeted advertising without the necessary consent. The settlement included a $500,000 civil penalty and injunctive relief requiring an SDK governance program.
See "Navigating Evolving Mobile App Privacy Issues" (Mar. 5, 2025).
Texas AG Continues Enforcement Trend
The enforcement trend that began with Sephora continues in 2025 with the Texas AG's first lawsuit enforcing the state's Data Privacy and Security Act (TDPSA). In its complaint filed January 13, 2025, against Allstate Corporation and five of its subsidiaries (Allstate), the AG alleges that Allstate developed an SDK and paid third parties millions of dollars to integrate the SDK into their own apps so that Allstate could process several types of data, including mobile phone geolocation data, trip attributes, GPS points and metadata. Further, according to the complaint, the personal data was collected without notice or consent, Allstate's online privacy policies failed to disclose that it was selling personal data (instead, it stated the opposite), and it did not provide consumers with a mechanism to opt out.
The State of Texas seeks more than $1 million in monetary relief, including $7,500 per TDPSA violation, along with other fines and penalties, including attorneys' fees and court costs. In addition to the monetary relief, and as an arguably worse penalty, the State of Texas is seeking an injunction, including a mandate that Allstate delete or otherwise destroy all data obtained.
VPPA Is No Dinosaur
Courts continue to see cases involving tracking technologies filed under the VPPA and federal and state wiretapping laws. Circuit splits in several jurisdictions motivate plaintiffs' firms to file these types of claims (even in cases that appear fairly frivolous).
The U.S. Court of Appeals for the Second Circuit, in its October 2024 decision in Salazar v. National Basketball Association, likely expanded the VPPA's application. Salazar alleged that he signed up for a free online newsletter offered by the NBA, and that he visited the NBA's website, where he watched video content. He claimed that the NBA violated the VPPA by disclosing his video watching history and Facebook ID to Meta via the Facebook Pixel.
According to the Second Circuit, the personal data that plaintiff exchanged to sign up for the newsletter was "not insignificant" and was valuable to the defendants as it included the plaintiff's email address, IP address and device cookies. Notably, the Second Circuit stated, "The VPPA is no dinosaur statute. Congress deployed broad language in defining the term 'consumer,' showing it did not intend for the VPPA to gather dust next to our VHS tapes. Our modern means of consuming content may be different, but the VPPA's privacy protections remain as robust today as they were in 1988."
While the Second Circuit noted that this ruling was "narrow," VPPA plaintiffs and courts likely will cite this decision and its broad interpretation in future filings, as evidenced by a Southern District of New York January 2025 decision. In Berryman v. Reading International, Inc., the plaintiffs asserted VPPA class claims against a movie theater chain operator alleging the chain's website utilized the Meta Pixel to transmit visitors' personal data to Facebook, including movie trailers they watch and tickets they purchase. The court rejected the defendant's argument that it was not a "video tape service provider" under the VPPA insofar as the term applied to the defendant's website. The court heavily relied on Salazar, which, according to the court, "emphasized the breadth of [the] [VPPA's] statutory scheme" applies even where an entity does not "deal exclusively in audiovisual content."
See "Unpacking the Second Circuit's Bombshell VPPA Ruling" (Nov. 13, 2024).
Courts Grapple With Novel Legal Theories in Wiretapping and Pen Register Cases
The end of 2024 and the beginning of 2025 also have seen an increase in wiretapping and pen register lawsuits, particularly in two-party consent states, such as California and Pennsylvania. In these cases, courts continue to grapple with novel theories and arrive at both consistent and contradictory rulings.
In 2024, plaintiffs' attorneys continued to argue the new theory that the collection and disclosure of IP addresses or similar information about website visitors violates CIPA's "pen register" provision. These arguments were largely bolstered by the Southern District of California's decision to deny a defendant's motion to dismiss in Greenley v. Kochava, in which it determined that where an SDK allegedly collected app user location data "surreptitiously," it was a "pen register." Following Greenley, at least four California district courts have similarly denied motions to dismiss such claims under CIPA.
On February 18, 2025, the Southern District of New York, however, granted a defendant's motion to dismiss a plaintiff's CIPA pen register claim, offering support to defendants facing such claims. The court held in Gabrielli v. Insider, Inc. that the disclosure of an IP address does not bear a close relationship to the common law public disclosure of private facts and intrusion upon seclusion invasion of privacy torts. The court also held that alleging a violation of CIPA's "pen register" provision is the kind of statutory violation that is "divorced from any concrete harm," i.e., the mere disclosure of non-sensitive web browsing information of the plaintiff is not proof that the plaintiff suffered a particular and concrete harm arising out of a purported privacy violation.
The California Superior Court, on January 27, 2025, also dismissed a CIPA claim without leave to amend. In Sanchez v. Cars.com Inc., the "tester" plaintiff alleged that Cars.com deployed a tracking beacon on her device that recorded and transmitted her IP address to a third-party service provider when she visited the website without her knowledge or consent. The court rejected the claim, stating that CIPA was designed to address telephone wiretapping – not routine website tracking. This decision marks one of the first definitive judicial interpretations to find that CIPA's scope was never intended to regulate standard website analytics.
See "Google's Wiretap Cases Highlight Evolving Privacy Transparency Standards" (Jan. 24, 2024).
Tracking Health Data
HHS Guidance Leaves Enforcement Uncertain
In December 2022, the Department of Health and Human Services (HHS) issued guidance (Guidance) regarding tracking technologies. While the Guidance attempts to set clear lines, it leaves some gray areas. It provides that tracking technologies on a generic web page, like a home page, are not presumed to collect protected health information (PHI), but tracking technologies on a web page addressing a specific disease, or in a patient portal, for example, would be considered to collect PHI if users visit the page for their own use (rather than, for example, general research). Although the Guidance lacks clarity, once it was issued, numerous covered entities removed tracking technologies from many of their pages.
The Guidance was challenged in 2023 as overly broad and beyond the authority of HHS. In June 2024, a district court in Texas agreed, and HHS has stated it will not appeal the judgment. Other courts, however, have not agreed with the Texas district court's ruling and have permitted class action claims against covered entities alleging that use of tracking technology on health-related websites violates HIPAA and is actionable under certain state laws. The conflicting rulings leave covered entities uncertain about the legal and regulatory risks of using tracking technologies.
State Laws Add Complications
Further complicating matters are U.S. states' consumer health data laws in Washington, Nevada and New York. These statutes prohibit geolocation tracking in certain contexts and require consent in order to collect any other consumer health data or disclose that information to third parties. The definition of "consumer health data" under the statutes is very broad. The net effect may be that companies can easily cross an unseen line. For example, it could be argued that a connected vehicle that tracks geolocation, or a cell phone, should either shut off tracking or obtain explicit consent whenever the individual is near a health facility. To extend this logic further, the law would apply to passengers in a car even if the manufacturer receiving geolocation data did not know the passenger was present. There is a plethora of potential scenarios where companies must choose between compliance with the law and continuing in business.
See "Addressing the Operational Complexities of Complying With the Washington My Health My Data Act" (Apr. 3, 2024).
Practical Compliance Measures
To minimize risk related to use of tracking technologies, counsel and compliance professionals should consider taking the following actions.
Map Data
A thorough and regularly updated "data map" is essential to mitigate liability. This data map should include a list of all tracking technologies, including their purpose and uses, types of information collected, retention period, and whether they are first-party or third-party. Other personal information collected should also be included, e.g., geolocation. Often the process to create a data map will begin by identifying the relevant personnel or departments that maintain data or determine its uses. Once personnel are identified, a survey of those personnel can capture information about relevant uses and disclosures of personal data. This information may then be loaded into standard data collection software, such as a spreadsheet, or into one of the web-based data-mapping platforms offered by various third-party providers.
A critical element in creating a data map is to make sure that specific individuals remain responsible for completing the map, and that those driving the process follow up regularly.
Conduct DPIAs
Once a data map is completed, counsel should review each use of tracking technologies and determine whether it creates risk. For those uses and disclosures that are not per se illegal, but pose a risk to privacy, the company should conduct a DPIA to determine whether the activity is appropriate. For example, a company may undertake geolocation tracking in a state where it is permitted, but where such tracking also could lead to potential reputational harm to the company or unanticipated disclosures or uses.
DPIAs will start with completion of a survey, often by those proposing a new use case. The survey will ask about the following:
- use case;
- types and volume of data collected;
- purpose of the processing;
- vendors and other third parties involved;
- internal resources involved in the processing;
- any benefits and potential risks of the use to individuals, the company and the public; and
- mitigation measures available and to be used.
Once the survey is complete, a policy team (including the chief privacy official) should review the survey, determine its legality, weigh risks and benefits, and determine whether a use case is to be approved, approved with changes or rejected.
It is helpful to have counsel oversee the initial survey to support its treatment as attorney-client privileged. Documentation of the ultimate determination may also be subject to privilege, but should be prepared with the expectation of disclosure to regulators and others.
See "Unifying Risk Assessments: Breaking Silos to Enhance Efficiency and Manage Risk" (Jan. 29, 2025).
Address Consumer Requests – Utilize Cookie Banners and GPCs
Companies will also need to implement processes for individuals to opt out of tracking technologies and make other requests as required by law. This includes honoring universal opt-out mechanisms, such as GPCs. Often, tracking technologies will collect information such as IP addresses that are not easily connected to a specific individual, and therefore cannot easily be deleted or modified based on a webform or other standard method of collecting consumer requests. For that reason, cookie banners and GPCs may be the only methods used to operationalize state law requirements to honor consumer opt-out requests.
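The data-map catalogue described above and the opt-out handling in this section can be tied together in one server-side gate. The following is an added example, not code from the article: it reads the `Sec-GPC` (Global Privacy Control) and `DNT` request headers, which are the real header names those mechanisms use, and decides which tracking technologies from the data map may load on a page. The catalogue entries, the `consent_prefs` cookie format and the `requiresOptIn` flag are constructed assumptions for the demo.

```javascript
// Added example, not code from the article: a server-side gate that decides which
// entries of a data-map tag catalogue may load on a response, honoring the
// universal opt-out signals the article names. `Sec-GPC` (Global Privacy Control)
// and `DNT` are real request headers; the catalogue, the `consent_prefs` cookie
// format and the `requiresOptIn` flag are constructed assumptions for this demo.

// Constructed catalogue in the shape a data map would record (assumption).
const TAG_CATALOGUE = [
  { name: "session-cookie",      purpose: "necessary",            party: "first" },
  { name: "first-party-metrics", purpose: "analytics",            party: "first" },
  { name: "analytics-vendor.js", purpose: "analytics",            party: "third" },
  { name: "ad-pixel",            purpose: "targeted_advertising", party: "third" },
  { name: "session-replay.js",   purpose: "session_replay",       party: "third" },
];

// Assumed cookie written by the banner; its value is a comma-separated purpose list.
const CONSENT_COOKIE = "consent_prefs";

function lowerKeys(obj) {
  return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
}

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Purposes the visitor ticked in the banner, or null if the banner was never answered.
function bannerConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (raw === undefined) return null;
  return new Set(raw.split(",").map((s) => s.trim()).filter(Boolean));
}

// request: { headers: {...} } as a web framework would hand it over.
// requiresOptIn: true where express consent is needed before any non-necessary
// tracking; false for opt-out regimes such as the CCPA.
function decideTags(request, requiresOptIn, catalogue = TAG_CATALOGUE) {
  const headers = lowerKeys(request.headers || {});
  const optOutSignal = headers["sec-gpc"] === "1" || headers["dnt"] === "1";
  const consented = bannerConsent(headers["cookie"]);
  const allowed = [], blocked = [], log = [];

  for (const tag of catalogue) {
    let ok, why;
    if (tag.purpose === "necessary") {
      [ok, why] = [true, "necessary"];
    } else if (consented && !consented.has(tag.purpose)) {
      [ok, why] = [false, "declined in banner"];
    } else if (optOutSignal && tag.party === "third") {
      // Conservative reading (the position taken in the Sephora action): any
      // third-party, non-necessary tag is treated as a sale/sharing, so a
      // GPC/DNT signal switches it off even where a banner consent exists.
      [ok, why] = [false, "universal opt-out signal (Sec-GPC/DNT)"];
    } else if (consented && consented.has(tag.purpose)) {
      [ok, why] = [true, "consented in banner"];
    } else if (requiresOptIn) {
      [ok, why] = [false, "no express consent on record"];
    } else {
      [ok, why] = [true, "default in opt-out jurisdiction"];
    }
    (ok ? allowed : blocked).push(tag.name);
    log.push(`${ok ? "LOAD " : "BLOCK"} ${tag.name} (${tag.party}-party ${tag.purpose}): ${why}`);
  }
  // `log` is the per-request audit trail showing the signal was actually processed.
  return { optOutSignal, allowed, blocked, log };
}
```

Keeping the per-request `log` lines is what lets a company later demonstrate to a regulator that GPC signals were processed rather than silently dropped.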
See "Why Companies Unintentionally Fail to Honor Opt-Outs" (Aug. 16, 2023).
Execute DPAs
Companies should execute a data processing agreement (DPA) with any vendor or other third party receiving personal data. The DPA should meet requirements of state privacy laws as well as industry-specific statutes like HIPAA and the Gramm-Leach-Bliley Act, limit certain uses of personal information (e.g., for sales or targeted advertising) and set requirements for the security of data. Often, template forms are developed with input from counsel (to assure compliance with regulatory requirements) as well as IT security (to promote overall security of data). Compliance officers and counsel should understand which provisions are open to revision (and perhaps have back-up language) and know what terms are "must-haves." A few examples of must-haves may be requirements for reporting of breaches within a specific time frame, indemnification for loss of personal data and compliance with consumer data requests.
See "Key Terms and Negotiation Issues in Data Processing Agreements" (Sep. 13, 2023).
Update Notices
Once a thorough data map is complete, companies should review and update their privacy notices to make sure that they meet statutory requirements and are complete and accurate. Failure to do so may result not only in violation of state statutes, but also in regulatory review by the FTC and other federal agencies, as well as potential claims by individuals. A privacy notice should be included on the company's website (with a link in a footer on each page), and, in states like California, a notice should be provided at the time of collecting personal data. Notices will vary greatly depending on which laws apply, but often will include specific rights of individuals for each relevant state as well as a table laying out categories of personal data, their uses, disclosures and retention schedule. A separate table may be required to address any personal data that is sold, used for profiling or disclosed for purposes of targeted advertising. In California, and in countries where privacy laws apply to employees, a separate notice is often used to address business contact and employee information.
Train Employees and Vendors
As with all significant policies, employees and vendors must receive training to assure that the company complies with its own public statements and internal policies. Usually, companies will train their own employees and use DPAs that require all downstream vendors to train all of their employees who have access to personal information. Training should be completed prior to an employee or contractor accessing personal information, and updated training should be required on a regular basis (usually annually) thereafter. While training should include an overview of applicable laws, it also must be focused on relevant policies of the company. For example, training may state that consumers have certain rights (like deletion, correction, etc.) with respect to their data under state privacy laws, but the training will further address the specific methods for receiving, processing and documenting those privacy requests. For larger companies, training may vary based on job description, and those involved in receiving or processing consumer data, or who are otherwise involved in compliance efforts, should receive additional, intensive training.
Originally published by Cybersecurity Law Report, 12 March 2025
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.