In the rapidly evolving digital landscape, the use of cookies and other tracking technologies has become increasingly widespread, raising legal questions that courts across the country continue to grapple with. Plaintiffs have invoked a variety of federal statutes, each with its own requirements and judicial interpretations.
This article examines how federal courts have addressed claims brought under key federal privacy statutes, highlighting the emerging legal trends that both plaintiffs and defendants must navigate in online tracking litigation.
See "Managing Tracking Technologies and Their Privacy Dilemmas in 2025" (Mar. 12, 2025).
The Wiretap Act
The Wiretap Act has proven to be a popular vehicle for cookie-based tracking litigation, though circuit splits have created uncertainty about its reach. The law, in 18 U.S.C. § 2520(b) and (c)(2), prohibits the intentional interception of electronic communications, offering injunctive relief, attorney's fees and potentially substantial damages – either actual damages or statutory damages of $100 per day or $10,000, whichever is greater. This remedial scheme has made the Wiretap Act a frequently invoked statute in tracking technology litigation.
Exception for Parties to the Communication
The Wiretap Act's application has generated disagreement among circuit courts, particularly regarding whether entities that simultaneously copy or redirect user communications qualify as "parties" exempt from the Wiretap Act's prohibitions. This exemption provides, in 18 U.S.C. § 2511(2)(d), that it is not unlawful for a person to intercept communications where that person is a party to the communication or where one of the parties has given prior consent to such interception, unless the interception is for an unlawful purpose.
Wiretap Act claims involving the use of cookies often center on alleged copying of "GET" requests – the browser command that retrieves webpage content – from a user's browser to third-party websites. Consequently, these claims raise the question of whether a company that simultaneously duplicates such requests constitutes a "party" to the communication within the meaning of the Wiretap Act, or whether such duplication represents a prohibited interception.
The Ninth Circuit has limited who it considers a party to the communication, holding that simultaneous duplication of GET requests constitutes a prohibited interception. In In re Facebook, Inc. Internet Tracking Litigation, the court held that "simultaneous, unknown duplication and communication of GET requests do not exempt a defendant from liability under the party exception." The court explained that "[p]ermitting an entity to engage in the unauthorized duplication and forwarding of unknowing users' information would render permissible the most common methods of intrusion, allowing the exception to swallow the rule."
By contrast, the Third Circuit has taken a more exception-expansive approach. In In re Google Inc. Cookie Placement Consumer Privacy Litigation, it held that defendant Google and defendant advertising services were "the intended recipients of the GET requests" and thus "were parties to the transmissions at issue," exempt from liability under the Wiretap Act. The court determined that the complaint's allegations "support only the conclusion that the defendants acquired the plaintiffs' internet history information by way of GET requests that the plaintiffs sent directly to the defendants." It noted "that the defendants deployed identifier cookies to make the information received from GET requests associable and thus trackable."
See this two-part series "CIPA Jury Verdict Against Meta": Privacy Litigation Strategies and Lessons (Sep. 3, 2025), and Compliance Takeaways and the Wiretap Litigation Landscape (Sep. 24, 2025).
Protection for Communicative Content
Beyond the party exception, courts have also grappled with whether cookies and other tracking data constitute "contents" of communications protected by the Wiretap Act. In a case involving tracking cookies placed on children's computers, In re Nickelodeon Consumer Privacy Litigation, the Third Circuit held that if URLs reveal "substantive information" about web browsing activity, they then qualify as protected content. The court concluded that "substantive" URL information conveys more than mere "dialing, routing, addressing, or signaling information."
The Ninth Circuit has reached a narrower conclusion, distinguishing search URLs that contain the substance of a web query from URL referrer headers showing Facebook IDs and web address information. In In re Zynga Privacy Litigation, the court held that "'contents' refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication."
Judging an Interception "Contemporaneous With Transmission"
The Wiretap Act's "contemporaneous with transmission" requirement for interception has further limited its application. Courts applying this standard often require that the alleged interception occurs during transmission, not while the communication is in electronic storage. This requirement has created a temporal window during which tracking activities must occur to violate the Wiretap Act – an analysis that has become increasingly technical as tracking technologies evolve.
Practical Implications
These requirements and circuit splits have significant implications for companies operating nationwide, as cookie-based tracking practices that are lawful in one jurisdiction may create liability in another. Technical details often determine outcomes. Practitioners must evaluate both applicable circuit precedent and specific technical implementations when assessing compliance requirements or litigation exposure under the Wiretap Act.
Although not a federal law, courts – e.g., in Brodsky v. Apple Inc.– have held that the analysis for a claim brought under §631(a) of the California Invasion of Privacy Act (CIPA) is the same as the federal Wiretap Act. However, practitioners should note that the Wiretap Act is a one-party consent statute while CIPA requires all-party consent, and thus reinforces the need to evaluate applicable precedent when deploying tracking technologies.
Nevertheless, as tracking technologies continue to evolve, the Wiretap Act will likely remain at the center of privacy litigation, with its application shaped by the resolution of circuit splits and the sophistication of the tracking technology at issue.
See this four-part series on tracking technologies: "Privacy Regulation, Enforcement and Risk" (Jan. 17, 2024), "A Deep Dive on What They Are and How They Work" (Jan. 31, 2024), "A 360‑Degree Governance Plan" (Feb. 21, 2024), and "Compliance Challenges and Solutions" (Apr. 17, 2024).
The Stored Communications Act
While plaintiffs frequently invoke the Stored Communications Act (SCA) in cookie-based privacy litigation, courts have limited its applicability through narrow readings of the statute's core elements. To prevail on an SCA claim, plaintiffs must establish that defendants (1) intentionally accessed without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeded an authorization to access that facility; and thereby obtained, altered, or prevented authorized access to a wire or electronic communication while it is in electronic storage in such system.
Strict Readings of the Facility Requirement
The threshold requirement for a "facility" has blocked many cookie-based SCA claims, with courts rejecting the notion that personal computers or mobile devices qualify as "facilities" under the SCA. The Third Circuit's decision in In re Google exemplifies this approach, concluding a personal computer "is not a 'facility through which an electronic communications service is provided.'"
Plaintiffs attempting to characterize their browsing data as being in "electronic storage" have faced an equally challenging hurdle. Courts have interpreted "electronic storage" to require temporary, intermediate storage incidental to transmission – a requirement that permanent cookie storage on hard drives generally does not meet. As the court observed in In re DoubleClick Inc. Priv. Litig., "indefinite existence" on hard drives is "the opposite of 'temporary.'"
More Courts Grant Standing
Despite these limitations, plaintiffs pursuing SCA claims have fared better on the question of standing. Since the Supreme Court's decision in Spokeo, Inc. v. Robins, federal courts have generally found that SCA violations give rise to concrete injuries sufficient to establish Article III standing. In In re Facebook, the Ninth Circuit recognized that the SCA codifies substantive privacy rights, the violation of which constitutes a concrete and particularized injury. This finding has allowed some claims to survive initial standing challenges, only to later fail on the merits due to the restrictive interpretations of the statute's substantive requirements.
The disconnect between the SCA's standing threshold and its substantive limitations reflects a broader tension in privacy litigation. While courts increasingly recognize privacy violations as cognizable injuries, they remain reluctant to extend decades-old statutes to modern tracking technologies without clear congressional direction. These restrictive interpretations have limited the SCA's applicability in cookie-based privacy litigation to narrow circumstances where plaintiffs can demonstrate temporary storage and unauthorized access to a qualifying facility.
See "Lessons From the Trenches: Winning Strategies for Defeating Pen Register Lawsuits" (Jun. 12, 2024).
Practical Implications
The SCA is a challenging basis for cookie-based privacy claims. Courts have consistently interpreted the definition of facilities narrowly, making it difficult for plaintiffs to succeed in these cases. Litigants should consider venue choices carefully, as the precedent regarding standing, cognizable harm and what services qualify as a facility will impact litigation strategy.
The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) has proven to be an awkward fit for cookie-based privacy claims, primarily due to its focus on economic harm. Originally designed to combat computer hacking, the CFAA, in 18 U.S.C. § 1030, requires plaintiffs to demonstrate "damage" or "loss" aggregating to at least $5,000 – a threshold that often thwarts cookie-based claims.
Damage Claims Rejected
Courts have rejected arguments that the unauthorized collection or disclosure of personal information through cookies constitutes compensable "damage" under the CFAA. The Third Circuit's decision in In re Google showcases this approach, finding that plaintiffs' showing that browsing history information had market value was insufficient because they alleged "no facts suggesting that they ever participated or intended to participate in the market they identify, or that the defendants prevented them from capturing the full value of their internet usage information for themselves."
Similarly, allegations that cookies "damaged" computers have been rejected, as plaintiffs have been unable to quantify any actual harm to their devices. In Mount v. PulsePoint, Inc., the court found that plaintiffs could not satisfy the CFAA's monetary threshold because they had not "paid for Safari" nor "pled any facts from which [the court] could infer that the alleged 'impairment' to their browsers caused quantifiable damages."
Challenges to Establishing Loss
The CFAA's definition of "loss" has created an equally challenging barrier. The CFAA, in 18 U.S.C. § 1030(e)(11), defines "loss" to include costs of responding to an offense, damage assessment, data restoration and lost revenue from service interruption. Since cookies rarely require users to spend time or money fixing their devices or result in service interruptions, plaintiffs have been unable to establish the requisite economic harm. As the court in In re DoubleClick observed, "[U]sers may easily and at no cost prevent [the defendant] from collecting information by simply selecting options on their browsers" or opting out.
Practical Implications
Unlike the Wiretap Act and SCA, which protect privacy interests regardless of economic impact, the CFAA's damage and loss requirements create a barrier to cookie-based privacy claims. Absent significant financial consequences from cookie placement, the CFAA will likely remain a peripheral statute in online tracking litigation.
The Video Privacy Protection Act
While earlier privacy statutes have shown limited adaptability to cookie technology, the Video Privacy Protection Act (VPPA) has seen significant litigation growth in the era of Meta Pixel and similar tracking technologies. Originally enacted in 1988 to protect video rental records, courts have interpreted the VPPA to apply to some modern video tracking practices.
The Evolution of Video Service Providers
The VPPA, in 18 U.S.C. § 2710(b)(1), prohibits video tape service providers from knowingly disclosing PII about their consumers. Courts, such as in In re Hulu Priv. Litig., have extended the VPPA to online video providers, recognizing that "Congress was concerned with protecting the confidentiality of private information . . . regardless of the business model or media format involved." This judicial willingness to apply the VPPA to digital contexts has made it increasingly relevant in the age of streaming media.
Companies have attempted to defend against these claims by arguing that they are not "video tape service providers," particularly when video sharing is peripheral to their core business. Courts have developed a functional test, examining whether the defendant's product or service is "substantially involved in the conveyance of video content" and "significantly tailored to serve that purpose." In In re Vizio, Inc., Consumer Privacy Litigation, the court applied this approach, finding that a manufacturer of smart televisions with integrated streaming software qualified as a video tape service provider where the software was designed to seamlessly deliver content from multiple streaming platforms and the defendant charged consumers a premium specifically for this capability.
Defining PII As an "Ordinary Person" Would
In 2025 and a few years prior, litigation centered on the use of Meta Pixel, a tracking technology that, when deployed on webpages showing videos, transmits a user's Facebook ID along with video-viewing history. This technology has raised questions about what constitutes PII under the VPPA. The Second, Third and Ninth Circuits have adopted an "ordinary person" standard under which PII is limited to the information that would allow an ordinary person – rather than a "sophisticated technology company" – to identify a consumer's video-watching habits. The Second Circuit, applying this test in Solomon v. Flipps Media, Inc., found that video titles and Facebook IDs transmitted via Meta Pixel do not constitute PII because they are embedded within complex code strings that an ordinary person could not readily decipher to identify specific individuals' video-watching habits.
By contrast, the First Circuit in Yershov v. Gannett Satellite Info. Network, Inc. applied a broader "reasonable foreseeability" standard, under which PII includes information that is "reasonably and foreseeably likely to reveal which . . . videos [the plaintiff] has obtained." A district court in the Circuit, applying this standard in Belozerov v. Gannett Co., found that a Facebook ID transmitted via tracking pixel constitutes PII because it is "a unique identifier that allows anyone to discover the user's identity."
Questions About Subscribers and a "Knowing Disclosure"
Another contested issue involves the meaning of "subscriber" under the VPPA. Courts are divided on how to construe the term. The Sixth Circuit and several district courts have taken strict views, requiring that plaintiffs subscribe specifically to receive audio-visual materials rather than merely subscribing to a defendant's products generally. Under this interpretation, when plaintiffs have alleged they subscribed to online newsletters that incidentally contained videos or video links, courts have generally held that such subscriptions do not trigger VPPA liability.1 However, the Second and Seventh Circuits have adopted a broader interpretation, holding that subscribing to any goods or services – including non-audiovisual newsletters – from a video provider suffices to confer subscriber status under the VPPA.2
Another litigated question has been whether website operators "knowingly disclose" PII when they install Meta Pixel on their sites. Defendants have argued that they lack the requisite knowledge because they do not know whether their users are Facebook users. Additionally, the Meta Pixel triggers the sharing of a Facebook ID through the user's browser rather than directly from defendants' websites. Courts have rejected this technical distinction, however. As the court in Czarnionka v. Epoch Times Ass'n, Inc., reasoned, "By installing the Pixel, Defendant opened a digital door and invited Facebook to enter that door and extract information from within."
Practical Implications
The VPPA has shown broader applicability to modern tracking technologies than other pre-internet privacy statutes. While the SCA, Wiretap Act and CFAA have encountered significant interpretive limitations in cookie-based litigation, courts have more readily applied the VPPA to video tracking through Meta Pixel and similar technologies. The statute's protection of identifiable viewing habits, rather than specific technical processes, has proven less dependent on particular technological implementations than the more technically specific provisions found in other privacy laws. As such, businesses should pay careful attention to data transmitted via tracking technologies when video players are embedded into a webpage and be sure to get consent before viewing data is transmitted as a matter of prudence.
Moving Forward
Strong and robust governance is a critical measure to mitigate the litigation and regulatory risks surrounding tracking technologies. Before deployment, legal teams should have a clear technical understanding of how data flows through their technologies, which will then support an assessment of how laws governing tracking technologies apply to the technology's precise operation. Governance and compliance measures should also include clear consent-gathering mechanisms and transparent disclosures to help mitigate liability arising from claims rooted in insufficient notice and consent.
Vendor oversight is essential to reducing the risk of legal claims, as are regular technical audits to confirm that tracking tools do not transmit data and communications without the business's knowledge. Finally, privacy impact assessments and detailed recordkeeping help organizations not only identify and mitigate risks early but also demonstrate a responsible compliance program when placed under regulatory or legal scrutiny.
Footnotes
1. See, e.g., Salazar v. Paramount Glob., 683 F. Supp. 3d 727 (M.D. Tenn. 2023), aff'd, 133 F.4th 642 (6th Cir. 2025); Carter v. Scripps Networks, LLC, 670 F. Supp. 3d 90 (S.D.N.Y. 2023); and Brown v. Learfield Commc'ns, LLC, 713 F. Supp. 3d 355 (W.D. Tex. 2024).
2. See, e.g., Salazar v. Nat'l Basketball Ass'n, 118 F.4th 533 (2d Cir. 2024); and Gardner v. Me-TV Nat'l Ltd. P'ship, 132 F.4th 1022, 1023 (7th Cir. 2025), reh'g denied, No. 24-1290, 2025 WL 1433664 (7th Cir. May 14, 2025).
Originally published by Cybersecurity Law Report on the 21th of January, 2026.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
