Web Tracking Litigation:
Four Trends We’re Seeing in 2024

By Data Privacy Specialist Ekaterina Lyapustina and FBFK Commercial Litigation Attorney Ekaterina Long

While web tracking litigation became a major headache for companies in 2023, new trends are emerging within this niche in 2024 that are critical to call out.

As a backdrop, many companies use Internet tracking tools to analyze user activity and improve user experience online. Pixel systems and session replay software, for example, are quite dominant among major tech players.  Pixels can be embedded in a website to record a particular user’s clicks or scrolls and pages the user visited, among others, and session replay software is a tool used to record and replay user sessions on a website or application. The point? These web tracking methods are now in the “hot seat” because they are being used for personal data collection in new and highly compromising ways.  

Consumers have recently brought tech giants to court, arguing that they not only collected their personal data but also shared it with advertisers without first obtaining their consent. Not surprisingly, this wave of class-action lawsuits involving web tracking technology is a growing concern among tech companies.

For tech companies looking to stay ahead of challenging data privacy situations that pose a substantial risk, we’ve outlined four key trends to be aware of below. Moreover, it’s important to know that a tech company will likely need the help of a data privacy lawyer to navigate these trends.

 

Four Key 2024 Web Tracking Litigation Trends

1. Litigation Against Routine Marketing

While web tracking lawsuits mostly involved chatbots and session replay software in 2022/2023, the tide has changed drastically in 2024. Now, plaintiffs are targeting standard marketing tools like Google Analytics and Meta Pixel. These tools were considered the “safe zone” in the world of online advertising, but now, even Google has had to settle a $5 billion lawsuit for tracking users in incognito mode. This trend will continue to evolve in the second half of the current decade, and tech firms may require expert legal counsel to attempt to dismiss web tracking lawsuits at a pre-trial level or, if the lawsuit survives the pre-trial stage and does not settle, reduce damages.

Plaintiffs appear to favor California as a venue for bringing web tracking lawsuits. Their claims range from such common law theories of liability as breach of contract and invasion of privacy to statutory claims for a violation of California Privacy Rights Act (CPRA), Unfair Competition Law (UCL), the California’s Anti-Hacking Law, and California Invasion of Privacy Act (CIPA), among others. A fundamental issue being litigated in these suits is whether any of these claims may be asserted for tracking and collecting user web data in the absence of the user’s express consent to the same. Some statutory claims present additional legal issues that are unique to the statute at hand.

For instance, under the California Anti-Hacking Law, also known as the Computer Data Access and Fraud Act (CDAFA), the meaning of the “without permission” phrase in the statute is frequently litigated. Under CDAFA, liability arises when a party, without permission, knowingly accesses a computer or data or wrongfully uses the data to gain control over the victim’s property or money. But the lack of the victim’s consent when the party accesses or misuses their data may not necessarily create liability under CDAFA.

The UCL web tracking class action lawsuits frequently focus on a threshold issue of plaintiffs’ standing. If plaintiffs’ allegations fail to allege that defendants caused their injury by tracking their data on a website or application and as a result depriving them of money or property, defendants may be able to successfully dismiss the class action at a pre-trial phase.

2. The Power of Statutory Damages

Another major trend in web tracking litigation is easy access to statutory damages, which raises the risk of economically draining even major tech companies. These statutory damages can amount to:

  • $5,000 per violation as per the California Invasion of Privacy Act (CIPA)
  • $100 per day as per the Florida Security of Communication Act (FSCA)
  • Up to $1,000 for negligent violations and $5,000 for reckless or intentional violations as per Illinois Biometric Information Privacy Act (BIPA).

One good example is when companies collect biometric data from website visitors and, as a result, face litigation – particularly under the Illinois Biometric Information Privacy Act (BIPA). BIPA strictly regulates the collection and use of biometric data, and recent legal actions underscore its significance. In a landmark case last October, a jury awarded $228 million against a company for improperly collecting and storing fingerprints without informed written consent. Given BIPA’s severe penalties – up to $1,000 per negligent violation and $5,000 per reckless or intentional violation – many companies are opting to settle.

A notable defense in BIPA cases is demonstrating that the conduct did not occur in Illinois, as seen in the 2022 dismissals of class actions against Amazon and Microsoft. However, with the surge in biometrics litigation and significant jury verdicts, such cases are expected to increase, not just in Illinois but also in other states like California, where lawsuits have been filed against vendors for capturing “voice prints” at call centers.

As a result, the prospect of being liable for these damages may incentivize tech companies into early settlements simply because these laws don’t require proving the actual damages and are designed to favor plaintiffs.  The settlements could, in turn, encourage the filing of more class actions, creating a vicious circle.

3.    Identifying the Guilty Provider

Another critical trend involves web users – very often healthcare patients – not being able to determine exactly which third party should be held accountable for violating a state’s wiretapping laws. Since websites often employ the services of several providers, taking targeted approaches to mitigate the risk of web tracking litigation has become increasingly difficult. As a result, we can see healthcare providers revisiting previous mitigation strategies, such as the one where all web users give opt-in consents when visiting the website. Tech companies using these providers, therefore, must work with privacy lawyers if they wish to avoid lawsuits of this nature.

4.    Dispute Over “In Transit” Interceptions

Lastly, many defendants have argued against the validity of CIPA claims by stating that the law regarding illegal wiretapping necessitates that the hacked message must have been intercepted in transit. In Jacome v. Spirit Airlines, the plaintiff couldn’t show that the interception occurred “contemporaneously with transmission,” losing the case. Since plaintiffs failed to prove that the information between the website and the user was intercepted “in transit,” the court didn’t acknowledge their CIPA claim as valid. However, some federal judges consider even the allegations of “in transit” interception enough to give legal merit to the case.

 

Final Thoughts

Hundreds of pending class actions in state and federal courts bring rising concerns about tracking technologies among social media consumers, such as lawsuits against healthcare providers and claims for Video Privacy Protection Act violations. These web tracking trends are changing the way companies collect consumer information for advertising purposes.

Given this reality and to avoid web tracking lawsuits from disrupting workflow, it’s wise to consider hiring a data privacy lawyer who is aware of the latest trends in web tracking. A data privacy lawyer will ensure you comply with all local and global privacy laws. In this cybersecurity-conscious world, data breaches have devastating consequences even for small business owners.