A recent federal court decision offers important lessons for businesses that use cookies, pixels, and other tracking technologies on consumer-facing websites. Although the court dismissed one federal wiretap claim with leave to amend, it allowed other privacy claims to proceed, including claims under California’s pen register statute and common law intrusion upon seclusion.

The case involved allegations that a company’s website began collecting visitor data immediately upon a user landing on the site, before the user had a meaningful opportunity to reject non-essential cookies via a consent banner. The plaintiff alleged that, despite selecting “reject,” certain information had already been collected and transmitted to third parties, including browsing activity, website interactions, device information, session data, user identifiers, and geolocation data.

The court found that these allegations were sufficient, at the pleading stage, to establish a concrete privacy injury for damages. Importantly, the court emphasized that privacy harms may depend on the sensitivity and nature of the information collected. Browsing history, user interactions, identifiers, and location-related information may, in some instances, be enough to support standing when allegedly collected without consent.

The decision also highlights that a plaintiff’s status as a privacy “tester” does not automatically defeat standing. While courts may scrutinize whether a tester genuinely expected privacy and indeed have declined standing when a tester’s expectations that their information would be accessed, recorded, and disclosed are met, this court accepted the allegation that the user had expressly rejected non-essential tracking, which supported a reasonable expectation that tracking would not occur.

For businesses, the most practical lesson is that cookie consent tools must work as promised. A banner that allows users to reject non-essential cookies may create risk if tracking begins before a user has an opportunity to review the banner or make a selection, or if third-party technologies continue to operate despite a rejection. Businesses should not assume that having a banner alone is enough; they should test whether it is operating as intended or represented.

The decision also underscores the need to understand what data third-party tools collect. Courts are increasingly willing to consider whether website tracking technologies may fall within older privacy statutes, including laws originally written for telephone-era tracking devices. That means businesses should carefully evaluate pixels, analytics tags, advertising scripts, session replay tools, and related technologies.

If you have questions about web tracking and privacy issues for your business, contact a Jackson Lewis attorney to discuss.

Tags: banner, California, consent, litigatgion, opt-out, pixel, privacy, website tracking
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Privacy blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Read more about Jason C. Gavejian
Show more Show less
Related Posts
Illinois’ Draft AI Notice Regulations: What Employers Need to Know
December 17, 2025
District Court Upholds Browsewrap Agreements in Pennsylvania Wiretap Class Action
May 8, 2025
Class Certification Granted - California Website Tracking Lawsuit Reminds Businesses about Notice Risks 
February 6, 2025