“Pixel tracking” or “website wiretapping” class-action lawsuits

Posted on by

I saw a post on FB about a DPC doctor being sued because their website has tracking capabilities. Most of us have that. For example, Google Analytics. Hell, this site has it. Here is what my search found:

By embedding tracking code on the website (e.g., Google AnalyticsMeta/Facebook Pixel, TikTok Pixel, session-replay tools like Hotjar or FullStory, or similar scripts), the site operator is causing users’ browsers to send information — clicks, page views, form interactions, IP addresses, cookies, browsing behavior, etc. — to third-party companies (Google, Meta, etc.) without the visitor’s explicit consent. Plaintiffs’ lawyers frame this as an unauthorized “interception” or “eavesdropping” on the user’s communication with the website. They often rely on old wiretapping statutes, especially California’s Invasion of Privacy Act (CIPA), which prohibits intercepting or recording communications without all parties’ consent and also restricts certain “pen register” or trap-and-trace devices. Similar claims sometimes appear under the federal Wiretap Act or other state laws

  • Plaintiffs’ firms file these as class actions, seeking statutory damages (under CIPA, typically $5,000 per violation, or three times actual damages, whichever is greater). With thousands or millions of potential class members, the theoretical exposure can be enormous, even without proving any real harm to users. 
  • Many cases start with demand letters, then escalate to formal lawsuits (“served papers”).
  • Targets include businesses of all sizes across industries — not just big companies or healthcare sites (though healthcare sites face extra scrutiny due to potential HIPAA overlap). Any site with analytics, pixels, chat widgets, or session recording can be at risk, especially if it has visitors from California.
  • Courts have been split: some claims survive early motions to dismiss (allowing cases to proceed to expensive discovery), while others are dismissed. Settlements are common to avoid litigation costs. 

What do you do? You need to display a customizable consent banner and automatically block non-essential trackers/scripts (Google Analytics, Meta Pixel, etc.) until the user explicitly consents. A plain notice banner is not enough for real compliance; you need active blocking. 

I built my website and had to add a plug-in called WPConsent to fix this.

If you ignore this, then you may get served papers because your website captures information from people. And then you will need a lawyer.

This is your DPC public notice announcement.

3

About Douglas Farrago, MD

Dr. Farrago is a retired family physician based in Forest, Virginia. Since 2021, he has run DPCnews.com, a leading resource for the Direct Primary Care (DPC) movement. He is the author of three best-selling books on Direct Primary Care: The Official Guide to Starting Your Own Direct Primary Care Practice The Direct Primary Care Doctor’s Daily Motivational Journal Slowing the Churn in Direct Primary Care (While Also Keeping Your Sanity) In 2016, Dr. Farrago conceived the idea for the Direct Primary Care Alliance and co-founded the organization alongside other pioneering DPC physicians. He is widely recognized as a leading expert in the DPC model and frequently lectures to medical students, residents, and practicing physicians on how to successfully start and run their own DPC practices.Dr. Farrago sold his Direct Primary Care practice in October 2020 but continues to receive care there as a patient.