The past year was a busy one for privacy litigation: Website tracking litigation gained momentum. Plaintiffs repurposed legacy wiretap and video privacy statutes to target pixels, chat bots, and other AI-enabled user tools. Courts issued decisions that altered liability theories and deepened splits over statutory terms and defenses. Regulators remained active and staked out positions that stand to adjust private-plaintiff approaches to routine commercial website tracking.
In this post, we distill the year’s most consequential developments and what they mean for 2026.
1. Consent, “contents,” and third‑party liability under CIPA remain a flashpoint while California’s “commercial purpose” amendment stalls out.
CIPA decisions splintered on key elements. On consent, courts honored conspicuous and clearly worded click-wrap agreements and prominent cookie banners as giving users constructive notice of tracking. At the same time, decisions refused to credit statements regarding mere potential use as a basis for informed consent. Litigants battled over the statutory definition of “contents,” which was interpreted broadly in 2025 to include metadata (e.g., user flows) revealing consumer preferences and content interaction. As for third-party liability, vendor “eavesdropping” took center stage, with decisions focusing on narrow technological configurations. All told, the financial stakes remain high. As just one example, Meta faces significant liability in the Northern District of California for CIPA claims targeting the eavesdropping of consumer “app events” through software development kits (“SDKs”) integrated into Flo, a popular period-tracking service.
Businesses began the year hopeful that California would pass Senate Bill 690 to exclude routine commercial tracking from CIPA’s wiretap and pen‑register prohibitions. Although the bill advanced unanimously in the California Senate, it thereafter stalled in the Assembly. S.B. 690’s false start means businesses will face continued tracking litigation under CIPA for the foreseeable future. Should the bill gain renewed support in 2026, it will create a safe harbor for companies using tracking technologies “to further a business purpose”—though likely only on a prospective basis.
2. Courts continue to grapple with VPPA claim elements.
Plaintiffs leaned heavily on the Video Privacy Protection Act (“VPPA”) in 2025 to sue website providers that embed pixels with video content. A blizzard of new cases culminated in several doctrinal shifts at the circuit level. In Solomon v. Flipps Media, Inc., the Second Circuit adopted a narrow “ordinary person” view of “personally identifiable information” under the VPPA, joining the Third and Ninth Circuits. The Sixth Circuit, for its part, limited VPPA theories of liability by rejecting a broad interpretation of the statute’s definition of “consumer” in Salazar v. Paramount Global, holding that newsletter subscribers of non‑audiovisual goods and services are not VPPA “subscribers,” even if they view website videos. Other circuits remain more receptive to VPPA theories, though their respective district courts continue to struggle with whether event metadata, Facebook IDs, and URLs constitute “personally identifiable information” in different circumstances. As 2025 wraps, the viability of VPPA claims depends more than ever on jurisdiction and the technical configuration of the tracking technologies at issue.
3. The CCPA’s private right of action shows new teeth for “non‑breach” disclosures.
Recent rulings from the Northern District of California signal an expansion in the scope of the CCPA’s private right of action, which authorizes suit where an individual’s sensitive data is exposed via “unauthorized access, exfiltration, theft, or disclosure” when a business fails to put into place “reasonable security measures.” While this statutory language historically has served as the basis for claims in the data breach context, the decisions in Shah v. Capital One Financial Corp. and M.G. v. Therapymatch, Inc. leave open the possibility that private plaintiffs will increasingly leverage the CCPA as a general-purpose privacy enforcement tool.
4. Health data tracking remains a flashpoint.
Healthcare regulatory guidance on website tracking evolved while private enforcement intensified. After judicial vacatur of HHS’s 2022 bulletin on website tracking, the Office of Civil Rights (“OCR”) issued a revision in 2024 that broadened the circumstances under which the agency considers website activity data from unauthenticated users to qualify as personal health information (“PHI”). In the wake of this revision, courts have remained skeptical of the proposition that public website activity data conveys substantive medical information within the meaning of various state health privacy statutes (e.g., California’s Confidentiality of Medical Information Act). Defendants have scored occasional victories, with one Illinois court concluding that “merely browsing and searching [a] website does not convey individually identifiable information.” Still, total settlement values remain high, with 2025 featuring several big-ticket class resolutions involving Sutter Health ($21.5 million) and Kaiser Foundation Health Plan ($47.5 million).
Looking ahead to 2026.
As businesses review existing privacy practices within the context of 2025 litigation developments, several key principles should serve as a guide:
- Take stock. Inventory pixels and SDKs. Map data elements and events. Implement data minimization principles like IP anonymization, form-field suppression, and data collection restrictions.
- Stay conspicuous. Make consent real and specific. Tracking claims—whether brought under privacy statutes or deceptive trade practices acts—often come down to notice. Place conspicuous banners and use clear language that describes tracking categories, recipients, and sensitive‑data collection with a high level of specificity.
- Ensure technical accuracy. Statements in policies regarding privacy practices should be defensible and should not depend on ambiguities in language, which often do not matter when measured against statutory standards that are construed broadly to protect consumers.
- Ensure tight vendor integrations and controls. Claims often depend on technical configurations with third-party APIs and SDKs. From a governance perspective, ensure legal and technical use restrictions. To the extent you use tools to ensure compliance (e.g., ad conversion tools for remarketing), audit them to avoid any gaps in coverage.