The California Invasion of Privacy Act (CIPA) regulates the use of cookies, tracking pixels, and similar online trackers and analytics tools, making this a critical concern for any business operating a website.
In a recent decision (S.D. Cal. November 18, 2025), a California federal court allowed a lawsuit against sportswear company Adidas to proceed. The lawsuit alleges that the company's use of pixels to collect private information violated the CIPA. The court concluded that the company’s disclosure of the data collection wasn’t sufficient, because it didn’t obtain explicit consent from website visitors to collect their data.
This blog article delves deeper into the CIPA tracking pixel lawsuit. Read it to learn how tracking pixels can trigger CIPA violations, and how to audit your website for risky pixels.
What Are Tracking Pixels
Tracking pixels are invisible 1x1 pixel images embedded in websites, ads, or emails that fire when a page loads or a user takes an action. They track user activity, such as email opens, page views, and conversions. When loaded, they send data to third parties (ad platforms, analytics tools, or social networks).
Tracking pixels collect and send data to third parties that could be used to identify a user or monitor user behavior. Collected data includes:
- Page URL
- User’s IP address
- Device and browser details
- Location
- Referrer
- User behavior.
There are several types of pixels:
- Retargeting pixels: They are used to show repeated ads to users who have previously visited a website.
- Conversion pixels: These are placed on order confirmation pages to track the success of advertising campaigns.
Tracking pixels per se are not “bad”. They are essential for measuring email open rates and are used in attribution, retargeting, and conversion tracking, allowing marketers to optimize marketing campaigns.
The problem starts when they collect user interaction data and share it with third parties without user consent. If websites don’t inform users about tracking pixels, users would not even know that the site uses online trackers to track their online activity.
Note: Unlike cookies, which are stored in the user's browser, tracking pixels send data directly to web servers and are much harder for users to block or clear.
Why Tracking Pixels Are Under Fire in 2025
In 2025, lawsuits weren’t focused only on cookies or consent banners. They targeted how data is transmitted in real time and examined every method that could collect or share users' personal information.
Specifically, lawsuits were focused on whether tools like Meta Pixel or Google Analytics were silently tracking users’ online behavior and interactions.
In 2025, there were two big shifts:
- Lawyers are now using old laws (like CIPA) to control tracking tools.
- Courts are beginning to take these arguments seriously, instead of dismissing them.
Why now?
There are several reasons:
- Wide usage
Pixel usage exploded across marketing stacks. Pixels collect and share more information than users realize.
- High-stakes leaks
Recent leaks of sensitive data (health, finance, login pages) made headlines. People and governments became much more protective.
- Renaissance of older laws
Lawyers are taking old wiretapping rules, originally written for phones (like CIPA), and are reinterpreting them for modern tech.
Conclusion: what used to be standard marketing practice is now being considered as potential interception of user communications and a violation of user privacy rights.
What Is CIPA? A Quick Breakdown of California’s Wiretap Law
The California Invasion of Privacy Act (CIPA) is an old law, dating back to the 1960s. Originally, it targeted phone wiretapping.
CIPA prohibits the use of pen registers and trap and trace devices without a court order or user consent. The law provides for the recovery of statutory damages of $5,000 per violation, even when no actual injury or harm occurred, as well as attorney's fees in certain instances.
It applies to any company with a website accessible by California residents, even if the company is not based in California. The CIPA tracking pixel lawsuits raise concerns about the use of tracking pixels.
Now the law is being reinterpreted and applied to websites: the CIPA wiretap law is being used against website tracking.
Originally, CIPA says: “You can’t record or intercept a communication without consent from all parties involved”.
Historically, pen registers and trap and trace devices were used by law enforcement while conducting telephone surveillance. Pen registers captured the phone numbers of outgoing calls, while trap and trace devices captured the phone numbers of incoming calls.
CIPA defines pen register as "a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication."
In a modern online context, a pen register can be any online tool that registers user “communication”, while “communication”, mentioned by CIPA, can mean:
- Browsing pages
- Clicking buttons
- Filling out online forms.
Under CIPA, to record any of these communications, websites need user consent.
If a third-party script, such as a tracking pixel, captures user interaction without informing users, plaintiffs argue that the pixel provider is an unauthorized third party. Thus, using tracking pixels is a direct violation of the law.
In 2026, many commonly used technologies for user tracking are at risk, not only tracking pixels.
Recently, plaintiffs have successfully argued that data was collected and/or shared in a non-compliant way using website technologies including:
- Third-party tracking pixels and software (e.g., Meta Pixel)
- Third-party analytics (e.g., Google Analytics)
- Software developer kits (SDK)
- “Fingerprinting” software
- Cookies and identity profiles
- Application programming interfaces (API)
- Session replay software (e.g., LogRocket)
- Conversation intelligence software-as-a-service (SaaS)
- AI chatbots
- and other tools that could possibly identify users and track user behavior online.
Key CCPA/CPRA and CIPA differences: CCPA/CPRA focuses on data collection and user rights over data that could be applied after data is collected. CIPA focuses on real-time interception of communications and requires user consent before data collection.
How Tracking Pixels Can Trigger CIPA Violations
Tracking pixels can trigger CIPA violations when they collect and share user data with third parties without user consent. The key issue isn’t just data collection. It’s real-time sharing with a third party without user consent.
In practice, tracking pixels can create CIPA risk when they:
- Capture user inputs (form fields, search queries).
- Fire on sensitive pages (login, checkout, health info).
- Send data to third parties without consent.
A few common scenarios of tracking pixel legal risk:
1. Form tracking
Tracking pixels on forms increase legal risk. If you install a pixel to track conversions, it fires when a contact form is submitted and sends data to third parties, such as Google Analytics. That can be interpreted as intercepting private communication.
2. Session recording with tracking pixels
If you use tools that track clicks, scrolls, or typing behavior, you are tracking and potentially recording user behavior online. This is private data; thus, such activity can trigger CIPA violations.
3. Pixels on authenticated pages
Logged-in pages, dashboards, or account sections have a higher expectation of privacy. If you track users on authenticated pages, you enter a higher legal risk.
Real Examples: When Pixels Turn Into Lawsuits
Let’s see real examples when pixels turn into lawsuits for CIPA violations.
Camplisson v. Adidas Am., Inc.
Camplisson v. Adidas Am., Inc. (2025) is a key CIPA case where website visitors sued Adidas for using tracking pixels to collect data without proper consent. Website visitors alleged the company violated CIPA § 638.51 by installing two tracking pixels (the TikTok Pixel and Microsoft Bing) on the visitors' web browsers without their consent.
According to the plaintiffs, the trackers purportedly collected IP addresses, browser information, unique identifiers, and other PII and addressing information. The trackers supposedly also used so-called device fingerprinting, in which information collected through the trackers was associated with other PII to facilitate specific device activity tracking.
The court refused to dismiss the case, finding that these pixels could plausibly qualify as “pen register” devices under CIPA and that collecting user data (like IP addresses or unique identifiers) may be enough to support a claim.
Importantly, the court also ruled that Adidas did not obtain valid user consent. Even if the company’s Privacy Policy disclosed the use of tracking pixels, the document was buried in the footer and lacked any clear, affirmative opt-in.
Adidas sought to have the case dismissed, arguing, among other things, that the trackers did not meet the statutory definition of a pen register, because:
- The trackers only captured specific outgoing information from a given device, as opposed to all outgoing communications; and
- The information collected through fingerprinting was substantive, rather than mere dialing, routing, addressing, and signaling information.
The court rejected both arguments. Relying on CIPA's purportedly "intentionally broad language," the court stated that "most cases in this and other districts have also recognized that website-based trackers can plausibly constitute a pen register."
Greenley v. Kochava, Inc. (S.D. Cal. 2023)
Greenley v. Kochava, Inc. is one of the early cases that opened the door to investigations for CIPA violations based on digital tracking technology. The plaintiff alleged that Kochava’s embedded software collected identifying and routing-related data from mobile devices through fingerprinting. The court refused to dismiss the CIPA pen register claim, holding that tracking software could plausibly count as a “pen register” under the statute because CIPA covers a “device or process,” not just old-school physical hardware.
It was an important case since it was one of the first cases arguing that modern tracking software can fall under California’s older wiretap-style rules, and the tracking tools could be called pen registers.
Moody v. C2 Educ. Sys., Inc. (C.D. Cal. 2024)
The Moody v. C2 Educ. Sys., Inc. case involved allegations that C2’s website used TikTok tools to collect visitor data through fingerprinting, including device, browser, geographic, referral, and URL data, as well as form inputs through TikTok’s AutoAdvanced Matching feature.
The court refused to dismiss the case and concluded that this software could possibly qualify as a pen register or trap-and-trace device under CIPA, rejecting the argument that the law applies only to physical devices attached to telephone lines.
Moody pushed the trend further by applying the same logic to website tracking tools, which helped fuel more CIPA suits targeting pixels, cookies, and similar technologies.
The current decisions form a precedent for future lawsuits, demonstrating that courts may treat website tracking software, such as common tracking pixels, as pen registers or trap-and-trace devices under CIPA. The use of common tracking tools now raises potential risks for CIPA violations.
Best Practices to Mitigate CIPA & Tracking Pixel Risk
The caselaw highlights certain best practices that can help to mitigate CIPA & tracking pixel risk. Use the best practices for pixel tracking compliance:
- Audit website technologies
Websites are constantly evolving, driven by business needs, and constantly introduce new technologies that enhance customer experience and improve business outcomes. Thus, it is good business practice to regularly review those technologies to ensure alignment with applicable data privacy requirements and business needs.
- Don’t fire pixels before consent
This is a serious issue. If tracking pixels fire the moment the page loads, you could be in trouble. Block all non-essential pixels by default and only load them after a clear, affirmative opt-in.
- Do not track sensitive pages
It’s better to avoid tracking at all on some pages, where lawsuits tend to focus. Disable pixels on these pages that collect sensitive data: login / signup pages, checkout pages, contact forms, and health, financial, or account-related pages.
- Minimize data collection
Most websites collect data that they do not actually need but that could cause compliance problems. Instead of full form field tracking and detailed user inputs, collect just basic events (e.g., form submissions) or aggregated / anonymized data.
- Limit third-party data sharing
Every instance of third-party data sharing increases the risk of a violation. Remove unnecessary pixels, turn off auto data-sharing features, and avoid sending user data unless absolutely necessary.
- Regularly update Privacy Policies and Terms and Conditions
Website technologies and data privacy regulations are evolving constantly. Thus, regularly review and update your privacy policies and terms and conditions to reflect recent changes.
- Align legal and marketing tools
Sometimes, marketing teams install tools that are good for marketing but raise compliance issues. Legal teams may find out about such tools too late. To avoid this, document each tool's functionality and establish a simple approval process for new trackers.
- Implement alternatives to tracking pixels
Consider replacing tracking pixels with alternative technologies that use anonymized data collection and sharing or use server-side tracking.
- Coordinate with third-party vendors
After you look critically at your own use of trackers, it is time to evaluate any third-party vendors to ensure alignment with company goals. Make sure they also comply with laws and regulations, such as CIPA.
- Implement a Consent Management Platform (CMP)
Implement a CMP to provide a compliant Cookie Banner that clearly explains what data is collected and why, and allows granular choices (analytics vs marketing) and easy opt-out at any time. A proper CMP should collect and store user consent for proof of compliance.
Use CookieScript CMP to mitigate CIPA & tracking pixel risk. In 2025, CookieScript received its fourth consecutive badge as the leader on G2, a peer review site, and became the best CMP on the market for a whole year! It also has the GOLD Tier in the Google Tiering System.
CookieScript CMP has the following features:
- Integrations with CMS platforms like WordPress, Shopify, Joomla, etc.
- Cookie banner customization
- Google Consent Mode v2 integration
- IAB TCF v2.2 integration
- Google Tag Manager integration
- Global Privacy Control
- Certification by Google
- CookieScript API
- Cookie Scanner
- Consent recordings
- Third-party cookie blocking
- Geo-targeting
- Self-hosted code
- Cookie banner sharing
- Cross-domain cookie consent sharing
CookieScript also offers a 14-day free trial.
How to Audit Your Website for Risky Pixels
The goal is not to dismiss tracking pixels but to use them in a compliant way to avoid risks for non-compliance.
Use these steps to audit your website for risky pixels:
- Map every pixel and script
You must know what’s running on your site. Check your site for risky pixels, including the most common ones: Meta Pixel, Google Analytics, Google Ads, TikTok, LinkedIn, and session replay tools.
- Identify where tracking pixels fire
Some pages are more sensitive than others, so you should know where trackers fire and limit sensitive data tracking. Focus on pages that collect sensitive data: contact forms, login/signup pages, checkout flows, and any page collecting user input.
- Review consent flow
CIPA, as well as many other privacy laws, requires obtaining valid consent before loading trackers. Make sure no tracking pixel fires before consent. Provide a Cookie Banner with granular options (analytics vs marketing) and make it easy to withdraw consent.
- Check data sharing with third parties
Use browser dev tools or network inspectors to check what data is transmitted. Look for query parameters, form field values, and URLs with sensitive info.
- Limit third-party data sharing
Disable automatic data collection features and use server-side tagging where possible. Don’t share sensitive data at all, or strip sensitive parameters. Remember: the less data shared, the less exposure.
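One way to run the consent-flow and data-sharing checks above against a saved capture, as an added example that is not CookieScript's code: it reads a HAR file exported from the browser's network panel and flags third-party requests that fired before consent, came from a sensitive page, or carry user input. The policy sets, host names and sample capture are constructed assumptions.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed audit policy for this sketch; adapt both sets to your own site.
SENSITIVE_PATHS = ("/login", "/signup", "/checkout", "/contact", "/account")
SENSITIVE_KEYS = {"email", "em", "phone", "ph", "password", "q", "search"}
EMAIL_RE = re.compile(r"[^@\s=&]+@[^@\s=&]+\.[a-z]{2,}", re.I)


def _ts(value):
    """Parse a HAR timestamp (ISO 8601, usually ending in 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_har(har, first_party, consent_at=None):
    """Return one finding per third-party request in a parsed HAR capture.

    consent_at is the ISO 8601 time of the visitor's opt-in, or None if the
    visitor never opted in during the capture.
    """
    # Assumption: each page's "title" holds its URL, as in Chrome's HAR export.
    pages = {p["id"]: p.get("title", "") for p in har["log"].get("pages", [])}
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = urlsplit(req["url"])
        host = url.hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # only third-party destinations are in scope
        page_path = urlsplit(pages.get(entry.get("pageref"), "")).path
        reasons = []
        if consent_at is None or _ts(entry["startedDateTime"]) < _ts(consent_at):
            reasons.append("fired-before-consent")
        if page_path.startswith(SENSITIVE_PATHS):
            reasons.append("sensitive-page")
        # parse_qsl percent-decodes, so "jane%40example.com" is still caught.
        params = parse_qsl(url.query, keep_blank_values=True)
        leaked = sorted({k for k, v in params
                         if k.lower() in SENSITIVE_KEYS or EMAIL_RE.search(v)})
        body = unquote_plus(req.get("postData", {}).get("text", ""))
        if EMAIL_RE.search(body):
            leaked.append("<post-body>")
        if leaked:
            reasons.append("user-input:" + ",".join(leaked))
        findings.append({"host": host, "page": page_path, "reasons": reasons})
    return findings


# Constructed sample capture (not real traffic); hosts are placeholders.
SAMPLE_HAR = {"log": {
    "pages": [{"id": "p1", "title": "https://shop.example/"},
              {"id": "p2", "title": "https://shop.example/contact"}],
    "entries": [
        {"pageref": "p1", "startedDateTime": "2026-01-10T10:00:00.120Z",
         "request": {"url": "https://pixel.tracker.example/tr?ev=PageView"}},
        {"pageref": "p1", "startedDateTime": "2026-01-10T10:00:00.150Z",
         "request": {"url": "https://shop.example/static/app.js"}},
        {"pageref": "p2", "startedDateTime": "2026-01-10T10:00:09.000Z",
         "request": {"url": "https://pixel.tracker.example/tr?ev=Lead"
                            "&em=jane%40example.com"}},
    ]}}

if __name__ == "__main__":
    for finding in audit_har(SAMPLE_HAR, "shop.example", "2026-01-10T10:00:05Z"):
        print(finding)
```

A finding with an empty reasons list is still a third-party destination, so the full output doubles as the pixel inventory from the first step.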
Safer Alternatives to Traditional Tracking Pixels
You don’t have to dismiss tracking pixels completely. To mitigate CIPA and tracking pixel risk, marketers have shifted to more secure, server-controlled methods.
You could use one of these safer alternatives to traditional tracking pixels, including:
Conversion APIs (CAPI)
A Conversions API (CAPI) is a server-side tracking tool that connects an advertiser’s server, website platform, mobile app, or CRM directly to advertising platforms like Meta (Facebook), Google, or TikTok.
This is the new gold standard for 2026. Unlike traditional web pixels, which operate on the user's browser, the Conversions API sends data directly from the server. This allows businesses to accurately track customer behavior while complying with privacy regulations.
Working principle: When users enter their data, your website backend sends a hashed, encrypted packet of data (such as email, phone, purchases, form fills, and other activities) directly to the ad platform’s API.
Thus, it bypasses ad blockers and ITP limits. Because the data is sent server-to-server, it has a 100% match rate, unlike pixels which currently lose about 30–50% of data.
It is supported by Meta CAPI, TikTok Events API, Snapchat Conversions API, and Google Enhanced Conversions.
Server-Side Tagging (sGTM)
Server-side tagging is a method that allows your tags to measure user activity wherever it happens.
Working principle: You send all your website data to a single private cloud server that you own, usually via Google Tag Manager Server-Side. Server containers use the same tag, trigger, and variable model you already use. You can control data at this server: some data can be deleted, some encrypted, and some forwarded to third parties.
Server-side tagging allows businesses to:
- Improve page performance.
- Improve data quality.
- Unlock more detailed user privacy controls.
- Increase page loading speed.
Your website only loads one script instead of 10 or 30 different pixels, drastically improving SEO and load times.
This is a good tool to mitigate CIPA risk and comply with GDPR or CCPA: you can remove sensitive info at the server, before sensitive data ever reaches Facebook or Google.
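The server-side control described here and in the Conversions API working principle above, as an added example that is not any vendor's code: a filter your own backend applies before an event is forwarded, which checks consent, skips sensitive pages, strips URL parameters, and hashes the email. The policy sets, field names and payload shape are hypothetical and do not follow a specific ad platform's schema.

```python
import hashlib
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed policy for this sketch: pages never reported, URL parameters removed,
# and the only event fields allowed to leave your server.
BLOCKED_PATHS = ("/login", "/signup", "/checkout", "/account")
STRIP_PARAMS = {"email", "phone", "token", "q", "session"}
ALLOWED_FIELDS = {"event", "value", "currency"}


def hash_identifier(value):
    """SHA-256 of the trimmed, lower-cased identifier, hex encoded."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def scrub_url(url):
    """Drop sensitive query parameters and the fragment from a page URL."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in STRIP_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), ""))


def build_outbound_event(raw, consent):
    """Return the payload to forward to a vendor, or None to send nothing.

    raw     -- event received from your own site (dict)
    consent -- purposes the visitor opted in to, e.g. {"marketing"}
    """
    if "marketing" not in consent:
        return None  # no opt-in, nothing leaves the server
    if urlsplit(raw["page_url"]).path.startswith(BLOCKED_PATHS):
        return None  # sensitive pages are never reported
    # Allow-list: client IP, user agent and form fields are dropped here.
    event = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    event["page_url"] = scrub_url(raw["page_url"])
    if raw.get("email"):
        event["email_sha256"] = hash_identifier(raw["email"])
    return event


# Constructed sample event as your own site might send it to your server.
SAMPLE_EVENT = {
    "event": "purchase", "value": 59.9, "currency": "USD",
    "page_url": "https://shop.example/thanks?order=77&email=jane%40example.com#top",
    "email": " Jane@Example.com ", "client_ip": "203.0.113.7",
    "form": {"message": "please call me"},
}

if __name__ == "__main__":
    print(build_outbound_event(SAMPLE_EVENT, {"marketing"}))
    print(build_outbound_event(SAMPLE_EVENT, {"analytics"}))
```

A SHA-256 of an email address is still a stable identifier that the receiving platform can match, so the consent check applies to the hashed value as well.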
First-party analytics
First-party analytics means analyzing data collected directly from your own sources, such as websites, apps, CRM, or surveys, to understand customer behavior and preferences. This data is high-quality, accurate, and CIPA-compliant because it is gathered directly from users, rather than purchased.
First-party analytics allow businesses to:
- Store data on your infrastructure.
- Prevent data sharing with external platforms.
Less dependency on third parties becomes crucial for personalized marketing and improved targeting without using tracking pixels or cookies.
Zero-party data
Zero-party data (ZPD) is information that customers intentionally and proactively share with a brand. Businesses can ask for such data directly. When customers trust a brand, they will provide the requested information in return for a more personalized experience.
Businesses could use post-purchase surveys, interactive quizzes, or preference centers to ask for zero-party data. Loyal customers usually are willing to share their preferences, purchase intentions, and personal context.
Zero-party data is 100% accurate, legal, and doesn't rely on cookies. This high-accuracy data helps companies provide personalized experiences, build trust, and comply with privacy laws, such as CIPA.
In 2026, zero-party data yields up to a 25% higher conversion rate because personalization is based on real user needs.
Privacy-Preserving Measurement (PPM) & Clean Rooms
Privacy-preserving measurement (PPM) and data clean rooms use a neutral, secure, controlled digital space where multiple parties (e.g., advertisers, publishers, retailers) can combine and analyze their datasets.
Multiple parties can use a neutral digital space, such as Amazon Marketing Cloud or Snowflake, to analyze their data sets without seeing each other's raw customer info.
PPM and data clean rooms allow businesses to see their ads’ efficiency without exchanging personal data.
This approach allows companies to reach CIPA compliance and satisfy strict Privacy by Design requirements of the EU AI Act.
Conclusion: in 2026, tracking pixels are considered a legacy technology. Most companies replace tracking pixels with safer alternatives. Chrome browser now uses a User Choice model, where users can accept or restrict tracking. For those who restrict tracking by clicking "Limit," traditional tracking pixels can no longer be used. The server-side tagging, CAPI, and Zero-party data methods mentioned above become the only way to measure conversion.
FAQs About Tracking Pixels and CIPA Lawsuits
How to limit tracking by tracking pixels?
Users can restrict tracking pixels by disabling automatic image loading in email clients, using privacy-focused browser extensions, or using VPNs to mask IP addresses. Use CookieScript Cookie Scanner to scan your website for free to see all your website cookies, tracking pixels, and other trackers in use.
What are the key CCPA/CPRA and CIPA differences?
Even though both laws require user consent for data collection, they have a different focus. CCPA/CPRA focuses on data collection and user rights over data that could be applied after data is collected. CIPA regulates the real-time interception of communications, requiring user consent before data collection occurs. Use a Consent Management Platform like CookieScript to collect user consent and comply with CCPA, CIPA, and other privacy laws.
Can I still use Meta or Google pixels?
Yes, but there are strict conditions to use Meta or Google pixels: load them only after user consent, limit tracking to non-sensitive pages, avoid sending personal or form data, and disable features like automatic data matching. It’s not recommended to use Meta or Google pixels to track activity on login, checkout, or form pages, capture user inputs or identifiers, or share data with third parties in real time.
Are tracking pixels legal?
Yes, but only if you use them correctly. To avoid tracking pixel legal risk, you should get clear user consent before starting tracking, explain what data is collected and who it is shared with, avoid collecting sensitive information, and limit data sharing with third parties. Scan your website for free with CookieScript Cookie Scanner to see all your website cookies, tracking pixels, and other trackers in use.
What counts as user consent under CIPA?
Under CIPA, user consent is considered real, informed, prior permission to use cookies, pixels, and similar online trackers. Valid consent should be prior (given before any pixel or tracking script fires), explicit (a clear action, not passive browsing), informed (users should understand what data is collected and who it is shared with), and specific (separate choices for analytics vs marketing). Use a Consent Management Platform like CookieScript to collect user consent and comply with CCPA, CIPA, and other privacy laws.
Do I need consent for tracking pixels?
Yes, tracking pixels collect customer data; thus, you need user consent. Valid consent should be prior (given before any pixel or tracking script fires), explicit (a clear action, not passive browsing), informed (users should know what data they share), and specific (separate choices for analytics vs marketing). Use CookieScript CMP to collect user consent and comply with CCPA, CIPA, and other privacy laws.
How to avoid CIPA lawsuits when using website tracking
To avoid CIPA lawsuits, get consent before firing cookies or tracking pixels, don’t use implied consent or passive banners, control your tracking (don’t use tracking pixels on sensitive pages, don’t collect unnecessary data, and audit your tracking regularly), and limit third-party sharing (share only what’s necessary, disable features like automatic data matching). It’s also recommended to use alternatives to tracking pixels, such as server-side tracking.