Tracking Pixel Litigation

State of play.

• The Second Circuit has hardened its defense-favorable "ordinary person" test for VPPA pixel claims. The Golden v. NBCUniversal affirmance — finding Facebook Pixel data transmitted from Today.com did not constitute PII under the 1988 statute — extends a line of dismissals through Solomon v. Flipps Media and Hughes v. NFL, giving media defendants in the Second Circuit clear grounds for early dismissal (→ Second Circuit Affirms Dismissal of VPPA Class Action Against NBCUniversal[1][3]).
• The Third Circuit has redirected session-replay and wiretap litigation to state court. In Popa v. Harriet Carter Gifts, the court found routine mouse-click and browsing data insufficient for Article III standing, vacating summary judgment and remanding WESCA claims to Pennsylvania state court — where federal standing doctrine does not apply .
• CCPA's private right of action is expanding beyond the breach-only framework. District court rulings in Shah v. Capital One and a Therapymatch case denied motions to dismiss, holding that unauthorized disclosure of personal information through pixels and cookies to Google, Facebook, and Microsoft can trigger §1798.150 liability without a traditional data breach .
• CIPA mass arbitration has become a volume-pressure enforcement model. Plaintiffs' counsel are filing hundreds to thousands of simultaneous CIPA claims targeting cookies, pixels, session replay tools, and chatbots — exploiting the $5,000-per-violation statutory damages structure to force settlement economics .
• For counsel advising website operators, media companies, or adtech vendors, the practical baseline is a multi-statute, multi-forum exposure map: Second Circuit VPPA defense is stronger, Third Circuit federal dockets are narrowing, California CCPA and CIPA exposure is expanding, and the sensitive-vs.-non-sensitive data distinction is now the central pleading variable across all theories.

Where things stand.

• VPPA pixel claims are circuit-dependent, with the Second Circuit firmly defense-favorable. The "ordinary person" PII test — requiring that an ordinary person, without technical expertise, could connect transmitted data to a specific individual's viewing history — has now dismissed three major class actions in the circuit; the First Circuit remains a more plaintiff-favorable alternative venue (→ Second Circuit Affirms Dismissal of VPPA Class Action Against NBCUniversal[1][3]).
• Article III standing for tracking claims turns on data sensitivity, not statutory violation alone. The Tash ruling drew a sharp line: disclosure of sensitive health-related data through pixel tracking resembles intrusion upon seclusion and survives standing challenge; mere identifier linkage without sensitive underlying data does not .
• Third Circuit federal jurisdiction over state wiretap claims requires concrete harm beyond routine browsing. The Cook v. GameStop precedent, extended through Popa, means mouse movements and clicks do not satisfy Article III — but WESCA claims survive in Pennsylvania state court, where the merits of "interception" under state law remain unresolved .
• CCPA's private right of action is being reinterpreted to cover tracking-based disclosures. The breach-only framework that governed CCPA enforcement since 2022 is under pressure; district courts are now permitting claims based on unauthorized sharing of personal information through third-party tracking tools, with the scope of qualifying conduct still unsettled .
• CIPA applies to any website accessed by a California user regardless of where the company is based. The statute's $5,000-per-violation damages floor and no-actual-harm requirement make it the highest-leverage tool in plaintiffs' arsenal; mass arbitration filing strategies are compounding settlement pressure .
• Consent architecture is the primary defense across all theories. Across VPPA, CIPA, WESCA, and CCPA, documented user consent — requiring reasonably conspicuous notice and unambiguous assent — is the operative defense; courts are scrutinizing whether cookie banners and privacy policies satisfy the standard .
• March 2026 privacy litigation decisions are being tracked as a leading indicator. The Troutman privacy litigation report covering March 2026 decisions reflects continued doctrinal movement across standing, wiretap, and state privacy statute theories .

Latest developments.

• Second Circuit affirms dismissal of VPPA pixel class action against NBCUniversal, reinforcing the "ordinary person" PII test and extending the Solomon/Hughes dismissal line (→ Second Circuit Affirms Dismissal of VPPA Class Action Against NBCUniversal[1][3]).
• Tash ruling splits standing between two plaintiffs based on data sensitivity — health-related search queries survive, generic identifier linkage does not — establishing sensitive-vs.-non-sensitive as the central pleading variable .
• Third Circuit remands Popa v. Harriet Carter Gifts to Pennsylvania state court, finding routine browsing data insufficient for Article III standing and leaving WESCA "interception" merits for state court resolution .
• District courts in Shah v. Capital One and Therapymatch deny motions to dismiss CCPA claims based on pixel and cookie disclosures to third parties, departing from the breach-only framework .
• CIPA mass arbitration wave documented — $5,000-per-violation damages, no actual harm required, mass filings targeting cookies, pixels, session replay, and chatbots across all company sizes .
• March 2026 privacy litigation report captures continued doctrinal movement across standing, wiretap, and state statute theories .

Active questions and open splits.

• What does "ordinary person" mean across circuits for VPPA PII? The Second Circuit's test is settled and defense-favorable; the First Circuit has taken different approaches to similar pixel claims, creating venue-selection incentives for plaintiffs that will persist until circuit conflict is resolved or the Supreme Court weighs in (→ Second Circuit Affirms Dismissal of VPPA Class Action Against NBCUniversal[1][3]).
• How will Pennsylvania state courts apply WESCA to session-replay and pixel tools on the merits? The Third Circuit's standing ruling leaves the substantive "interception" question entirely open in state court — where WESCA's $1,000-per-violation damages and the absence of federal standing requirements create a distinct litigation environment .
• How far does CCPA's private right of action extend beyond traditional data breaches? Shah v. Capital One and Therapymatch signal a major doctrinal shift, but the exact boundary of qualifying "unauthorized disclosure" through tracking tools remains unsettled as courts work through the implications .
• Does the sensitive-vs.-non-sensitive data distinction hold as a standing threshold across circuits? The Tash ruling makes data sensitivity the gating question for Article III injury-in-fact in pixel cases, but whether other circuits adopt this framework — and how courts define "sensitive" — is unresolved .
• Can mass arbitration economics force CIPA settlements before courts resolve the "interception" theory? The volume-pressure model — hundreds or thousands of simultaneous $5,000-per-violation claims — creates settlement incentives independent of merits, and whether courts will consolidate, stay, or otherwise manage mass CIPA arbitration dockets is an open question .
• What consent architecture actually satisfies the notice-and-assent standard? Across VPPA, CIPA, WESCA, and CCPA, consent is the primary defense — but courts have not converged on what cookie banners, privacy policies, or just-in-time disclosures must contain to constitute unambiguous assent .

What to watch.

• Pennsylvania state court proceedings in Popa v. Harriet Carter Gifts on remand — the first significant test of WESCA "interception" doctrine applied to session-replay tools outside federal standing constraints.
• Whether additional district courts follow Shah v. Capital One in extending CCPA's private right of action to pixel-based disclosures, and whether any Ninth Circuit panel takes up the breach-vs.-tracking split.
• First Circuit developments in VPPA pixel cases — the most likely venue for plaintiffs pushed out of the Second Circuit after Golden v. NBCUniversal.
• Whether California courts or the CPPA issue guidance on what consent mechanisms satisfy CCPA and CIPA simultaneously, given the divergent standards currently in play.
• Whether CIPA mass arbitration volume prompts any court to develop a consolidation or bellwether procedure that resets the settlement economics defendants currently face.