California Privacy Claims Target Online Tracking

March 05, 2026

By Paul Rothermel and Mark Gardner

A growing number of companies across the U.S., including medtech, biotech, pharma, cosmetic, food and beverage, and other life sciences companies, are receiving demand letters and complaints alleging that common website technologies violate the California Invasion of Privacy Act (“CIPA”). Companies do not need to be located in California to be impacted.

“We are seeing companies receive demand letters seeking tens of thousands of dollars to settle alleged privacy violations based on routine website tracking technologies,” said Mark Gardner. “Many organizations have never evaluated whether their consent tools actually block tracking prior to user consent. Companies should review their websites now. If the technical compliance pieces are not in place, they may quickly find themselves the next target of these claims.”

CIPA and Online Tracking Technologies 

Plaintiffs’ firms are increasingly asserting that cookies, pixels, session replay tools, and other advertising and analytics technologies are collecting website visitor communications without proper consent, in violation of California’s wiretapping and eavesdropping prohibitions. These claims often target routine website functions such as marketing analytics, chat features, and patient or customer portals.

In recent months, several of our clients and other companies across multiple industries have received demand letters asserting these theories. These efforts are often driven by repeat or “serial” plaintiffs who systematically target companies, alleging that their websites lack sufficient user consent mechanisms for various tracking technologies.

Many of these claims arise where websites deploy cookies, pixels, session replay tools, or other tracking technologies without first obtaining a visitor’s consent. In practice, this means that the consent banner or pop-up that asks users to agree to tracking is not just a formality. If a website begins collecting data before a visitor agrees, or if the site does not provide a meaningful way to decline or opt out, plaintiffs’ firms may argue that the website is violating CIPA. Many companies choose to settle these claims rather than incur the cost of litigating them, and settlements can be significant given CIPA’s statutory damages provisions. As a result, organizations that have not recently reviewed their websites’ consent and opt-out mechanisms may face increased risk of being targeted.

“Companies often view website analytics and advertising tools as routine infrastructure,” said Paul Rothermel, Managing Attorney of Gardner Law's Privacy Practice. “But plaintiffs’ lawyers and regulators may allege some uses of these technologies are unlawful. Organizations should ensure that consent tools and disclosures are functioning as intended before these issues surface in a demand letter or enforcement action.”

Settlement Demands and Litigation Risk

Many of these matters begin with pre-litigation settlement demands and are frequently followed by individual or putative class action complaints if not resolved quickly. While damages theories vary, CIPA provides for statutory penalties, which can make early-stage disputes costly to defend, even where substantive defenses may exist.

Compliance Considerations for Medical Products Companies

Medical products companies face heightened exposure due to the intersection of privacy, consumer protection, and health information regulation. Organizations should assess how online tracking technologies are deployed, whether disclosures and consent mechanisms are adequate, and how third-party vendors process website data.

For additional context on enforcement trends involving health information and online tracking technologies, we recommend reading our prior alert on a related topic, Enforcement Update for Health Information and Online Tracking Technologies by Paul Rothermel.

Key Takeaway

Routine website technologies are increasingly being reframed as unlawful surveillance tools under California law, creating fast-moving enforcement and settlement risk for life sciences companies. Companies should review their websites now to confirm that consent management tools are functioning properly and that tracking technologies are not collecting data before valid user consent is obtained.

How Gardner Law Can Help

Gardner Law advises medtech, biotech, pharma, food, and other FDA-regulated companies on privacy risk assessments, website compliance reviews, demand letter response strategies, and litigation defense involving CIPA and related state and federal privacy laws.

If you would like assistance evaluating your website tracking technologies or responding to a CIPA demand letter, please contact our team.