Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: Three takeaways from May decisions: (1) cookie banners cut both ways for plaintiffs and defendants; (2) generic wiretapping “contents” allegations lose while transaction-specific ones survive; and (3) courts are splitting on whether a profit motive satisfies the crime-tort exception.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from May 2026.

Many courts are currently handling data privacy cases across the U.S. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation you would like to know more about, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1.         Opt-Out Failures Are Driving Litigation

The most consistent thread in May’s tracking decisions was the failed opt-out: a plaintiff who rejected nonessential cookies through a consent banner, then alleged that the tracking continued. The decisions show how these complaints move past the pleading stage, where they stall, and how the theory is beginning to reach tracking that occurs before the user can act at all.

The first decision shows the “normal” approach of these decisions. The plaintiffs alleged they visited the website of a financial institution “to obtain information about trading, crypto assets, including pricing, and Defendant’s credit cards offering.” Thecomplaint alleges that when the plaintiffs first visited the website, they were shown a popup cookie consent banner stating: “We use cookies on our website to operate our site, enhance your experience, analyze our traffic and conduct advertising and analytics.” Plaintiffs allege not only that cookies tracked their actions even before the banner loaded, but that when the plaintiffs elected “disable all” cookies, nonessential cookies continued to track their behavior. In addition to state wiretapping and trap and trace claims, the plaintiffs asserted claims for intrusion upon seclusion and invasion of privacy, both of which require a reasonable expectation of privacy and a disclosure that is “highly offensive” to a reasonable person.

The court first found the plaintiff had alleged a reasonable expectation of privacy, finding “[a] reasonable person would not expect the Defendant to continue to process user data in this manner after it has affirmatively represented that it would not do so.” The court viewed the California Consumer Privacy Act’s (CCPA) opt-out regime as evidence of a baseline social expectation, reasoning that because California law requires websites to offer the opportunity to opt out, “California users are presumably accustomed to seeing these cookie rejection popups online and understand the pop-up to be an effective means to reject cookies.” The court ultimately dismissed the claim, however, after finding the complaint alleged only that the plaintiffs “browsed,” and that “[l]isting general categories of information that Plaintiffs allege the cookies are capable of collecting (without alleging such information was actually collected) does not suffice.” When the complaint was limited to what was alleged to have been collected, rather than merely capable of being collected, the intrusion was minimal: the plaintiffs “may have opened the website, rejected cookies, viewed the homepage for a few seconds, closed the website, and never returned,” and on those facts it was “difficult to see how the information collected about Plaintiffs . . . constitutes an ‘egregious breach of the social norms.’” The court acknowledged that “deceit can be a kind of ‘plus’ factor,” but distinguished cases finding offensive conduct on the ground that the tracking there continued after the user left; here, by contrast, the cookies captured only on-site activity. This holding is notably at odds with the first decision, which held “[w]hether . . . conduct was highly offensive can rarely be resolved at the pleading stage.”

The second decision follows this same approach but shows how a banner can still benefit defendants even when it is not operating as intended. In this case, the plaintiff sued over tracking that allegedly continued after he declined cookies. The plaintiff necessarily alleged he not only saw, but agreed to, the banner. But the banner also stated that clicking through accepted the defendant’s terms of service, which contained an arbitration clause and class-action waiver. The court compelled arbitration, finding the plaintiff could not selectively disclaim other text in the same banner. The court found the terms-of-service advisal sat in the same font, underlining, and placement as the cookie advisal he admitted reading, so there was “no reason why a reasonable consumer like Plaintiff should have noticed one advisal but not the other.”

Our third and final decision shows a new approach to the “broken banner” theory. In this case, the plaintiff alleged they visited the defendant’s website and opted out of nonessential cookies but did not allege that tracking continued afterward. Instead, the plaintiff alleged that the website tracked them before they could make that selection. The plaintiff asserted wiretapping claims under the California Invasion of Privacy Act (CIPA) and the Electronic Communications Privacy Act (ECPA) and a claim for intrusion upon seclusion. The court held the plaintiff had shown a reasonable expectation of privacy based on the initial tracking before the plaintiff even interacted with the cookie banner:

Although Defendant focuses on the point in time after which Defendant stopped tracking Plaintiff’s data upon her choice to reject cookies on the website, this does nothing to address the FAC’s allegations as to how the website began to track Plaintiff’s data from “the moment that Plaintiff landed on the Website.”

Put in other words, Defendant’s website collected Plaintiff’s data from the moment she visited Defendant’s website. Even though Plaintiff rejected non-essential cookies to prevent the tracking and transmission of her data, her selection was ineffective because there was a period that the website did collect, track, and transmit her information before she was able to direct it not to.

The court then found “a reasonable factfinder could determine the alleged unauthorized collection of Plaintiff’s information prior to her ability to reject tracking technologies was an unacceptable intrusion in violation of public policy. Because Defendant’s actions may constitute a highly offensive intrusion, the FACC raises a question that cannot be resolved on a motion to dismiss as a matter of law.” Notably, however, the court dismissed the ECPA claim after finding the complaint did not allege a crime or tort that would overcome the one-party consent exception.

Across these three decisions, the banner emerges as a double-edged instrument. For plaintiffs, it supplies the affirmative representation that anchors a reasonable expectation of privacy — and, on the third decision’s reasoning, the expectation can attach to tracking that precedes any interaction with the banner at all, before the user has the chance to decline. For defendants, the banner is more than a liability: it can defeat the highly offensive prong where the complaint pleads only generic tracking capabilities rather than actual data collection, and it can route the entire dispute to arbitration where its text incorporates terms of service. The common thread is that courts are reading the banner closely — its timing, its promises, and its full text — and measuring those representations against what the code actually did. The practical lesson for defendants is correspondingly narrow: the banner’s representations and the site’s behavior must align, because the gap between them is where these claims now live.

2.         For Wiretapping ‘Content’ Allegations, Generic Allegations Lose While Transaction-Specific Ones Survive

Wiretapping claims under both the federal ECPA and CIPA § 631(a) require the “contents” of a communication — the intended message conveyed — to be intercepted while in transit. Three May decisions applied that standard and divided not on the law, but on the specificity of the pleadings. Two courts dismissed claims where the complaint described what tracking technology could capture, while one denied the motion to dismiss where the complaint described what was actually intercepted.

In the first decision, a mortgage servicer’s trackers allegedly disclosed to third parties that a user had landed on a “Get Pre-Approved” page, had scrolled a given percentage down it, and had started and submitted a loan application. The court held those signals were not “contents,” but were instead facts about the user’s session. Regardless, the court found the complaint never established that contents were intercepted at all:

[I]t is unclear from the allegations presently in the complaint whether the trackers work by recording information about a user’s session on the website, intercepting a communication attempting to convey the precise user information PHH is alleged to have collected, or using some other method. Without allegations regarding the manner in which the trackers operate, [Plaintiff] does not plausibly allege that PHH aided and abetted third parties in learning the contents of any communication as opposed to simply record or session information.

A second decision also dismissed the claim for similar reasons. In this case, the plaintiffs alleged only that they “browsed” the defendant’s website and listed the categories of information the cookies were capable of collecting. The court held that “[l]isting general categories of information that Plaintiffs allege the cookies are capable of collecting (without alleging such information was actually collected) does not suffice.” In both cases, the complaint described the tool’s capacity rather than the plaintiff’s conduct, and in both, the court could not find that anything qualifying as contents had passed through it.

The third decision shows when a plaintiff’s allegations are sufficient to establish “contents.” In this case, the plaintiffs alleged the tracking pixel intercepted four specific categories of data during transmission: the URLs of the pages visited, the terms entered into a search bar, the actions taken on a page, and the contents of commonly used form fields. More importantly, the plaintiffs tied that interception to their own communications with the websites at issue. The court rejected the defendant’s argument that this was not the “content” of any communication, finding the identified data plausibly constituted the contents of the plaintiffs’ communications and was adequately alleged to have been captured in transit. The distinction from the dismissals was not the technology but the pleading: the complaint described a transaction, not a capability.

For defendants, the practical value lies in diagnosing which complaints are vulnerable on the contents element before discovery makes the point harder to win. A complaint that recites the categories of data a pixel or tracker can collect, or that pleads only session artifacts like scroll depth and form-submission events, remains exposed on a motion to dismiss (particularly where it leaves the mechanism of interception unexplained). The complaints that survive are those alleging specific message content the plaintiff actually transmitted.

3.         The Crime-Tort Exception Is Splitting Along a Profit-Motive Fault Line

The ECPA presents additional risks for defendants because it applies in any jurisdiction and provides statutory damages of up to $10,000. Its most severe limitation for plaintiffs, however, is that there is no liability if only one party consents to sharing the communication with a third party. Where websites knowingly install the third-party trackers, those websites have consented. To get around this one-party consent defense, plaintiffs allege that the interception was made in furtherance of a crime or tort — the “crime-tort exception.” May’s decisions divided on what a plaintiff must plead to invoke that exception, and the fault line runs through whether a profit motive can supply the required tortious purpose.

One decision read the exception broadly. In that case, a mortgage servicer’s trackers allegedly disclosed to third parties the type of loan a user applied for, along with identifiers capable of tying that disclosure back to the user, while the servicer’s privacy policies represented that it collected only aggregate data. The court held those allegations stated an invasion-of-privacy tort and that the plaintiff had adequately alleged the servicer acted with the purpose of committing it. The servicer allegedly deployed the trackers to trade sensitive financial information for reduced marketing costs, and the court treated that exchange as a purpose to invade privacy for profit, expressly rejecting “the notion that a financial motive removes a claim from the crime-tort exception.”

In sharp contrast, a second decision read the exception narrowly on closely comparable facts. A fertility clinic’s pixel and insight-tag code allegedly transmitted a patient’s treatment and reproductive-health information to two advertising platforms. But the only purpose the complaint identified was advertising. The court held that a commercial motive is the opposite of the tortious purpose the exception demands:

[T]he Court agrees with multiple others in this district that have found the crime-tort exception is inapplicable where the defendant’s primary motivation was to make money, not to injure plaintiffs tortiously.

Although the plaintiff argued in their opposition brief that the clinic’s real purpose was to violate the Health Insurance Portability and Accountability Act (HIPAA) and invade her privacy, the court held the complaint did not make that allegation and declined to credit it. The result is notably at odds with the first decision: the same profit-seeking conduct that supplied the tortious purpose in the mortgage case defeated it in the fertility case, because one complaint framed the disclosure as an invasion of privacy for gain and the other framed it as advertising.

A third decision reached the defense-favorable result by a different route and added a choice-of-law wrinkle. A hotel guest alleged the operator’s trackers fed his booking inputs to two advertising platforms, and he invoked a California statute barring hotelkeepers from disclosing guest records as the predicate tort. The court doubted the statute reached the alleged conduct because the complaint described disclosure of booking details but not the identifying information the statute protects. Regardless, the court held that the crime-tort exception looks to whichever body of state law would actually govern the predicate act under a choice-of-law analysis. Because the website’s terms contained an Illinois choice-of-law clause and the plaintiff had not alleged any violation of Illinois law, the California predicate evaporated and the exception failed.

For defendants, two practical points follow. First, the profit-motive split is real and consequential: a complaint that frames tracking as an invasion of privacy undertaken for gain may clear the exception in one court, while a complaint framing identical conduct as advertising fails in another, so the defense can turn on pleading choices and on which court hears the case. Second, the hotel decision points to a structural defense: an enforceable choice-of-law clause can dictate which state’s law measures the predicate tort and can extinguish a crime-tort theory that depends on a statute the chosen forum does not supply.