Meta Pixel lawsuits in California: What’s driving the risk

Meta Pixel lawsuits are no longer isolated cases. In California, Meta Pixel lawsuit activity has increased significantly, driven by claims under laws like the California Invasion of Privacy Act (CIPA).

At the center of these cases is a simple but serious allegation: Organizations are sharing user data with third parties without proper consent or disclosure.

What has changed is not the technology. It is how regulators, plaintiffs and courts are interpreting it.

What the Meta Pixel actually does

The Meta Pixel is a tracking script embedded on a website that captures user activity and sends that data to Meta platforms.

Organizations use it to:

• Track user behavior such as clicks, purchases and form submissions
• Improve ad targeting and campaign performance
• Build audiences for retargeting
• Measure conversion and engagement

The functionality itself is not unusual. The risk comes from what data is captured and when it is transmitted.

If the pixel fires on pages where users are entering sensitive information or before proper consent is obtained, that data may be shared in ways that create legal exposure.

Why Meta Pixel lawsuits are increasing in California

This trend is not slowing because the underlying issue is widespread.

Many organizations:

• Implemented tracking tools years ago
• Layered additional tools over time
• Never fully mapped what data is being captured or shared

At the same time, legal theories have expanded. Plaintiffs are increasingly relying on:

• California Invasion of Privacy Act (CIPA)
• Video Privacy Protection Act (VPPA)
• Broader privacy and wiretapping claims

This wave of pixel litigation is expanding beyond early healthcare cases into multiple industries.

What these lawsuits have in common

These cases are not edge scenarios. They reflect common patterns in how organizations implement tracking, consent and data-sharing practices — and where those practices break down.

Across industries, the same issues continue to surface.

1. Tracking data is shared without full visibility

Many organizations deploy tracking technologies like Meta Pixel without fully understanding what data is being captured and transmitted.

In one case, the FTC’s enforcement action against GoodRx highlighted how prescription and treatment-related data was shared with advertising platforms through tracking technologies.

The issue was not simply the presence of tracking tools, but the lack of visibility into how sensitive data was being disclosed in the background.

2. Consent and opt-out mechanisms fail in practice

Even when organizations implement consent banners and opt-out tools, those controls don’t always function as intended.

In a 2025 enforcement action, Healthline was fined after failing to honor user opt-outs, despite having multiple consent mechanisms in place. Tracking technologies continued to share data even after users attempted to opt out.

In that case, regulators found that disclosures, consent tools and actual data practices were misaligned — creating a significant compliance gap.

3. Data collection extends beyond user expectations

Some organizations collect and monetize data in ways that go beyond what users reasonably expect, even when the data is technically permitted.

In a separate case, the Texas attorney general sued Allstate for allegedly collecting location and driving behavior data through embedded software in mobile apps. The claim focused not just on data collection, but on how that data was used and monetized without clear consumer awareness or consent.

When data practices extend beyond what is clearly disclosed, they create legal exposure regardless of the technology involved.

Across all of these cases, the underlying issue is not a specific tool or platform.

It’s a lack of alignment between:

• What data is collected
• How that data is shared
• What users are told
• And what actually happens in practice

Where this risk shows up across industries

This is not limited to healthcare. The same exposure exists anywhere sensitive interactions occur on tracked pages.

• Healthcare and senior living: Patient portals, appointment scheduling and “find a provider” tools often live on the same domains as marketing scripts. When pixels fire on those pages, they can capture behavior tied to protected health information.
• Financial services: Loan applications, account onboarding and rate inquiries often involve personal financial data. If tracking tools capture user inputs or behavior tied to those processes, the data may be considered sensitive.
• Construction and real estate: Property inquiries, lease applications and financing forms frequently collect personal and financial information. When pixels fire on those pages, that data can be transmitted unintentionally.
• Manufacturing and distribution: Even B2B environments are exposed. Customer portals, quote requests and product configuration tools can capture identifiable data tied to business operations.

The risk is not defined by industry. It is defined by whether sensitive activity is occurring on tracked pages.

Video content is creating a second wave of exposure

A growing number of lawsuits involve websites that stream video content.

Under the Video Privacy Protection Act (VPPA), organizations may be liable if they disclose information about what videos a user watches without proper consent.

Courts have interpreted “video service provider” broadly to include modern websites.

In one case, a media company settled claims after allegedly sharing video viewing activity with Facebook through tracking technology.

Any organization that hosts video content and uses tracking tools on those pages should evaluate whether consent and disclosures align with how data is being shared.

The real issue: Most organizations don’t know where their pixel is firing

The biggest problem is not the use of tracking tools. It is the lack of visibility into how they operate.

In many environments:

• Pixels are deployed through tag managers
• Scripts are inherited across site templates
• New pages are launched without privacy review

This creates situations where tracking fires on:

• Login pages
• Form submissions
• Scheduling tools
• Account-related workflows

Often, organizations do not realize this until a legal or compliance review surfaces the issue.

What risk mitigation looks like now

Reducing exposure does not require eliminating all tracking. It requires control.

Organizations should focus on:

• Mapping where tracking technologies are deployed across the site
• Identifying pages that involve sensitive or regulated activity
• Ensuring consent is obtained before tracking fires where required
• Validating what data is transmitted to third parties
• Aligning privacy disclosures with actual data practices

Some organizations choose to remove tools like Meta Pixel entirely. Others keep them but restrict where they operate.

The right decision depends on how those tools are used and how much risk the organization is willing to accept.

Why this issue isn’t going away

This is not a temporary surge in litigation.

It sits at the intersection of:

• Evolving privacy regulation
• Increasing consumer expectations
• Widespread use of third-party tracking technologies

As long as those forces continue, so will the risk.

Quick self-check: Is your site at risk?

Before you assume your tracking setup is compliant, ask:

• Is your Meta Pixel or other tracking technology firing on pages where users enter sensitive information? This includes appointment scheduling, financial forms, account access or any user-specific interaction.
• Does tracking activate before a user has provided clear, valid consent? Especially in jurisdictions like California, timing matters as much as disclosure.
• Do you know exactly what data is being transmitted to third parties — and when? If the answer requires guesswork or assumptions, that’s a risk.

If you can’t confidently answer all three, it’s worth taking a closer look at how tracking is implemented across your site.

How Wipfli can help

Wipfli helps organizations assess and manage privacy risks associated with website tracking technologies.

Our services include:

• Website privacy and tracking assessments
• Cookie and consent management strategy
• Data flow and third-party sharing analysis
• Policy and disclosure alignment
• Ongoing privacy and compliance support

To learn more about managing website tracking risk, explore our privacy and data protection services.