Tracking Technology Litigation Boom Likely Will Carry Into 2026, Lawyers Say
Despite stricter court rulings and limits on the use of older statutes to regulate newer technologies, 2025's increase in privacy litigation, especially around tracking technologies, looks set to continue into 2026, said privacy lawyers in interviews. Additionally, the potential for lawmakers clarifying the California Invasion of Privacy Act (CIPA) could push litigators to bring cases at even faster rates this year as they hope to file before an amendment becomes effective, one lawyer said.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“2025 was sort of a renaissance” for tracking technologies litigation, said Troutman’s Dave Navetta, noting more case law was created, and more demand letters went out "more frequently.” The litigation space has become “almost like a mature industry ... kind of a small community" with “a cadence to it.”
But as more plaintiffs’ lawyers get involved and cases happen more frequently, the “trend starts to get a little bit … wider in its scope,” he added.
Though the California Invasion of Privacy Act (CIPA) is usually the vehicle for claims involving tracking technologies, the Electronic Communications Privacy Act (ECPA) “is starting to gain more traction,” Navetta said. For example, some California plaintiff lawyers recently sent demand letters that reference the federal wiretapping statute but omit CIPA, he added.
Part of this may be because, under the ECPA, “you can get $10,000 per violation, so it's twice as much bang for your buck.” Additionally, the federal law doesn't limit plaintiffs' jurisdiction, he added.
Still, Navetta said he was “really surprised” seeing a California lawyer focus on an ECPA violation without including CIPA. “It seems like they're trying to lay the groundwork for more of that type of theory of liability,” either because some CIPA case law has favored defendants recently, or owing to the potential limiting effects of SB-690 (see 2505280028).
Marashlian & Donahue’s Susan Duarte agreed that wiretapping claims are changing. As businesses and courts begin to grasp certain topics, litigators are moving to others. For example, “now people understand cookies and cookie banners,” so plaintiffs’ lawyers are “moving over to platforms, or they're going to ECPA" for its more lucrative penalties, she said.
In addition, Duarte said it’s “notable” that privacy issues prevented SB-690 from going through in 2025. Given the “excitement for the industry” and “costly litigation for companies” based on “old and outdated laws,” she had anticipated “a solution.”
Without it, the volume of cases will remain extreme, though Duarte recognized the litigation is addressing “privacy concerns” and that “it's good for consumers to understand their rights" in the space.
Instead, if regulators had provided guidance, the situation would be "less costly.” In addition, guidance would have eliminated the “lack of certainty” resulting from courts issuing contrasting rulings “across different topics.”
Kelley Drye’s Laura Riposo VanDruff, however, remains “optimistic” that California lawmakers will address CIPA reform, especially considering “there hasn't been clear direction from courts on the use of wiretap statutes,” which “remains a real frustration for businesses across the country.”
CIPA Reform Possible But Case Volume Could Remain
However, Julie Rubash, chief privacy officer for compliance vendor Sourcepoint, said the potential for “a law amending CIPA,” even if it won’t take effect for a couple of years, means “the plaintiff's bar is just going to hit the gas pedal in 2026.”
“All the stars are kind of aligning” where there may be only “one more year” to file these kinds of lawsuits, “but they now have enough rulings where they have a straightforward path to file these actions,” she said.
As courts have “narrowed the scope of some of these actions,” Rubash said, “they've also kind of created a roadmap for the plaintiff's bar,” which “in a way, makes it easier” for them. Lawyers know “where we're not seeing consistency” in the courts and can instead opt for another path where there’s more uniformity.
Navetta said there has been a “little bit of consolidation” around some aspects of wiretapping law related to content disclosures. Most courts have ruled that IP addresses and metadata are “pretty clearly not considered” content that constitutes a claim, which is why some CIPA claims were dropped.
Standing is an area without consistency, he said. That argument began with data breaches, and “for a long time,” tracking technology cases were getting past this hurdle “pretty easily,” as the theory had “been softened by the data breach litigation.”
But now courts are waking up to “the really bad downstream impact of these cases” and “the potential for huge damages,” and are revisiting standing arguments and dismissing them at this stage, Navetta said. But this “depends on the court, the judge, and a bunch of other things,” so it will likely end up at a federal appeals court or maybe even the U.S. Supreme Court.
Also, more recently, third parties that put the pixel or cookie or tracker on a website “are getting sued directly,” Navetta said. “It'll be interesting to see” what happens with this in 2026.
Duarte said there are “a lot of different CIPA allegations of eavesdropping,” where plaintiffs are trying to find “companies liable for processing and listening to calls because they didn't monitor their disclosures.” This is an “easy fix” for companies though, as they just need to “check their chatbot disclosures” or calling disclosures, if they're using AI.
Companies must also look at their level of involvement. If you're making telemarketing calls or using AI voice, make sure you “have the right consents,” she said.
Context also matters, Duarte said, pointing to the unanimous jury ruling in Frasco v. Flo Health that found Meta was intentionally eavesdropping on health app Flo users' menstrual cycles and reproductive health data (see 2508040041).
Overall, the “rapid increase” in the amount of litigation has “bypassed regulatory action in the minds of businesses” in terms of “the threat that they really need to focus on,” Rubash said. Usually, companies try to focus on regulatory requirements and “get buttoned up from that perspective,” but this is one of the first years that's not the case (see 2512310046).
Instead, businesses are thinking, ‘What do we do about this litigation? How can we put … consent in place? Or reconfigure tracking pixels, or look differently about approaching litigation?'
This is “very challenging,” and companies want to follow regulators' priorities and litigation topics, Rubash said. Compliance challenges also stem from the courts being “all over the place” with litigation, especially with CIPA and the federal Video Privacy Protection Act.
“With the variety of decisions out there, it's still [the] wild west in many ways,” Navetta said. There's favorable and unfavorable case law, so plaintiffs must be open to negotiating and leveraging "the uncertainty toward settlement.”