CNN stuck with CIPA suit over alleged data-sharing with Microsoft and adtech partners

Judge Victor Marrero of the US District Court for the Southern District of New York ruled on April 9, 2026, that CNN must face a proposed class action. The suit alleges CNN shared consumers' personal information with Microsoft and adtech firms without consent, in alleged violation of California privacy law.

• The judge denied CNN's motion to dismiss, finding that lead plaintiff Anthony D'Antonio had adequately pleaded a claim under California Invasion of Privacy Act’s (CIPA) pen-register rules
• D'Antonio alleges that CNN loaded data-tracking tools from Microsoft Corp., PubMatic Inc., and OpenX Technologies Inc. on its website. These tools allegedly collected user data and built marketing profiles for targeted advertising
• This is the second time the judge has denied CNN's motion to dismiss. The first ruling came 14 months earlier on an earlier version of the complaint

What is this case about?

D'Antonio says CNN's website loaded scripts that captured his personal information and fed it into the real-time bidding (RTB) ecosystem. In RTB, multiple advertisers bid on user data in milliseconds to serve an ad.

‍The complaint alleges at least one advertiser bid on D'Antonio's information. That data was likely shared with hundreds more bidders during the automated ad auction process.

What did the court decide?

CNN argued two things. First, that D'Antonio had not shown a concrete injury, so he could not sue in federal court. Second, that the tracking code did not qualify as a "pen register" under CIPA.

‍The judge rejected both arguments. He found that D'Antonio's allegations (that his data was collected and sold in the online ad marketplace, and that this was "highly offensive") were enough to establish standing.

On CIPA, CNN argued the trackers captured the contents of communications, which the pen-register definition excludes. D'Antonio countered that trackers collecting "fingerprint" data (device and browser identifiers) do not count as content.

The judge sided with D'Antonio for now. He also said it was too early to decide whether CNN could claim CIPA's exemption for service providers using pen registers to operate their services.

Why does this matter?

CIPA damages are up to $5,000 per violation. For a publisher loading standard adtech scripts across millions of page views, the numbers get large quickly.

‍The ruling adds to a line of cases treating common adtech tools as "pen registers." RTB pixels, identity resolution scripts, and device fingerprinting scripts are all potentially in scope.

The practical question is whether tracking scripts load only after the user has consented. A consent banner that exists on the page is not enough if scripts fire before the user interacts with it.

Key takeaways

• Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
• Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared
• Run data protection assessments for any processing of personal data for targeted advertising, selling of personal data, or processing of sensitive data

‍Privado AI's Web Auditor continuously maps every tracker and adtech partner loaded on your site, flags pixels that fire before consent, and helps publishers demonstrate that tracking activity matches documented user choices.