How to comply with new rules for privacy assessments, automated decisionmaking, & cybersecurity audits

Thank you!
Please check your email to view the guide.

NFL hit with CIPA class action over website pixels that ignored consent

July 16, 2026
5
 mins read
Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm
NFL CIPA lawsuit

A proposed class action filed against the NFL (National Football League) on July 6, 2026, in California state court alleges that NFL.com shared visitors' personal data with advertising companies via trackers that ran both before and after users opted out via the site's consent banner.

  • A California resident alleges that NFL.com deployed 182 third-party trackers, including four canvas fingerprinting scripts and a session recorder, before visitors could make any consent choice
  • The complaint claims 186 trackers continued running even after users opted out, transmitting data to Google Ads, The Trade Desk, and other advertising and analytics companies
  • The lawsuit, filed on behalf of a nationwide class and a California subclass, alleges violations of the California Invasion of Privacy Act (CIPA), the federal Wiretap Act (ECPA), the California Computer Data Access and Fraud Act (CDAFA), the California constitutional right to privacy, and California's Unfair Competition Law (UCL)

What is this case about?

The plaintiff, a San Francisco 49ers fan, says she visited NFL.com in January 2026 to check scores and schedules. 

According to the complaint, the moment she landed on the site, trackers operated by companies including Google, The Trade Desk, Rubicon Project, OpenX, and LogRocket were installed on her browser.

Citing forensic testing, the complaint alleges that the site generated a unique device fingerprint, recorded her browsing session, and transmitted her information to third parties for targeted advertising in real time. 

The session replay tool allegedly captured mouse movements, clicks, scrolling, navigation paths, and keystrokes entered into search fields.

Why does the consent banner matter?

NFL.com displays a consent banner that allows visitors to opt out. The complaint argues this banner gives users a "false and misleading sense of security" for two reasons.

First, the trackers allegedly fire as soon as a visitor lands on the site, before any privacy choice can be made. Second, opting out allegedly does nothing to stop the tools that do not rely on cookies, such as session recorders and fingerprinting scripts. The complaint claims 186 third-party trackers continued running after opt-out.

This "opt-out that doesn't opt you out" allegation targets the gap between what a consent banner promises and what a website actually does. That gap is increasingly the focus of both CIPA plaintiffs and state regulators running opt-out compliance sweeps.

How was CIPA allegedly breached?

The complaint invokes two CIPA provisions. 

  • Under section 631(a), the wiretapping provision, the plaintiff alleges the trackers intercepted the "contents" of her communications with NFL.com while in transit, without her consent
  • Under section 638.51(a), the plaintiff alleges each tracker operates as an unlawful "pen register." CIPA defines a pen register as a device or process that records dialing, routing, addressing, or signaling information. The complaint argues that by capturing IP addresses and device identifiers, the trackers meet that definition.

CIPA is attractive to plaintiffs because it provides statutory damages of $5,000 per violation with no need to prove actual harm. 

The complaint also pleads claims under: 

  • The federal Wiretap Act (ECPA)
  • The California Computer Data Access and Fraud Act (CDAFA)
  • The California Constitution's right to privacy
  • California's Unfair Competition Law (UCL)

Key takeaways

  • Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
  • Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared
  • Run data protection assessments for any processing of personal data for targeted advertising, selling of personal data, or processing of sensitive data

Privado AI continuously scans websites and apps to reveal exactly which trackers fire, what data they share, and whether users' consent choices are actually enforced.

Industry insights you won’t delete. Delivered to your inbox.

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Continue Reading