CIPA Litigation Prevention Guide

Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.

Thank you!
Please check your email to view the guide.

Pfizer faces CIPA class action over alleged post-opt-out personal data sharing

July 7, 2026
5
 mins read
Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm
Pfizer CIPA lawsuit

A proposed class action, filed on May 12, 2026, alleges that Pfizer's website continued to track visitors and share their data with Google through advertising tools after they selected "Decline All" on the site's consent banner.

  • The complaint alleges Pfizer used Google Ads and Google DoubleClick trackers to collect browsing data, device identifiers, and approximate geolocation, then shared it with third parties after the plaintiff opted out
  • The lawsuit invokes the federal Wiretap Act, the California Invasion of Privacy Act (CIPA) pen-register provisions, the California Consumer Legal Remedies Act, and the California Unfair Competition Law
  • Pfizer was served on May 18, 2026 and its answer is due on June 8, 2026 in the Southern District of New York

What is this case about?

Paul Nakamura, a California resident, alleges he visited Pfizer's website in July 2025 to research COVID-19 vaccine information. When the consent banner appeared, he selected "Decline All" to reject non-essential tracking.

Despite that opt-out, the complaint alleges that Pfizer's website continued transmitting data to third parties, including Google.

The alleged tracked data includes pages viewed, clicked links, device and browser information, approximate geolocation, and identifiers that could link a visitor across sessions or websites.

The proposed class covers users nationwide who visited Pfizer's website, interacted with the privacy banner or consent settings, and did not accept tracking during the applicable limitations period. A California subclass is also proposed for the state-law claims.

What laws were allegedly violated and why?

A federal Wiretap Act claim alleges that Pfizer's tracking tools intercepted visitors' electronic communications and transmitted them to third parties without consent. This is the same statute at the center of a growing wave of advertising tracker litigation.

A CIPA claim alleges that the tracking tools functioned as pen registers or trap-and-trace devices by recording IP addresses, device identifiers, and browsing data. Courts remain divided on whether web tracking technologies fall within the scope of this statute.

Consumer protection claims allege that Pfizer made representations through its consent banner and privacy settings that users could reject tracking, but the tracking occurred anyway.

What should privacy teams take away?

This case follows a clear pattern. A consent banner tells users they can decline tracking. The user declines. But the scripts fire anyway.

The practical question is whether your consent management platform actually blocks the relevant tags when a user selects "Decline All." Google Ads, DoubleClick, and similar tags must not execute before consent is granted or after it is refused. 

A tag manager misconfiguration, an incorrectly scoped consent signal, or a third-party script that bypasses the CMP can all create the gap this lawsuit describes.

If your site tells users they can opt out, but the data still flows, you have a gap between your consent banner and your actual tag behavior. That gap is exactly what plaintiffs' attorneys are testing.

Key takeaways

  • Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
  • Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared
  • Run data protection assessments for any processing of personal data for targeted advertising, the selling of personal data, or the processing of sensitive data

Privado AI's Web Auditor continuously scans websites to verify that no tracking pixels or analytics tags transmit user data before consent is captured, and flags any scripts with access to sensitive input fields.

Industry insights you won’t delete. Delivered to your inbox.

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Continue Reading