
Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.
Thank you!
Please check your email to view the guide.

A proposed class action, filed on May 12, 2026, alleges that Pfizer's website continued to track visitors and share their data with Google through advertising tools after they selected "Decline All" on the site's consent banner.
Paul Nakamura, a California resident, alleges he visited Pfizer's website in July 2025 to research COVID-19 vaccine information. When the consent banner appeared, he selected "Decline All" to reject non-essential tracking.
Despite that opt-out, the complaint alleges that Pfizer's website continued transmitting data to third parties, including Google.
The alleged tracked data includes pages viewed, clicked links, device and browser information, approximate geolocation, and identifiers that could link a visitor across sessions or websites.
The proposed class covers users nationwide who visited Pfizer's website, interacted with the privacy banner or consent settings, and did not accept tracking during the applicable limitations period. A California subclass is also proposed for the state-law claims.
A federal Wiretap Act claim alleges that Pfizer's tracking tools intercepted visitors' electronic communications and transmitted them to third parties without consent. This is the same statute at the center of a growing wave of advertising tracker litigation.
A CIPA claim alleges that the tracking tools functioned as pen registers or trap-and-trace devices by recording IP addresses, device identifiers, and browsing data. Courts remain divided on whether web tracking technologies fall within the scope of this statute.
Consumer protection claims allege that Pfizer made representations through its consent banner and privacy settings that users could reject tracking, but the tracking occurred anyway.
This case follows a clear pattern. A consent banner tells users they can decline tracking. The user declines. But the scripts fire anyway.
The practical question is whether your consent management platform actually blocks the relevant tags when a user selects "Decline All." Google Ads, DoubleClick, and similar tags must not execute before consent is granted or after it is refused.
A tag manager misconfiguration, an incorrectly scoped consent signal, or a third-party script that bypasses the CMP can all create the gap this lawsuit describes.
If your site tells users they can opt out, but the data still flows, you have a gap between your consent banner and your actual tag behavior. That gap is exactly what plaintiffs' attorneys are testing.
Privado AI's Web Auditor continuously scans websites to verify that no tracking pixels or analytics tags transmit user data before consent is captured, and flags any scripts with access to sensitive input fields.