Why European Wax Center paid $5M CIPA settlement over website pixel tracking

On April 2, 2026, European Wax Center, Inc. agreed to a $5 million class settlement in Florida state court to resolve allegations that it ran the Meta Pixel and other tracking technologies on waxcenter.com without visitor consent.

• The lawsuit alleged violations of the California Invasion of Privacy Act (CIPA), the federal Electronic Communications Privacy Act (ECPA), and the Florida Security of Communications Act (FSCA)
• The class includes every US resident who visited waxcenter.com between June 30, 2023, and the date of preliminary approval; valid claimants receive $10, subject to pro rata reduction
• The complaint alleges data was disclosed to Meta, Attentive Mobile, LinkedIn, and Snap without consent

What is this case about?

The case is Cumor v. European Wax Center, Inc., filed in the 13th Judicial Circuit in Hillsborough County, Florida. 

The plaintiffs allege that waxcenter.com loaded the Meta Pixel and other third-party trackers that captured visitor information (including booking-related data) and disclosed it to advertising and marketing partners without consent.

The legal claims involved are now well established. ECPA, CIPA, and FSCA all derive from telephone wiretap statutes and are now being applied to third-party JavaScript on commercial websites.

The legal theory at play is that setting tracking technologies without consent amounts to intercepting a person’s communications with the website. Similar claims have led to hundreds of class action cases over the past decade.

An interesting quirk of the case is that to claim their $10 damages, claimants must attest that when they visited waxcenter.com they: 

• Did not have the Google Analytics opt-out add-on installed
• Were not blocking cookies via browser settings
• Were not using extensions to prevent tracking
• Were not in private browsing mode 

The deal explicitly excludes anyone who took meaningful steps to block the tracking.

Why does this matter for privacy teams?

European Wax Center’s alleged violations are far from uncommon. 

The beauty-services website was running standard third-party marketing pixels without an effective consent mechanism. 

CIPA's $5,000-per-violation statutory damages, multiplied across a multiyear class, can add up to eye-watering amounts. The $5 million settlement reflects the cost of avoiding that outcome.

The key learning is to ensure your marketing pixels are not firing before consent is captured. Tag managers, SDKs, and server-side tracking all need verification. A consent banner on the page is not enough if scripts fire before the user interacts with it.

Key takeaways

• Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
• Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared
• Run data protection assessments for any processing of personal data for targeted advertising, selling of personal data, or processing of sensitive data

Privado AI's Web Auditor continuously maps every tracker and advertising partner loaded on your site, flags pixels that fire before consent, and helps demonstrate that tracking activity matches documented user choices.