Private right of action isn’t just a talking point for future privacy laws; it’s already law. The California Invasion of Privacy Act (CIPA) has included an individual’s right to bring a civil suit since 1967.
With privacy under unprecedented attack by data brokers and social media, it is the wrong time to weaken these protections, as has been proposed in California Senate Bill 690, which passed the state Senate in June.
Attorneys in private practice are a key part of the privacy protection team, alongside journalists, researchers, legislators and regulators. After Frasco v. Flo Health (aka the “Flo case”), where a jury found that Meta violated CIPA by receiving menstrual cycle information from a mobile app, the private right of action is seen more than ever as an essential part of modern privacy enforcement.
But myths about whether CIPA is relevant to digital advertising persist. Here’s the reality.
Myth: Tracking pixel lawsuits rely on a dusty 1967 wiretapping law.
Reality: While CIPA dates back decades, it was updated in 2016 to cover electronic communications. The 2016 updates are the basis for today’s tracking-pixel cases.
Even in 1967, lawmakers anticipated the privacy risks of new technology:
“Advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications [and] such devices and techniques [have] created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.”
More recently, a 2024 legislative analysis confirmed that CIPA was meant to evolve alongside technology.
In other words, CIPA is far from obsolete.
Myth: Pixel-tracking cases fail for lack of injury.
Reality: Some early cases were dismissed, but plaintiffs have adapted. Because Big Tech keeps inflicting harm on users at scale, injury and therefore standing are (unfortunately) not the problem.
Awareness of the harms caused by Big Tech’s addiction to user tracking has gone fully mainstream. The Wall Street Journal covered Meta’s “epidemic of scams,” and Reuters reported that Meta estimated that it would earn 10% of its ad revenue from promoting scams and banned goods. Meanwhile, the FBI advises people to “use an ad blocking extension when performing internet searches” because of malware risks.
Companies sharing data with surveillance giants are part of these ongoing injuries.
Myth: Tracking lawsuits are turning public opinion against privacy lawyers.
Reality: Public sentiment is overwhelmingly against Big Tech’s data practices. Weakening privacy laws is unpopular and will only embolden harm.
Legitimate businesses already know they’re being squeezed by Big Tech. Big Tech firms scrape content and social media interactions for AI, steer consumers to fraudulent sellers who impersonate real retailers and brands, and even ignore reports of fraud and abuse.
Big Tech grows at 20% annually, while everyone else celebrates if they can keep up with the wider economy’s single-digit growth rate. Meanwhile, the largest companies keep taking a bigger and bigger piece of each sale.
Simply put, the surveillance advertising oligopoly is unsustainable, and legitimate businesses are going to have to move on from the status quo.
Myth: CIPA is obsolete now that California has passed CCPA and CPRA.
Reality: All of these laws work together. The 2024 legislative analysis of California’s SB 690 makes it clear:
“[T]he CCPA is not meant to operate to the exclusion of CIPA,” and, “While the CCPA may provide a remedy in some cases, it may not provide remedies in others. … This overlap between multiple privacy-related statutes seems to be particularly relevant where smaller websites rely on Facebook Pixel, or other tracking services, to track consumers across devices and sites.”
Myth: GDPR-style consent dialogs can fix wiretapping risk. Companies will be able to keep doing business as usual by adding GDPR-style consent dialogs to their site.
Reality: They can’t. EU regulators may tolerate confusing consent flows, but California law demands real consent.
In Calhoun v. Google, LLC, the 9th Circuit held that consent can’t rely on the average user decoding complicated legalese. Consent prompts must reflect what a reasonable person would understand.
In the Flo case, the jury found that even though users “agreed” to data collection, no valid consent existed because users did not understand the scope of what they were agreeing to.
The lesson: Adding one more consent-management click isn’t going to persuade a judge or a jury.
Takeaways for advertisers, publishers and legislators
The only sustainable solution will be to move away from surveillance, not disguise it with confusing banners and opt-ins.
Meanwhile, regulators should protect, not limit, private rights of action. It’s the only tool that allows citizens and attorneys to hold Big Tech accountable when government enforcement falls short.
The private right of action is not a historical relic; it’s the lifeblood of privacy enforcement. When regulators are underfunded and legislators divided, private attorneys remain the last line of defense.
“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Follow Don Marti, Robert Tauler and AdExchanger on LinkedIn.
