All insights
Quarterly RoundupJuly 4, 2026 8 min read

Website Litigation Roundup: Q2 2026

Eight-figure pixel settlements, a hardening state-court line against pen-register claims, a live Supreme Court VPPA question, and a new front in the inbox. The quarter's developments and what shifted.

Risk intelligence, not legal advice. The patterns below are indicators that have appeared in real litigation or enforcement — not proof of a violation, and not a substitute for counsel.

The second quarter of 2026 did not resolve website-tracking litigation so much as sharpen its fault lines. Plaintiffs banked large settlements and a few favorable federal rulings; defendants won meaningful procedural victories and watched the California state-court line against pen-register theories harden further. Underneath it all, a Supreme Court question hangs over the most active federal statute, and a new theory moved from the website to the inbox.

Here is what mattered this quarter, and what it changed. As always, this is risk intelligence, not legal advice.

Settlements kept climbing — and stayed centered on health data

The quarter's headline numbers came from the healthcare sector, where tracking-pixel disclosures on patient portals continued to drive eight-figure resolutions.

Sutter Health reached a $21.5 million settlement resolving claims that tracking technologies — including Google Analytics and the Meta Pixel — on its MyHealthOnline patient portal disclosed patient information to third parties without consent, with final approval granted in late February and class claims running into the spring. Inova Health resolved comparable allegations for $3.1 million. The pattern is now familiar: an advertising or analytics tag on an authenticated health surface, transmitting identifiers and context it should never have touched. We walk through the mechanics of this fact pattern in our health-pixel autopsy.

The significance is less any single dollar figure than the durability of the theory. Health-pixel settlements have become a predictable cost of leaving advertising tags on portal pages, and the supply of class periods stretching back years has not run dry.

A defense win on class certification

Not every development favored plaintiffs. In late March, a federal court in the Northern District of California denied class certification in the Meta Pixel tax-filing cases — a reminder that the individualized questions baked into these claims (who was logged in, what consent existed, what each visitor actually did) can be a real obstacle to certifying a class even where the underlying conduct is undisputed. Certification denials do not end cases, but they sap the settlement leverage that makes them attractive, and defendants will cite this one.

The pen-register line hardened in state court

The California state-court trend against the Section 638.51 pen-register theory continued to firm up. Building on dismissals earlier in the year, courts this quarter reinforced the view that the trap-and-trace provisions were written for telephone surveillance and do not reach commercial website software — the same reasoning reflected in the Blaker v. NetScout decision. At the same time, the Southern District of California's Camplisson v. Adidas line — allowing wiretapping and pen-register theories against common trackers to proceed past the pleading stage — continued to pull the other way. The split we map in our pen-register jurisdiction piece did not close this quarter; it deepened.

The VPPA's central question is now at the Supreme Court

The Video Privacy Protection Act remained unsettled at the highest level. With the Supreme Court having taken up the question of who qualifies as a "consumer" under the statute, lower courts and litigants spent the quarter operating in the shadow of a pending decision that could either broaden the statute's reach nationwide or narrow it. Settlements continued regardless — BuzzFeed's $9 million VPPA resolution, covering account holders and newsletter subscribers who accessed videos while the Meta Pixel was active, is a reminder that defendants are still paying to exit these cases rather than wait for doctrinal clarity. Our VPPA signal covers the underlying split in depth.

A new front: email open-tracking pixels

The quarter's most notable expansion was directional. Plaintiffs began applying the same wiretap framing used against website pixels to the tracking pixels embedded in marketing emails — the invisible images that fire when a message is opened. The theory is that the open event is captured contemporaneously, as the recipient reads, which plaintiffs argue is interception in transit rather than after-the-fact recordkeeping. With a large majority of marketing email reportedly carrying at least one tracking pixel, the potential surface is enormous, and early rulings have divided on standing. We break down that mechanism in Email Open-Tracking Pixels. International pressure is converging from the same direction, with European regulators signaling consent expectations for email open-tracking. This is early, and the outcomes are genuinely uncertain — but it is the clearest sign yet that the wiretap theory is migrating beyond the web page.

What shifted, and what to re-check

Three things moved this quarter. The health-pixel settlement track became more entrenched. The state-versus-federal divide on pen-register theories widened rather than narrowed. And the wiretap theory found a new target in the inbox.

For anyone reassessing exposure heading into the second half of the year, the practical checklist is unchanged in kind but broader in scope:

  • Advertising and analytics tags on authenticated or sensitive pages, especially in healthcare.
  • Trackers transmitting IP address, full URLs, and identifiers on load, before any consent.
  • Session-replay and chat tools capturing input on forms.
  • Email programs relying on open-tracking pixels without recipient consent.
  • Whether "reject" on your consent banner actually withholds tags, across pages.

The developments change quarter to quarter; the underlying question does not. Running a detailed scan of your own site — and now, a look at your email program — is the fastest way to see which of these patterns you actually exhibit.

[Quarter-at-a-glance table: development, mechanism, and why it matters] [Trendline of disclosed pixel-related settlements by sector, 2024 to 2026]

Sources

See what your own pages do

The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.

Run a free scan

Keep reading