Another website-tracking class action has hit a familiar roadblock: class certification.
In Ingraham v. Capital One Financial Corp., No. 24-cv-05985-TLT (N.D. Cal. June 16, 2026), the Northern District of California denied certification of both nationwide and California classes arising out of allegations that Capital One improperly disclosed consumers’ information through website tracking technologies, including Meta Pixel, Google Analytics, Adobe Analytics, and other tools embedded on Capital One’s credit card application webpages.
The plaintiffs alleged that when consumers applied for credit cards through Capital One’s website, various tracking technologies transmitted personal and financial information to third parties without consent. According to plaintiffs, the information allegedly included data concerning credit card applications, browsing activity, employment information, bank account information, and other consumer data. But despite allegations of a uniform tracking ecosystem deployed across Capital One’s website, the court concluded that the case could not proceed on a classwide basis. And the reasons why should sound familiar to anyone defending website-tracking litigation.
The court’s first concern was a recurring issue in pixel and wiretapping cases: what information was actually transmitted?
Plaintiffs identified numerous categories of allegedly protected information that they contended were shared with third parties. The problem was that the record demonstrated that different users may have transmitted different information depending on their browser settings, browsing behavior, interactions with the website, and the particular tracking technology involved.
In other words, simply proving that a tracking technology existed on the website did not answer the question of what information was actually transmitted for any particular user.
The court found that determining whether information was transmitted, and if so, precisely what information was transmitted, would require individualized inquiries for each putative class member. Because plaintiffs could not demonstrate that the same categories of information were uniformly transmitted for all users, individualized issues predominated. But the opinion gets even more interesting when it turns to consent.
The plaintiffs argued that consent could be resolved through common proof because Capital One utilized common disclosures and privacy policies. The court disagreed. Relying on prior website-tracking decisions, the court emphasized that consent often depends on what disclosures a particular user encountered and what understanding that user developed from those disclosures. Some users may have seen different disclosures, some may have reviewed privacy policies differently, and California residents may have received additional notices not provided to others. As a result, determining whether any individual user expressly or impliedly consented would require a user-by-user analysis. This issue continues to create significant challenges for plaintiffs in website-tracking litigation.
Courts evaluating claims under the California Invasion of Privacy Act (“CIPA”), the Electronic Communications Privacy Act (“ECPA”), and similar privacy statutes have increasingly focused on consent as an individualized factual issue. Where consent depends on the disclosures a user encountered and the user’s understanding of those disclosures, predominance becomes difficult to establish.
The court then addressed another issue that has become increasingly important in privacy class actions: standing.
The court noted that it had previously reached different standing conclusions regarding the named plaintiffs themselves. One plaintiff was able to demonstrate a privacy interest sufficient to establish standing, while another was not. That distinction proved significant. According to the court, determining whether a particular class member suffered a concrete injury would require examining what information was transmitted, how it was transmitted, the nature of the information involved, and whether that individual had a privacy interest in the information at issue.
Those questions could not be answered through common proof. Instead, they would require the same fact-intensive analysis for potentially thousands or even millions of class members.
Read together with other recent website-tracking decisions, Ingraham reflects a growing trend. Courts are increasingly scrutinizing whether plaintiffs can establish common proof regarding three critical issues:
- What information was actually collected or transmitted;
- Whether users consented to the alleged disclosures; and
- Whether users suffered a concrete injury sufficient to establish standing.
The mere presence of a tracking technology on a website is often not enough.
For businesses defending website-tracking litigation, the decision provides another roadmap for opposing class certification. Variations in user behavior, browser settings, disclosures, consent, and the information actually transmitted may create individualized issues that overwhelm common questions.
The lessons here:
- The existence of website tracking technology alone may not support class certification.
- Plaintiffs increasingly must demonstrate a common method of proving what information was actually transmitted for every class member.
- Consent remains a powerful certification defense where users encounter different disclosures or privacy notices.
- Standing continues to present a significant obstacle in privacy class actions, particularly where individualized inquiries are required to determine whether any particular user suffered a concrete injury.
- Companies defending CIPA and website-tracking cases should focus early discovery efforts on differences in user experiences, disclosures, browser settings, and the specific information allegedly transmitted.
So here’s another reminder that the presence of a tracking technology may be enough to file a lawsuit, but it is not necessarily enough to certify a class.
Discover more from TCPAWorld
Subscribe to get the latest posts sent to your email.