Pixels, Privacy, and the Price of Data: Financial Services Update

Not so pixel-perfect: growing trend of pixel litigation

The newest wave of consumer litigation impacting the financial services industry is “Pixel” litigation, wherein plaintiffs claim that tracking pixels, usually placed by third-party platforms such as Meta, Google, or other analytics providers, are transmitting data without permission from the user.

If embedded in a financial services website or customer portal, such tracking pixels could collect not only browsing information and activity, but sensitive data such as personal identifier information, loan numbers, and financial behaviors or spending patterns.

The new litigation trend includes claims sounding in violation of privacy (e.g., GLBA or HIPAA), wiretapping claims, and state consumer protection laws. Claimants contend that they did not give informed consent to the sharing of this data, and the strength of these claims may hinge on the adequacy of privacy disclosures and whether there is an option to opt-out.

A narrow win for Financial Institutions

In Stevens v. TD Bank (June 2025), the Court issued an opinion dismissing plaintiff’s pixel-related claims for violations of the GLBA, but the opinion rested on the fact that plaintiff failed to specifically allege what personal financial information was captured and how it caused harm.  Companies including those in the financial services sector can expect that plaintiffs will become more savvy in pleading their Pixel claims moving forward.

California’s SB 690: Relief or Regulatory Trap?

SB 690 was proposed to amend the California Invasion of Privacy Act (CIPA), providing a limited safe harbor for businesses using tracking pixels "for a commercial business purpose"—as long as those uses comply with the California Consumer Privacy Act (CCPA). The bill, which will not be reconsidered until 2026 and likely would not take effect before 2027, is designed to counter the recent flood of wiretapping lawsuits that treat pixel use as illegal interception of communications.

While SB 690 could shield financial institutions from CIPA claims if they use pixels for legitimate business functions (e.g., fraud prevention, site optimization), it still requires companies to meet stringent CCPA compliance standards—such as offering opt-outs, maintaining privacy notices, and not engaging in cross-contextual behavioral advertising without consent.

A Cautionary Tale: Healthcare Sector Settlements

Although not within the financial services sector, the recent $1.73 million settlement by Adena Health and a $7 million class action settlement agreed to by The Christ Hospital to resolve claims it shared patient information with third parties such as Facebook and Google over pixel tracking on its patient portal are both cautionary tales for our industry. In those cases, claims asserted against included negligence, unjust enrichment, and violation of federal wiretap laws.

Because financial information is guarded similarly to health data, if pixel technology results in the exposure of personally identifiable financial data (e.g., online behaviors, loan applications, transaction histories), similar legal theories may be applied in litigation against banking defendants. Financial services firms should take reasonable precautions to ensure that pixels are not placed on login pages or other secure parts of their websites without clear disclosure and informed user consent.

Conclusion