The LinkedIn Pixel and CCPA: Why Businesses Are Getting Lawsuit Letters
If you’ve recently received a demand letter from a law firm claiming your website violated California privacy laws, you’re not alone. Across the country, businesses are opening their mail to find legal notices alleging that a small piece of tracking code on their website has exposed them to significant liability under the California Consumer Privacy Act (CCPA) and related privacy laws.
The culprit? LinkedIn’s Insight Tag, a tracking pixel similar to Meta’s Facebook Pixel, which has become the latest target in an expanding wave of privacy litigation. What many business owners thought was a helpful marketing tool is now triggering class action lawsuits, particularly when used on websites that collect sensitive information.
Let’s break down what’s happening, why these lawsuits are gaining traction, and what you need to know to protect your business.
What Is the LinkedIn Insight Tag?
LinkedIn’s Insight Tag is a snippet of JavaScript code, backed by LinkedIn cookies, that businesses can embed into their websites to track visitor activity. Think of it as a tiny invisible tracker that watches what visitors do on your site, then reports back to LinkedIn.
After matching website visitors with their LinkedIn accounts, LinkedIn provides companies with consumer engagement analytics based on the collected data to improve their marketing strategies and targeted ad campaigns. For businesses, this seems like a no-brainer. You get valuable data about who’s visiting your site, what they’re interested in, and how to reach them with targeted ads on LinkedIn later.
The problem is that this tracking happens whether users know about it or not, and the data being collected can be far more sensitive than businesses realize.
The Wave of LinkedIn Privacy Lawsuits
LinkedIn has recently been hit with three digital privacy class actions contending that it illegally intercepted users’ sensitive information to use in targeted advertising. These aren’t isolated incidents. They’re part of a broader pattern that’s making privacy attorneys take notice.
The claims were brought on behalf of class members who made appointments on the websites of health care companies.
The complaints accuse LinkedIn of accessing users’ private personal and health care information, such as gender, sexual orientation and the conditions for which they were seeking treatment, via its tracking tool, the LinkedIn Insight Tag, which was installed on the companies’ websites.
But healthcare isn’t the only sector getting hit. One day after an investigation by The Markup and CalMatters, LinkedIn and Google were hit with a proposed class-action lawsuit alleging they improperly received confidential data from trackers on California’s health insurance exchange website. Even government websites aren’t immune from these privacy concerns.
Why LinkedIn Pixels Are Legal Landmines
The function of the tag is similar to Meta’s Facebook Pixel, a tracking tool that transmits data about users’ website interactions to Meta and has been targeted by dozens of class action privacy lawsuits since 2022, including allegations that the Big Tech giant unlawfully acquired customers’ private medical information via Pixel’s installation on hospital and health care provider websites.
The LinkedIn Insight Tag follows a similar playbook to Meta’s Pixel, which means it’s facing similar legal challenges. But there’s a key difference: many businesses that learned to be cautious with Facebook Pixel haven’t yet realized the same risks apply to LinkedIn’s tracking tool.
“Tracking technology litigation, including wiretapping claims under CIPA, can affect basically any company with a public-facing website,” said Stacy Boven, privacy and technology attorney at Nixon Peabody who leads the firm’s tracking technology team.
Read that again. Basically any company with a public-facing website. If that doesn’t get your attention, it should.
The Legal Framework: CCPA and CIPA
Understanding why these lawsuits are succeeding requires a quick look at two California laws that have become powerful tools for privacy litigation.
California Consumer Privacy Act (CCPA)
The CCPA provides for a private right of action for consumers if their “nonencrypted and nonredacted personal information” is subject to unauthorized access and exfiltration, theft, or disclosure caused by a business’s failure to “implement and maintain security procedures and practices”. Damages available to consumers under this private right of action provision can be as high as $750 per violation. (Walker, L. (2020). California’s Privacy Laws. Commercial Law World, 34(4), 38-41. & Kirzhakova, L. (2024). Facial Recognition Technology in the Market: What Consumers Need to Know to Protect Their Rights.)
Initially, the CCPA’s private right of action was understood to apply primarily to data breaches. But courts are now interpreting it more broadly. A trio of federal court decisions has emboldened the plaintiffs’ bar with a new potential tool to wield in the ongoing wave of litigation targeting businesses for their use of routine website technologies.
In each case, the court adopted an expansive reading of the CCPA’s private right of action, allowing claims to survive dismissal based on allegations that a business disclosed personal information to third-party technology providers without consumer consent.
This expansion is significant. What was once seen as routine website analytics is now being treated as potential unauthorized disclosure of personal information.
California Invasion of Privacy Act (CIPA)
CIPA is even more powerful for plaintiffs. CIPA’s private right of action provision requires only that a plaintiff be “injured by a violation” and statutory damages reach the greater of $5,000 or triple the actual damages suffered by the plaintiff. (Galanter, M. (1991). Punishment: Civil Style. Israel Law Review. https://doi.org/10.1017/s0021223700010748)
That’s right. $5,000 per violation, or triple damages. For a class action lawsuit with hundreds or thousands of website visitors, you can see how quickly the numbers become astronomical.
In Mirmalek v. LA Times Communications LLC, a court held that CCPA claims did not preempt CIPA claims, so future attempts to sue for privacy violations under the CCPA are likely to be accompanied by CIPA claims. This means businesses are often facing claims under multiple laws simultaneously, multiplying their potential exposure.
What Makes These Cases Different
You might be thinking, “But LinkedIn’s privacy policy covers this, right?” Not so fast.
LinkedIn users must agree with a privacy policy, a cookie policy, and, in California, a separate privacy disclosure to use the platform. However, despite language in its privacy policy stating it will collect personal data only when lawful, the plaintiffs claim that the company has unlawfully collected sensitive medical data from users.
Here’s the critical issue: According to the lawsuits, users often are unaware of which websites have embedded the Insight Tag and, therefore, cannot legally consent to the collection of their information. (LinkedIn Faces Digital Privacy Class Actions for Tracking User Personal and Health Care Information.)
Think about it from a user’s perspective. You visit a healthcare website to book an appointment. You’re not thinking about LinkedIn. You’re not on LinkedIn’s platform. You probably have no idea that LinkedIn is tracking your activity on this completely separate website. Yet your information, including potentially sensitive health data, is being transmitted to LinkedIn without your knowledge or explicit consent.
The Covered California Case: A Wake-Up Call
One of the most alarming examples came from California’s own health insurance exchange. The lawsuit, filed in the Northern District of California, cites forensic testing by The Markup and CalMatters, as well as research by the plaintiff, to allege that LinkedIn and Google received health data from web trackers on coveredca.com without the knowledge or consent of users.
The government entity that operates the exchange, Covered California, has since removed the trackers. A spokesperson said they had been used as part of an advertising campaign that began in February 2024.
Even a government website with presumably robust legal review ended up transmitting sensitive personal health information through tracking pixels. If it can happen to them, it can happen to any business.
The Bigger Picture: Pixel Litigation Is Exploding
LinkedIn pixels aren’t the only problem. This is part of a much larger trend. In 2024, pixel-related claims comprised 40% of privacy class actions, with plaintiffs seeking statutory damages that can escalate to millions for large user bases.
According to a March 2024 report, approximately 47 percent of websites utilize Meta Pixel, including 55 percent of those in the S&P 500, 58 percent in the retail industry, 42 percent in the finance sector, and 33 percent in the healthcare industry. This widespread adoption has created a target-rich environment for plaintiffs’ attorneys.
Broader trends show that 2024 to 2025 saw a 25% rise in pixel suits, with mass arbitrations bypassing class actions. The pace is accelerating, not slowing down.
LinkedIn’s Own Warnings (That Many Businesses Miss)
Here’s what’s particularly frustrating for businesses: LinkedIn actually warns against exactly the practices that are leading to these lawsuits. On its informational page about the Insight Tag, LinkedIn places the burden on websites that employ the tag not to use it in risky situations. The tag “should not be installed on web pages that collect or contain Sensitive Data,” the page advises, including “pages offering specific health-related or financial services or products to consumers”.
LinkedIn’s Ads Agreement explicitly states that customers should not “transfer to LinkedIn any data that you know or reasonably should know was collected from or about children under the age of 16, or constitutes Sensitive Data, including by way of installing the Insight Tag on a page that collects medical, financial, or other Sensitive Data about identified or identifiable individuals”.
The problem is that many businesses either don’t read these terms carefully, or they install the Insight Tag globally across their entire website without thinking through the implications for specific pages that collect sensitive information.
Who’s At Risk?
Based on the current wave of litigation, here are the businesses at highest risk:
Healthcare providers and related services: This includes hospitals, clinics, mental health services, fertility clinics, pharmacies, and any business offering health-related services. If your website allows users to book appointments, request information about treatments, or access patient portals, you’re in the danger zone.
Financial services: Banks, investment firms, insurance companies, tax preparation services, and anyone collecting financial information. Several lawsuits have targeted financial institutions for pixel tracking on pages where users apply for services or access their accounts.
Education services: Particularly those collecting information about students, which may trigger additional protections.
Government websites: As the Covered California case shows, even government entities aren’t immune, especially when providing health or financial services.
Any business with forms collecting personal information: Even if you’re not in one of the above categories, if your website has forms collecting names, emails, phone numbers, addresses, or other personal details, and you have a LinkedIn Insight Tag installed, you could be at risk.
What Plaintiffs’ Lawyers Are Looking For
The typical lawsuit alleges several key violations:
- Unauthorized interception of communications: Under CIPA, plaintiffs argue that the tracking pixel intercepts their communications with the website without consent.
- Failure to obtain proper consent: Users aren’t meaningfully informed that LinkedIn is tracking their activity on a third-party website.
- Inadequate security measures: Under the CCPA, plaintiffs argue that allowing third-party trackers to access personal information constitutes a failure to maintain reasonable security practices.
- Disclosure of sensitive personal information: Particularly in healthcare contexts, the transmission of health-related information to advertising platforms is alleged to violate multiple privacy protections.
The Anatomy of a Demand Letter
If you receive a demand letter related to LinkedIn pixels or other tracking technologies, here’s what you can typically expect:
The letter will likely come from a law firm specializing in privacy class actions. Common firms sending these letters include Bursor & Fisher, Swigart Law, Tauler Smith, and Pacific Trial Attorneys.
The letter will allege that your website’s use of tracking pixels violated one or more California privacy laws, typically CIPA and the CCPA. It will often reference forensic testing showing that your website transmitted user data to LinkedIn or other third parties.
You’ll be presented with a settlement demand, often for a significant sum. The letter may threaten a class action lawsuit if the matter isn’t resolved quickly.
Many businesses’ first instinct is to panic or to immediately agree to the settlement demand. Neither is the right response.
How Courts Are Ruling
The landscape is still evolving, and not all courts are ruling the same way. In a notable October 2025 ruling in Doe v. Eating Recovery Center LLC, the Northern District of California granted summary judgment dismissing a CIPA claim based on a website’s use of a third-party tracking pixel. The court found that the pixel’s data constituted the “contents” of a communication but that no reading or learning of contents occurred “in transit,” as required under CIPA.
The court harshly criticized CIPA’s ambiguous language and conflicting applications in the digital age, calling it a “total mess” and “virtually impossible to understand”.
However, this hasn’t stopped the wave of litigation. This year, two major cases involving unauthorized, non-breach disclosures of data survived motions to dismiss. Both involved online mental health platforms that disclosed user information to third-party advertisers.
The key takeaway is that while some businesses are successfully defending these claims, many are not. The law is unsettled, which means expensive litigation even if you ultimately prevail.
What You Should Do Right Now
If you have a LinkedIn Insight Tag or similar tracking pixels on your website, here’s your action plan:
1. Audit Your Website Immediately
Identify all tracking pixels and third-party scripts on your website. This includes LinkedIn Insight Tags, Meta Pixels, Google Analytics, and any other tracking technologies. Document where they’re installed and what data they might be collecting.
Pay special attention to:
- Forms collecting personal information
- Pages offering or describing health services
- Financial service pages
- Appointment booking systems
- Patient or customer portals
- Checkout or payment pages
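As a starting point for the audit in step 1, the following added example (not part of the original article) scans page markup for known tracker hosts and flags pages where a tracker sits alongside form fields that look personal or sensitive. The hostname list, the field-name hints and the sample pages are assumptions constructed for illustration.

```javascript
// Hostnames commonly associated with each tag (assumption: verify against
// your own browser network traces, since vendors change endpoints).
const TRACKER_HOSTS = new Map([
  ["snap.licdn.com", "LinkedIn Insight Tag"],
  ["px.ads.linkedin.com", "LinkedIn Insight Tag"],
  ["connect.facebook.net", "Meta Pixel"],
  ["www.googletagmanager.com", "Google tag / Tag Manager"],
  ["www.google-analytics.com", "Google Analytics"],
]);

// Hypothetical field-name hints for inputs that collect personal or sensitive data.
const SENSITIVE_FIELD = /name|email|phone|address|birth|ssn|insurance|condition|card|account/i;

// Collect vendors whose hosts appear anywhere in the markup: script src,
// noscript image beacons, or URLs inside inline loader code.
function findTrackers(html) {
  const vendors = new Set();
  for (const m of html.matchAll(/\/\/([a-z0-9.-]+)/gi)) {
    const vendor = TRACKER_HOSTS.get(m[1].toLowerCase());
    if (vendor) vendors.add(vendor);
  }
  return [...vendors].sort();
}

// Return the name attributes of form controls that look personal or sensitive.
function findSensitiveFields(html) {
  const fields = [];
  for (const tag of html.match(/<(?:input|select|textarea)\b[^>]*>/gi) || []) {
    const name = /\bname\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (name && SENSITIVE_FIELD.test(name[1])) fields.push(name[1]);
  }
  return fields;
}

// "high": a tracker shares a page with sensitive inputs; "review": tracker only.
function auditSite(pages) {
  return Object.entries(pages).map(([path, html]) => {
    const trackers = findTrackers(html);
    const fields = findSensitiveFields(html);
    const risk = trackers.length === 0 ? "none" : fields.length ? "high" : "review";
    return { path, trackers, fields, risk };
  });
}

// Constructed sample pages (not taken from any real site).
const SAMPLE_PAGES = {
  "/blog/post": `<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
    <article>Quarterly update</article>`,
  "/book-appointment": `<script>var s=document.createElement("script");
    s.src="https://connect.facebook.net/en_US/fbevents.js";</script>
    <noscript><img src="https://px.ads.linkedin.com/collect/?pid=0000000&fmt=gif"></noscript>
    <form><input name="full_name"><input name="email">
    <select name="condition"></select><input type="hidden" name="csrf"></form>`,
  "/about": `<form><input name="email"></form>`,
};

console.table(auditSite(SAMPLE_PAGES).map(r => ({
  ...r, trackers: r.trackers.join(", "), fields: r.fields.join(", "),
})));
```

Tags injected at runtime by a tag manager do not appear in static markup, so pair a scan like this with a browser network capture of each high-risk page.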
2. Review LinkedIn’s Restrictions
Go back and carefully read LinkedIn’s terms of service and documentation about the Insight Tag. LinkedIn’s guidance is clear that the tag “should not be installed on web pages that collect or contain Sensitive Data”.
If you’ve installed the tag globally across your site, you may be violating LinkedIn’s own terms, which strengthens plaintiffs’ arguments that you knew or should have known about the risks.
3. Remove or Restrict Problematic Tracking
If you’re in a high-risk category (healthcare, financial services, etc.), seriously consider removing the LinkedIn Insight Tag entirely, at least from pages that collect sensitive information. The marketing benefits rarely outweigh the legal risks.
If you want to keep some tracking functionality, work with a developer to ensure that tracking pixels are only active on low-risk pages that don’t collect personal or sensitive information.
4. Implement Proper Consent Mechanisms
Simply having a privacy policy isn’t enough. A 2025 amendment via SB 690 clarified exemptions for certain business-purpose cookies but maintained opt-out mandates.
You need clear, conspicuous consent mechanisms that:
- Inform users specifically about third-party tracking
- Name the third parties (like LinkedIn) receiving data
- Allow users to opt out before data collection begins
- Don’t hide critical information in lengthy privacy policies
Consider implementing a consent management platform that gives users granular control over different types of cookies and tracking.
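Steps 3 and 4 can be enforced in one place: a loader that refuses to inject a tag on sensitive pages and otherwise waits for a recorded, per-vendor choice. This is an added example, not code from the original article or from LinkedIn; the path list, the vendor registry and the shape of the consent object are hypothetical, and the default-deny behaviour is a design assumption.

```javascript
// Hypothetical path prefixes for pages that collect or contain sensitive data;
// build the real list from your own site audit.
const SENSITIVE_PREFIXES = ["/book-appointment", "/patient-portal", "/apply", "/checkout"];

// Hypothetical vendor registry: the name shown to the visitor in the consent
// banner and the script to load (commonly observed URL; verify before use).
const VENDORS = new Map([
  ["linkedin", { label: "LinkedIn", src: "https://snap.licdn.com/li.lms-analytics/insight.min.js" }],
]);

// Normalise the path so case, encoding, doubled or trailing slashes and query
// strings cannot slip a sensitive page past the prefix check.
function isSensitivePath(rawPath) {
  let p;
  try {
    p = decodeURIComponent(rawPath.split(/[?#]/)[0]).toLowerCase();
  } catch {
    return true; // malformed percent-encoding: fail closed
  }
  p = p.replace(/\/+/g, "/").replace(/\/$/, "") || "/";
  return SENSITIVE_PREFIXES.some(pre => p === pre || p.startsWith(pre + "/"));
}

// consent maps vendor key -> true/false as recorded by the banner.
// A missing entry means the visitor has not chosen yet, so nothing loads.
function decide(vendorKey, path, consent) {
  if (!VENDORS.has(vendorKey)) return { load: false, reason: "unknown vendor" };
  if (isSensitivePath(path)) return { load: false, reason: "sensitive page" };
  if (!consent || consent[vendorKey] !== true) return { load: false, reason: "no consent" };
  return { load: true, reason: "consented, low-risk page" };
}

// Inject the vendor script only when decide() allows it. doc is the page's
// document object; pass null outside a browser to get the verdict alone.
function loadVendor(vendorKey, path, consent, doc) {
  const verdict = decide(vendorKey, path, consent);
  if (verdict.load && doc) {
    const s = doc.createElement("script");
    s.async = true;
    s.src = VENDORS.get(vendorKey).src;
    doc.head.appendChild(s);
  }
  return verdict;
}

// Constructed demo inputs.
const doc = typeof document !== "undefined" ? document : null;
for (const [path, consent] of [
  ["/blog/post", { linkedin: true }],
  ["/blog/post", {}],
  ["/Book-Appointment/?step=2", { linkedin: true }],
]) {
  console.log(path, JSON.stringify(consent), "->", loadVendor("linkedin", path, consent, doc).reason);
}
```

The sensitive-page check runs before the consent check on purpose: a visitor's opt-in does not make the tag appropriate on a page that collects medical or financial data.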
5. Document Your Compliance Efforts
If you do get sued or receive a demand letter, having documentation of your compliance efforts can be valuable. Keep records of:
- When you conducted privacy audits
- What changes you made to tracking implementations
- Your consent mechanisms and how they were tested
- Training provided to staff about privacy compliance
- Legal guidance you sought
6. Review Your Insurance Coverage
Check whether your existing insurance policies cover privacy litigation. Some general liability or cyber insurance policies may provide coverage, but often with limitations. Consider whether additional coverage makes sense for your business.
7. Consult With Privacy Counsel
If you’re in a high-risk industry or have already received a demand letter, don’t go it alone. Privacy law is complex and rapidly evolving. An experienced privacy attorney can help you:
- Assess your actual risk level
- Respond appropriately to demand letters
- Negotiate reasonable settlements if necessary
- Defend against unfounded claims
- Implement compliant practices going forward
The Broader Context: Where Privacy Law Is Headed
The LinkedIn pixel litigation is part of a broader shift in how courts and regulators think about online privacy. In 2024, courts were particularly receptive to web tracking challenges brought under CIPA, but less receptive to the newer theories raised under TUCSRA.
But the direction is clear: users are gaining more privacy rights, and businesses face more restrictions on how they can collect and use personal data. This trend isn’t reversing.
Healthcare pixel tracking violations have cost the US healthcare industry over $100 million across 19 unique cases from 2023 to 2025, with 2023 marking a turning point, resulting in $37.15 million in penalties across eight cases.
These aren’t small settlements. The financial stakes are real and growing.
Common Misconceptions That Get Businesses In Trouble
Let’s address some dangerous misconceptions:
“But everyone uses these tracking pixels”: The fact that a practice is common doesn’t make it legal. Courts don’t care that 47% of websites use Meta Pixel or that LinkedIn Insight Tag is widely deployed.
“Our privacy policy covers this”: Having a privacy policy that mentions third-party tracking isn’t the same as obtaining meaningful consent. Users must be able to make an informed choice before their data is collected.
“We don’t use the sensitive data for anything bad”: Your intent doesn’t matter. The issue is that the data is being collected and transmitted in the first place, often without proper consent or security measures.
“LinkedIn is responsible, not us”: Wrong. Courts have found both the website operator and the tracking technology provider can be liable. You can’t outsource your privacy obligations.
“We’re too small to be targeted”: Plaintiffs’ lawyers are increasingly using automated tools to identify websites with tracking pixels. Size doesn’t protect you.
A Word on Settlement Demands
If you receive a settlement demand letter, understand that it’s the beginning of a negotiation, not a take-it-or-leave-it offer. Many of these letters are sent by firms that specialize in privacy litigation and are hoping for quick settlements.
That said, some legitimate claims are mixed in with opportunistic ones. Don’t assume every demand letter is baseless, but don’t assume it’s airtight either.
Work with experienced counsel to:
- Evaluate the strength of the claims
- Assess your actual risk if the case goes to trial
- Understand the full scope of your potential liability
- Negotiate from an informed position
- Consider whether early settlement or litigation makes more sense
The Bottom Line
The era of installing tracking pixels across your entire website without careful consideration of privacy implications is over. LinkedIn Insight Tags, Meta Pixels, and similar technologies can create significant legal exposure, particularly for businesses in healthcare, financial services, and other sectors handling sensitive information.
The lawsuits are real, the damages can be substantial, and the legal landscape is still evolving. But you’re not powerless. By understanding the risks, auditing your current practices, implementing proper consent mechanisms, and removing tracking from sensitive pages, you can significantly reduce your exposure.
The cost of compliance is almost always less than the cost of litigation. Act now, before the demand letter arrives.
