top of page

XL INSIGHTS+
Legal Alerts and News Updates

Search

Tracking Cookies and Similar Technologies: Ordinary Uses Give Rise to Extraordinary Risks for Colleges and Universities

  • Litigation based on the use of tracking cookies and similar technologies, brought under various federal and state wiretap and other privacy laws, has increased steadily over the past several years.

  • While most litigation to date has involved for-profit businesses, a proposed class action lawsuit against a non-profit college was recently settled after surviving a motion to dismiss.

  • Colleges and universities should review the tracking cookies and similar technologies installed across their websites and implement notice and consent measures to reduce litigation risks.On August 1, 2025, the PRC Supreme People’s Court issued the Interpretation II on Issues Concerning the Application of Law in the Trial of Labor Dispute Cases, which establishes uniform legal standards in several employment situations that have raised questions in recent years, including the employment relationship in affiliation arrangements, foreign employees, double wages, and two consecutive fixed-term contracts.


What are Tracking Cookies and Similar Technologies?

 

Colleges and universities (collectively, “institutions of higher education” or “IHEs”) commonly use tracking cookies and similar technologies (e.g., tracking pixels) for purposes such as generating and analyzing website user analytics and serving targeted advertisements.

 

Such tracking cookies and similar technologies may, for example, track which webpages a user viewed, which buttons a user clicked, the locations a user scrolled to, and other webpages that the user navigated to before or after accessing the IHEs webpage. When such tracking cookies and similar technologies are installed and activated on IHE websites, this tracking occurs automatically and in a manner that is invisible to ordinary users unless users take certain actions to block or deactivate the tracking cookies and similar technologies.

 

IHE marketing or web development teams, or other individuals with website administrator access, often procure and install third-party tracking cookies and similar technologies on the IHE’s websites without needing approval from the IHE’s legal counsel, as many of the most popular tracking cookies and similar technologies (e.g., Meta Pixel or Google Analytics) are freely available and thus not subject to standard procurement processes and workflows. However, while such tracking cookies and similar technologies may be free of charge, they are certainly not free of legal risk.

 

Recent Litigation Trends and Case Studies

 

Many website owners, mostly for-profit businesses, have recently faced individual or class action lawsuits alleging that their uses of tracking cookies and similar technologies violate longstanding federal privacy laws, such as the Federal Wiretap Act or the Video Privacy Protection Act, or similar U.S. state wiretap or other privacy laws, such as the California Invasion of Privacy Act. Some such laws allow for statutory damages, making IHEs and other organizations that are subject to these laws attractive targets for class actions with damages amounting to millions of dollars when multiplied across thousands of website users.

 

For example, in late 2025, the developer of a sexual and reproductive health app agreed to pay an $8 million settlement to resolve allegations that it violated the California Invasion of Privacy Act, which allows for statutory damages of $5,000 per violation. In this class action, the plaintiffs alleged that the app shared users’ sensitive personal information with third-party providers of tracking technologies without obtaining the users’ consent.

 

Other laws, particularly state comprehensive data privacy laws, do not provide a private right of action but may be enforced with hefty fines issued by local enforcement authorities.

 

For example, this March the California Privacy Protection Agency Board issued a $1.10 million fine against a youth sports media company, whose services many IHEs use for athletics ticketing, finding that the company violated California’s comprehensive data privacy law, the California Consumer Privacy Act (“CCPA”). The findings included violations for failing to provide adequate privacy notices, as well as failing to provide sufficient mechanisms to enable website and mobile app users to easily opt-out of the use of tracking cookies to deliver targeted advertisements. While non-profit IHEs are not directly subject to the CCPA, there are currently six states with comprehensive data privacy laws similar to the CCPA that are potentially applicable to non-profit IHEs.

 

While most litigation to-date has involved for-profit companies, a recently settled case against a Michigan college serves as a stark reminder that non-profit IHEs are not immune to lawsuits based on their users of tracking cookies and similar technologies. In this putative class action, which survived a motion to dismiss, the plaintiffs alleged that the college violated the federal Video Privacy Protection Act, which allows for statutory damages of $2,500 per violation. The allegations were based on the college’s use of a third-party tracking technology to “augment its advertisements” (i.e., deliver targeted ads), which allegedly shared users’ video viewing activities with the third-party tracking technology provider without obtaining consent.

 

Takeaways and Recommendations for IHEs


Short of eliminating all uses of tracking cookies and similar technologies, there is no single, clear-cut way for IHEs to avoid litigation based on their uses of tracking cookies and similar technologies. However, litigation to-date has shown that robust privacy notices and consent are crucial to reduce litigation risks. IHEs should act now to:

 

  • Review all instances of tracking cookies and similar technologies used on IHE websites to understand their purposes and the types of personal information they share with third-party technology providers;

  • Consider requiring users to take an affirmative action to opt in to the use of any tracking cookies and similar technologies, and/or providing an easy way for users to opt out of the use of any tracking cookies and similar technologies, including through the use of a universal opt-out mechanism;

  • Develop and publish robust privacy notices to clearly inform website users of how the IHE uses tracking cookies and similar technologies, highlighting the types of personal information shared with third parties, any available methods to opt out of the use of tracking cookies and similar technologies, and the rights available to users under any applicable data privacy laws, such as U.S. state comprehensive data privacy laws; and

  • Implement processes and procedures to regularly audit the IHE’s use of tracking cookies and similar technologies and to require legal approval of any new uses, including any new uses of freely available third-party technologies that are not subject to standard procurement processes and workflows.



© 2024 XL Law & Consulting P.A. - A U.S. Corporation - Privacy Policy - Cookies Policy - Contact Us

 - 

The information provided on the XL Law & Consulting website is for educational purposes only. Nothing on this website should be construed as or relied upon as legal or other professional advice, nor does use of this website create an attorney-client relationship.

bottom of page