Website Tracking, Data Breaches, and AI Class Actions: Managing Escalating Technology Litigation Risk
April 01, 2026
A wave of privacy- and technology-driven class actions is reshaping litigation exposure for companies that operate consumer-facing websites, manage sensitive data, or deploy artificial intelligence (AI) tools. Plaintiffs are advancing aggressive litigation theories under decades-old wiretapping statutes and state and federal consumer protection laws applied to AI and algorithmic systems. Courts have allowed many of these claims to proceed past the pleading stage, increasing settlement leverage and elevating risk to the enterprise and board level.
Additionally, plaintiffs are increasingly using state consumer protection theories to advance their data breach class action claims.
For executives and in-house counsel, the implications are immediate. Routine digital practices such as cookies, tracking pixels, session replay tools, cybersecurity controls, AI-driven marketing, and pricing algorithms are all now being scrutinized through the lens of class litigation.
This Insight summarizes our recent Morgan Lewis Class Action Academy webinar, examining the major litigation trends and practical considerations for risk mitigation.
Key Takeaways
- Legacy statutes are being applied to modern digital tools: Website tracking, cybersecurity, and AI systems are increasingly challenged under wiretapping and consumer protection theories.
- Procedural leverage has shifted: Courts are allowing more claims to proceed past the pleading stage, increasing settlement pressure and making class certification the critical inflection point.
- Governance decisions shape litigation risk: Incident response, documentation, vendor oversight, and internal controls frequently become central evidence.
- AI is being evaluated under traditional unfairness and deception standards: Marketing claims, data practices, and algorithmic outputs are now drawing increased litigation attention.
Wiretapping Statutes Meet Modern Website Technology
Plaintiffs have increasingly relied on state and federal wiretapping laws (many originally drafted to address telephone interception) to challenge website tracking technologies. Frequently invoked statutes include the California Invasion of Privacy Act, the federal Electronic Communications Privacy Act, Pennsylvania’s Wiretapping and Electronic Surveillance Control Act, and Florida’s Security of Communications Act.
These statutes carry statutory damages that can range from $1,000 to $10,000 per violation. When applied to website visitors on a classwide basis, potential exposure escalates quickly.
The theory underlying many of these suits is straightforward but expansive: when a user visits a website, the interaction constitutes a “communication,” and embedded third-party tracking tools act as unauthorized “interceptors.” Technologies targeted in these cases include session replay tools, tracking pixels, cookies, chatbots, software development kits (SDKs), and pen register–type processes. Because these tools are widely used across industries, the litigation risk is not limited to a particular sector. While retailers are perhaps the most frequent targets, businesses in manufacturing, B2B services, and other sectors are also seeing these claims.
Courts have fueled litigation activity by declining to narrow broadly worded statutes at the motion to dismiss stage. In some cases, courts have allowed plaintiffs to argue that website tracking tools qualify as “processes” under statutory pen register provisions. Even where ultimate liability remains uncertain, survival past the pleading stage significantly increases settlement pressure.
Companies confronting website tracking claims should take a structured approach to litigation strategy and governance controls, including the following steps:
- Assess threshold defenses early, including standing, consent through privacy policies or cookie banners, whether the alleged conduct constitutes “interception” of “contents,” and whether arbitration clauses or class action waivers apply.
- Anticipate class certification arguments, focusing on individualized issues such as variations in user consent, browser settings, and the specific data collected, which may present meaningful barriers to certification.
- Elevate governance of tracking technologies, recognizing that website tools should no longer be treated solely as marketing infrastructure but as potential litigation triggers.
- Conduct regular audits and align disclosures with practice, ensuring that deployed technologies match public-facing privacy statements and that vendor oversight is structured and documented.
- Negotiate broad, comprehensive settlement releases, where appropriate, to reduce the risk of serial or copycat claims.
Data Breaches and the Class Action ‘When,’ Not ‘If’
Cybersecurity incidents have become a routine trigger for class litigation. Plaintiffs increasingly file suit even where the volume or sensitivity of data is limited. Industry data underscores the financial impact: the global average total cost of a data breach is approximately $4.4 million, while the US average exceeds $10 million. Litigation and regulatory investigations account for a significant portion of those costs.
Negligence remains the most common cause of action in breach cases, with courts evaluating duty, reasonable care, damages, and foreseeability. However, plaintiffs often add claims for intrusion upon seclusion, breach of implied contract, unjust enrichment, violations of state consumer protection laws, and state data breach statutes. Because numerous states provide private rights of action in this space, multistate exposure is common.
Class certification is a central battleground in breach litigation. Variability in the type of data compromised, differences in state statutory triggers, divergent consumer protection standards, and individualized questions of causation and injury can undermine commonality and predominance. Arbitration clauses and class action waivers, where applicable, may also reshape the litigation posture.
Class action defense begins in the earliest stages of incident response. Companies should approach a cybersecurity event with litigation exposure in mind and consider the following practical steps:
- Assume litigation is likely and integrate defense strategy from day one: Ensure communications, forensic investigations, and internal assessments are coordinated, accurate, and defensible.
- Carefully evaluate and document the scope of impacted data: This should include how uniform (or non-uniform) the affected data sets are across individuals, as this analysis can shape class certification arguments.
- Manage external communications with precision and coordinate across legal, information technology, communications, and executive leadership: Fragmented responses or statements that overstate, speculate about, or mischaracterize risk can significantly amplify exposure.
- Evaluate early resolution options where appropriate: This should include whether a claims-made or other structured settlement may be strategically advantageous in light of certification risk and data variability.
- Strengthen internal controls, training, and reporting mechanisms: These are not only compliance measures, but can be demonstrable evidence of reasonable care in anticipated litigation.
For boards and senior management, breach preparedness must be treated as litigation preparedness. The quality of documentation, governance oversight, and response coordination in the immediate aftermath of an incident often determines the trajectory of any subsequent class action.
Artificial Intelligence and Consumer Protection Theories
In the absence of comprehensive federal AI legislation, regulators and private plaintiffs have turned to existing consumer protection statutes, including Section 5 of the Federal Trade Commission (FTC) Act and state “mini-FTC” laws. These technology-neutral frameworks are now being used to challenge allegedly deceptive marketing claims, undisclosed data practices, and automated decision-making systems that plaintiffs contend are unfair or misleading.
Recent cases have focused on marketing claims that allegedly overstate AI capabilities, discriminatory or biased algorithmic outputs, use of scraped or biometric training data, chatbot design that allegedly creates foreseeable harm, and AI transcription tools that raise recording and consent issues.
In some matters, plaintiffs have sought not only damages or injunctions but also structural remedies such as monitoring, data or model deletion, and algorithm testing mandates.
Courts evaluating these claims are not creating new AI-specific doctrines. Instead, they are applying familiar tests centered on specificity of representations, materiality, reliance, causation, internal documentation, and foreseeability. This means that litigation outcomes often turn less on abstract technological novelty and more on what companies said, what they documented, and how they governed the technology.
Governance is therefore critical. Companies deploying AI tools should take the following steps:
- Maintain a centralized inventory of AI systems, with visibility across business units and functions.
- Document data sources and usage rights, including the provenance of training data and any applicable contractual or regulatory constraints.
- Conduct rigorous vendor due diligence, particularly where third-party tools influence pricing, hiring, or consumer-facing decisions.
- Align marketing and investor disclosures with actual system capabilities and limitations, ensuring that public statements are precise and supportable.
- Implement periodic testing and auditing, especially in high-impact use cases such as hiring, pricing, or recommendation systems, to demonstrate good-faith compliance efforts if challenged.
This type of documented oversight can materially affect both regulatory posture and class action defense strategy.
Strategic Considerations for Corporate Leadership
Across wiretapping, data breach, and AI litigation, several themes are emerging. Plaintiffs are repurposing older statutes for modern technologies. Courts are often allowing claims to advance past the pleading stage. State-level enforcement and private class actions frequently proceed in parallel. And governance failures, rather than purely technical failures, often sit at the center of the allegations.
For executive leadership, the risk is not confined to legal departments. Website configuration, cybersecurity architecture, vendor management, marketing claims, and AI deployment decisions all carry litigation implications. These issues increasingly require cross-functional oversight, disciplined documentation, and board-level visibility.
Technology-enabled business models remain central to growth strategies, but they are also central to plaintiffs’ theories of liability. Companies that embed legal review into product development, align disclosures with operational reality, and engage counsel early when issues arise will be better positioned to manage exposure as this litigation landscape continues to evolve.
How We Can Help
Morgan Lewis’s global class and group actions team represents clients in complex consumer class actions, collective actions, group litigation, and mass arbitrations in the United States and internationally, including privacy, cybersecurity, technology, and AI-related disputes. We advise companies from pre-suit risk assessment and investigations through class certification, merits defense, settlement, appeals, and parallel government inquiries, coordinating cross-border strategies that align legal defense with business and reputational priorities.