Somewhere between the marketing team’s “let’s track applicant conversions” meeting and the first demand letter from a plaintiff’s attorney, corporate careers pages became privacy landmines. And this isn’t hypothetical anymore.
Recruiting vendors openly support placing Meta and other tracking pixels on career pages, job listings, application forms, and thank-you pages. The goal is straightforward: measure engagement and optimize recruiting campaigns. The problem is that the data collected on these pages can be far more sensitive than typical retail browsing — and the lawsuits are piling up.
A flood of class actions, demand letters, and arbitration proceedings has reframed routine website tracking tools as unlawful surveillance devices. Advertising pixels, analytics scripts, session-replay tools, and even AI chatbots are now fueling serious privacy litigation nationwide. The risk exposure is enormous. Every applicant, every employee logging into a benefits portal, and every patient scheduling an appointment online is a potential class member.
Why careers pages are uniquely dangerous
A visitor browsing a product page may have clicked around casually. A visitor on a careers page may have created an account, uploaded a resume, disclosed accommodation needs, completed self-identification forms, or revealed their application status. That’s a much more compelling story for a plaintiff.
Federal contractors, for example, may ask applicants to self-identify disability and protected-veteran status. EEOC guidance also contemplates accommodation requests during the application process. When tracking pixels fire on those exact pages, the data captured can include deeply personal information — the kind that makes courts pay attention.
Meanwhile, recruiting platforms actively encourage employers to place pixels precisely where applicant behavior is most valuable: job pages, apply pages, and confirmation pages. The business logic makes sense. The legal exposure, however, is severe.
The laws driving the litigation wave
Three statutory frameworks are behind most current pixel-tracking lawsuits. Each carries steep per-violation damages that make class-wide exposure staggering.
The first is the California Invasion of Privacy Act, or CIPA. Originally enacted in 1967 to address telephone wiretapping, it’s now being used to challenge common web-tracking tools. The argument is simple: pixels that collect IP addresses, device identifiers, timestamps, and browsing activity function as “pen registers” under the statute. CIPA provides $5,000 in damages per violation — with no requirement to prove actual harm. Multiply that across thousands of website visitors and the numbers become eye-opening.
The second is the Video Privacy Protection Act, or VPPA. This 1988 federal statute prohibits disclosure of video-viewing information without consent. Plaintiffs argue that when pixels transmit data about a user’s interaction with video content to third parties like Meta or Google, they violate the VPPA. Damages run at $2,500 per violation. The theory has produced significant settlements, including a $2.72 million class action resolution earlier this year.
The third category involves federal and state wiretapping statutes. The federal Wiretap Act and its state counterparts prohibit intercepting electronic communications without consent. Several states require all-party consent. Plaintiffs have argued that pixels and session-replay tools “intercept” communications between users and websites — creating liability that stacks on top of CIPA and state privacy obligations.
Recent court decisions have sent mixed signals, making it difficult for companies to assess their actual risk.
One of the most consequential rulings came in late 2025. In Camplisson v. Adidas, a Southern California federal court denied Adidas’ motion to dismiss a class action alleging that TikTok Pixel and Microsoft Bing tracking tools on the company’s website violated CIPA. The court rejected a narrow reading of the pen register definition. It also found that Adidas’ browsewrap consent — a privacy policy hyperlinked in the website footer — was inadequate because visitors were never required to agree before tracking began.
Just days later, another California court reached a partially similar conclusion in Wright v. TrueCare. A plaintiff plausibly stated a CIPA claim by alleging that Meta Pixel tracked her visit and Facebook ID. However, other claims were dismissed because the complaint didn’t identify specific sensitive medical information.
On the defense side, courts have pushed back in certain cases. Massachusetts’ highest court held that ordinary hospital-website browsing wasn’t covered by the state’s wiretap act when no private medical records or provider messages were intercepted. The Third Circuit found no standing where a plaintiff’s GameStop activity involved only mouse movements, clicks, and cart activity — with no sensitive personal information involved.
The Ninth Circuit reached a similar conclusion in a case involving pet-store browsing preferences. These rulings suggest that routine browsing facts may be too thin for federal court. But careers-page facts are often far more sensitive — which is exactly what makes them a more attractive target for plaintiffs.
It’s not just a California problem
Companies outside California aren’t safe either. In Briskin v. Shopify, the Ninth Circuit found jurisdiction was proper in California even though the defendant was based elsewhere. The reasoning: the company allegedly knew the user’s device was in California when it installed cookies and used the data to build consumer profiles.
For employers recruiting nationally, geography won’t provide a shield. If recruitment data is knowingly collected from Californians, California law may apply regardless of where the company is headquartered.
What companies should do now
There are practical steps that can reduce exposure and strengthen a defense if a demand letter arrives.
Start with a comprehensive tracking audit. Inventory every pixel, cookie, analytics script, session-replay tool, chatbot, and tag firing across employer-controlled properties. That includes careers pages, benefits portals, and patient-facing sites. Identify what each tool collects, when it fires relative to any consent interaction, and where the data goes.
Next, fix the consent architecture. A footer hyperlink to a privacy policy is not consent. Deploy cookie banners that require affirmative user action before any tracking fires. The language needs to be specific about the types of tracking in use and the purposes behind data collection. It must also offer genuine choice without dark patterns.
Then review privacy disclosures. Make sure they accurately reflect the tracking tools in use, the data being collected, and the third parties receiving it.
Finally, minimize collection. Remove advertising pixels from any page that can reveal applicant identity, application status, disability or accommodation information, veteran status, or free-text inputs. If a tracking tool isn’t essential to a legitimate business purpose, take it off.
