Sony Settles for $16 Million Showing Web Tracker Lawsuits Continue to Expand

The latest round of class-action lawsuits is becoming increasingly creative and widespread, extending beyond the initial focus on healthcare organizations to target financial services and online retailers.

In the last month alone, we witnessed one of the most significant settlements under the Video Privacy Protection Act for 2023. Sony’s Crunchyroll, a video viewing service, settled a VPPA lawsuit for $16 million. The allegations included the unauthorized sharing of subscribers’ personal information and video viewing habits with third-party services such as Facebook, Google, and Adobe, facilitated by their online tracking technology.

In August 2022, we covered the first class-action lawsuits filed against hospitals for using the Meta pixel. Since then, the momentum has continued to build, resulting in more complex and creative cases. Over 30 hospitals have faced legal action, with over 100 Video Privacy Protection Act (VPPA) cases brought against various companies for unauthorized use of web trackers. 

Just this past September, a groundbreaking legal case emerged with the first-ever RICO (Racketeer Influenced and Corrupt Organizations Act) class-action lawsuit related to web trackers, targeting H&R Block. The lawsuit asserts that H&R Block, Meta, and Google collaborated to collect sensitive financial information from customers’ tax forms, aiming to boost profits through targeted ads based on that data.

This case unfolded after a year-long saga initiated by an investigation by the Markup, followed by a Senate committee inquiry. The committee’s findings, released in July 2023, and a warning from the Federal Trade Commission (FTC) regarding the misuse of customer data set the stage for this landmark RICO lawsuit. RICO lawsuits carry significant weight in the courts, making the defense against them notably more costly and extensive than traditional class-action suits involving privacy law violations like HIPAA, VPPA, and CIPA. Additionally, this case provides a roadmap for plaintiff attorneys to pursue more substantial and robust cases in the future.

While healthcare-related claims under HIPAA violations persist, the legal landscape is expanding into the retail sector. A recent class-action lawsuit targets retailer Costco, accusing them of allegedly sharing pharmacy patients’ data with Facebook via the Meta pixel.

Another healthcare development is GoodRx, which settled a $13 million lawsuit to avoid mass arbitration, addressing their alleged collection of users’ personal health information through online web trackers without consent. This legal action followed an earlier $1.5 million fine imposed by the FTC on GoodRx for the same issue earlier in the year.


The plaintiffs are becoming more creative with using the RICO statute, entering new industries, and double dipping by filing identical lawsuits in different states or filing a lawsuit following a regulatory fine. It is easy for these issues to compound in the current legal and regulatory environment. 

Companies utilizing third-party tracking tools such as Facebook, Google, and session replay technology on their websites need to be vigilant. Rather than facing costly lawsuits and regulatory actions, they should proactively mitigate these risks by implementing privacy software that safeguards their customers and organizations against unintentionally sharing personal information with unauthorized third parties.

LOKKER’S Privacy Edge software is a firewall against unauthorized data collection on websites. Request a free web privacy risk audit for your website to determine if it is collecting any data without proper consent: