Key points:
- Three more states’ privacy laws take effect in January, covering half of U.S. consumers.
- Regulators and plaintiffs are targeting cookies, pixels, and chatbots for data misuse.
- Violations carry fines up to $7,500 per instance, with multimillion-dollar exposure possible.

With state privacy laws expanding and plaintiffs’ lawyers testing new theories, companies face mounting risks tied to cookies, pixels, and other web-tracking tools embedded in their sites. By early 2026, half of U.S. consumers will fall under state-level online privacy regimes as new laws take effect in Indiana, Kentucky, and Rhode Island.
“There’s a lot of risk right now in the website area, and it’s coming from all different places,” said Justin Yedor, a partner at BakerHostetler. “This is a topic that probably impacts virtually every business.”
The latest wave of enforcement builds on established regimes such as California’s Consumer Privacy Act (CCPA), which remains the most comprehensive U.S. state privacy statute. In July, the California attorney general sued San Francisco-based Healthline Media for allegedly transmitting user data to advertisers despite consumers opting out of such sharing.
According to the complaint, investigators discovered that Healthline’s website still deployed 118 advertising cookies even after a “triple opt-out” attempt, transmitting unique identifiers to dozens of ad networks. The case settled for $1.55 million in civil penalties, with Healthline agreeing to modify its site and enhance compliance. The company said it aims to remain “transparent with our on-site visitors” regarding data collection practices.
Cookies and tracking pixels—small data packets that record browsing activity—sit at the heart of most enforcement actions. Their use, while ubiquitous, can trigger obligations under privacy statutes if they transmit identifiable information or cross-site behavioral data. Yedor cautioned that vendors supporting websites may inadvertently shift from service providers to “data processors” under the law, potentially converting certain data flows into “sales” requiring consumer opt-outs.
“It’s important to understand what’s in your agreements,” he said. “That determines whether you must provide an opt-out to a consumer for a specific technology.”
Even outside regulatory enforcement, litigation risks are rising. Plaintiffs’ firms are increasingly invoking state and federal wiretapping laws to allege unlawful “eavesdropping” through website tools like chatbots, analytics pixels, and session replay software. Although many of these statutes were drafted for telephone communications, they have become a favored vehicle for privacy claims.
Yedor said BakerHostetler has developed a proprietary “cookie classification service” to help clients identify, catalog, and assess cookies for compliance purposes. “If you have a bunch of cookies on your site and you don’t know what they do—or whether the vendors are processors—that can pose a lot of risk,” he noted.
Recent legal developments suggest those risks are multiplying. In 2022, Partners Healthcare (now Mass General Brigham) agreed to an $18.4 million settlement after plaintiffs alleged its use of the Meta pixel exposed patient data from online portals to Facebook. In a client update, Holland & Knight attorneys Caitlin Saladrigas and William Farley wrote that similar theories are now being tested against companies using AI-driven analytics tools that transcribe or analyze customer service calls—potentially “the next wave of wiretap litigation.”
California Gov. Gavin Newsom this week signed new legislation restricting AI-powered chatbots aimed at minors, highlighting regulators’ growing attention to automated digital interactions.
State privacy laws generally lack private rights of action, but their per-violation penalties—often around $7,500—can quickly add up when multiplied across thousands of site visits. Yedor said overlapping enforcement by multiple states further compounds the risk. “Truly understand what tracking technologies are on your site, when they’re being set, and whether you have the right controls,” he advised.
For in-house counsel, that means ensuring web operations and marketing teams map every data flow—and that vendors, developers, and analytics providers understand that what once counted as simple website functionality is now a potential compliance minefield.









