Greetings CIPAWorld!
Well, it was only a matter of time before the plaintiff’s bar set its sights on the biggest brand in American sports. With the FIFA World Cup dominating sports headlines this summer, you might think the NFL could lay low until kickoff in September. Think again. A new California Invasion of Privacy Act (“CIPA”) class action landed in Alameda County Superior Court, and the defendant is none other than NFL Enterprises LLC, the company behind NFL.com. The case is Kimmons v. NFL Enterprises LLC, No. 26CV197596 (Cal. Super. Ct., Alameda Cnty., filed July 6, 2026), and was filed on behalf of a proposed nationwide class and a California subclass.
So let’s kick it off with a breakdown. Plaintiff is a 49ers fan from San Leandro who visited NFL.com in and around January 2026 to check live scores and game schedules. See Compl. ¶¶ 6, 101. Sounds harmless enough, right? Not according to the complaint. Plaintiff alleges that the moment she landed on the site, the NFL caused a whole roster of trackers and cookies developed and operated by Google, The Trade Desk, Rubicon Project, OpenX, LogRocket, Inc., and Shape Security to be installed on her browser. Id. ¶ 2. And the numbers pleaded here are eye-popping. Forensic testing allegedly confirmed that the website deployed 182 third-party trackers, including 24 cookies, 4 separate canvas fingerprinting scripts, and 1 session recorder, with data flowing to four major advertising networks. Id. ¶ 52.
But here’s the allegation that really caught my attention. Opting out allegedly did not stop the tracking. The complaint acknowledges that NFL.com displays a cookie opt-out banner but claims the banner gives users a false and misleading sense of security for two reasons. Id. ¶ 79. First, the trackers allegedly deploy immediately upon a user landing on the website, so before a user can even configure their privacy choices, the trackers have already begun fingerprinting the device, recording the session, and downloading cookies and pixels. Id. ¶ 80. Second, opting out of cookies allegedly does nothing to stop session recorders, canvas fingerprinting, or other scripts that don’t rely on cookies to operate. Id. ¶ 81. In fact, the complaint alleges that after a user affirmatively opts out, the website continues to run 186 third-party trackers. Id. Yes, you read that correctly. Four more trackers after opting out than before.
Now let’s talk about the session recorder, because these allegations are the centerpiece here. Plaintiff alleges the NFL deployed session replay technology from LogRocket that intercepted, recorded, and transmitted user interactions in real time. See Compl. ¶ 53. The technology allegedly captured the full Document Object Model (“DOM”) state and a reconstructed visual replay of each browsing session, enabling LogRocket to reproduce exactly what the user saw, viewed, selected, and interacted with. Id. ¶ 54. We’re talking every mouse movement, cursor location, click, click coordinate, hover event, and navigation path, plus scrolling depth, speed, and direction. Id. ¶¶ 56–57. The session recorder allegedly captured keystrokes entered into search bars and other input fields, including the sequence and timing of individual keystrokes, regardless of whether the user deleted or submitted the entry. Id. ¶¶ 55, 105.
Next, which I find fascinating, the canvas fingerprinting allegations deserve a close look too. The complaint alleges the NFL deployed four separate canvas fingerprinting scripts, three through Google Tag Manager and one through Shape Security. Id. ¶¶ 66, 69. All four instances allegedly capture what the complaint calls the full trifecta of canvas-based fingerprinting signals, meaning font rendering, geometry rendering, and data URL extraction, which together produce a highly detailed, device-specific graphical signature reflecting the user’s GPU, graphics drivers, operating system font library, and browser rendering engine. Id. ¶ 68. Three of the Google Tag Manager instances are allegedly tied to Google Ads and Campaign Manager, which the complaint says shows the fingerprints are being collected for cross-site advertising attribution and user tracking. See Compl. ¶ 69. And because fingerprints don’t rely on cookies, they allegedly persist even when a user clears their browser data. Id. ¶ 28.
So what claims did Plaintiff bring? Five causes of action. Violations of CIPA sections 631(a) and 638.51(a), violations of the federal Wiretap Act under the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2510 et seq., violations of the California Computer Data Access and Fraud Act (“CDAFA”), Cal. Penal Code § 502, invasion of privacy under Article I, Section 1 of the California Constitution, and violations of California’s Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200 et seq.
If you’ve been following this space, the legal theories will look familiar. On the Section 631 wiretapping side, the complaint alleges the trackers intercepted the “contents” of communications, citing Mikulsky v. Bloomingdale’s, LLC, 2025 WL 1718225, at *1 (9th Cir. June 20, 2025) for the proposition that session recording technology captures “contents” for Section 631 purposes. The complaint also leans on Smith v. Rack Room Shoes, Inc., 2025 WL 1085169, at *4 (N.D. Cal. Apr. 4, 2025) and Ambriz v. Google, LLC, 2025 WL 830450, to argue the tracking vendors are unauthorized third-party interceptors rather than mere “extensions” of the website. On the Section 638.51 pen register side, the complaint invokes Greenley v. Kochava, Inc., 2023 WL 4833466 (S.D. Cal. July 27, 2023), alleging the trackers record outgoing routing, addressing, and signaling information, including IP addresses, without a court order or prior consent.
Based on these theories, Plaintiff seeks statutory damages of $5,000 per violation under CIPA section 637.2, statutory damages under the ECPA of the greater of $100 per day per violation or $10,000, plus restitution, injunctive relief, and attorneys’ fees. The complaint also puts a price tag on the data itself, alleging that the behavioral information collected has tremendous value and comparing it to focus group participation, which allegedly pays $30 to $500 per session. See Compl. ¶ 70. In other words, the theory goes, the NFL and its ad-tech partners took something valuable from users and never paid for it.
So what are the takeaways?
First, no brand is too big for the CIPA docket. The NFL is about as mainstream as defendants come, and this filing shows the plaintiff’s bar is perfectly comfortable running these theories at household names. If you operate a high-traffic consumer website, this case is another reminder that prominent brands and heavily trafficked websites remain attractive targets.
Second, the “opt-out that doesn’t opt you out” allegation is the one to watch. Pleading that 186 trackers kept running after the user declined cookies is a powerful narrative against a consent-based defense. If your cookie banner only governs cookies while session recorders and fingerprinting scripts keep firing, this complaint is a preview of how that gap may be pleaded against you. Additionally, the pre-consent deployment allegation goes right at the timing element courts have focused in on. Of course, keep in mind whether the banner governed all of the challenged technologies, whether adequate disclosures were presented, and whether legally valid consent was otherwise obtained are separate questions that will likely be contested.
Third, canvas fingerprinting is stepping more and more into the spotlight. We’ve watched pen register theories evolve from IP address collection to device fingerprinting, and this complaint includes unusual technical details supporting the fingerprinting allegations, right down to the specific rendering signals captured and the ad platforms the scripts feed into.
Fourth, and as always, remember this is a complaint, not a ruling. These are allegations only, and the NFL has yet to respond. But between the session recorder, the fingerprinting scripts, and the consent-banner allegations, this case checks nearly every box in the modern CIPA playbook. We’ll be watching how these theories fare.
Lastly, if reading this made you wonder what’s actually running on your website, that’s exactly the right question to be asking. A consent banner is only as effective as the technologies it actually controls. Companies should understand which scripts deploy before consent, which remain active after an opt-out, what information they collect, and where that information is transmitted. The team here at Troutman Amin, LLP regularly defends companies in CIPA and website-tracking class actions and helps businesses evaluate their tracking technologies, consent mechanisms, and litigation risk to ensure compliance. Reach out!
We’ll be tracking this one closely (pun fully intended). And remember, the best offense is a good defense.
As always, keep it legal, keep it smart, and stay ahead of the game.
Chat soon!
