Online Tracking, Cookies, and US Privacy Law

Online tracking technologies — including HTTP cookies, pixel tags, fingerprinting scripts, and session replay tools — sit at the intersection of advertising infrastructure and consumer privacy rights. US law governs these technologies through a patchwork of federal statutes, Federal Trade Commission enforcement actions, and state-level frameworks, most notably the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). Understanding how these mechanisms are classified, what legal obligations attach to them, and where enforcement lines are drawn is essential for compliance professionals, privacy officers, and legal counsel operating in digital environments.

Definition and scope

Online tracking encompasses any technical method by which a website operator, third-party vendor, or data broker collects behavioral, device, or identity data about individuals navigating digital properties. The Federal Trade Commission (FTC) defines tracking broadly to include the collection of data across sites and services that are not owned by the same entity — a concept known as cross-context behavioral advertising.

Cookies are the foundational mechanism: small text files placed on a user's device that can persist across sessions (persistent cookies) or expire when the browser closes (session cookies). Beyond cookies, the tracking taxonomy includes:

1. First-party cookies — Set by the domain the user visits directly; used for authentication, shopping carts, and preferences.
2. Third-party cookies — Set by domains other than the one being visited; historically the backbone of cross-site advertising networks.
3. Pixel tags (web beacons) — Invisible 1×1 image files embedded in pages or emails that trigger a request to an external server, confirming delivery and often capturing IP address and user-agent strings.
4. Device fingerprinting — Aggregation of browser attributes (screen resolution, installed fonts, hardware identifiers) to create a probabilistic unique identifier without storing anything on the device.
5. Session replay scripts — Third-party code that records keystrokes, mouse movements, and page interactions in real time.

The Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA) provide baseline federal constraints on unauthorized interception and access, though neither statute was drafted with contemporary tracking architectures in mind.

How it works

A standard third-party tracking interaction proceeds through a defined sequence. When a user loads a webpage, the HTML instructs the browser to fetch assets from external domains. Each such request delivers cookies or fingerprinting scripts controlled by a network of data brokers or advertising platforms. The third party receives the HTTP request, the referrer URL (identifying the site the user is on), the user's IP address, and any previously set identifiers — constructing a behavioral profile across the full range of sites that have embedded that vendor's code.

Consent management frameworks modulate this flow by inserting a consent-signaling layer — typically implemented through the IAB Europe Transparency and Consent Framework (TCF) or a proprietary consent management platform (CMP) — that conditionally fires tracking scripts only after a user's affirmative consent is recorded. Under CCPA/CPRA compliance standards, the operative legal question is not consent per se but whether data is being "sold" or "shared" for cross-context behavioral advertising, which triggers opt-out rights regardless of whether a cookie banner is displayed.

The California Privacy Protection Agency (CPPA), created by CPRA, has explicit rulemaking authority over automated decision-making and profiling technologies, directly implicating the behavioral advertising stack. The CPPA's draft automated decision-making regulations, released in 2023, extend scrutiny to profiling systems that use tracked behavioral data as inputs.

Common scenarios

Advertising retargeting: A retail site embeds a pixel from an advertising exchange. A user who browses a product page is subsequently shown ads for that product on unrelated sites. This is the canonical cross-context behavioral advertising scenario regulated under CCPA/CPRA's opt-out right (California Civil Code §1798.120).

Healthcare and health data adjacency: A hospital system embeds analytics and Meta Pixel code on its patient portal login page. The pixel transmits URL strings that may encode condition or appointment type data to Meta's servers. The FTC and HHS Office for Civil Rights issued a joint warning letter in 2022 addressing this scenario, noting potential HIPAA violations when tracking technologies capture protected health information. This intersection is examined further under health data privacy beyond HIPAA.

Children's platforms: Sites directed to children under 13 are prohibited from deploying third-party tracking cookies for behavioral advertising under the Children's Online Protection Rule enforced by the FTC (COPPA, 15 U.S.C. §6501 et seq.). A 2023 FTC policy statement clarified that supporting third-party advertising through cookies on child-directed properties constitutes a COPPA violation. Further detail on this framework is covered under COPPA and children's online privacy.

Location data derived from tracking: IP-to-geolocation inference and GPS-precise tracking via mobile SDKs create a distinct legal surface, addressed in location data privacy standards, where state attorneys general have pursued enforcement against data brokers.

Decision boundaries

The operative legal distinctions in US tracking law cluster around four axes:

• First-party vs. third-party: First-party analytics (e.g., a site measuring its own traffic) generally faces fewer restrictions than data sharing with third-party advertising networks. CCPA/CPRA's "sharing" definition specifically targets cross-context behavioral advertising, which requires a third-party transfer.
• Sale vs. sharing: CPRA added "sharing" as a separate trigger from "sale," closing the loophole where no monetary exchange occurred but behavioral data was transferred to advertising platforms. Both now require opt-out mechanisms.
• Sensitive vs. non-sensitive data: Tracking that captures precise geolocation, health-related browsing, or data about minors triggers heightened obligations under both CPRA (Cal. Civ. Code §1798.121) and emerging state laws in Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA). The personal data classification taxonomy governs what qualifies as sensitive.
• Consent vs. opt-out models: CCPA/CPRA's default is opt-out for most tracking; opt-in consent is required only for sensitive data categories and minors aged 13–15. This differs structurally from the EU's GDPR, which requires opt-in consent for non-essential cookies as a default — a distinction material to multinational compliance programs reviewed under cross-border data transfers.

FTC privacy enforcement actions remain the primary federal mechanism for addressing deceptive or unfair tracking practices where no sector-specific statute applies — operating under Section 5 of the FTC Act (15 U.S.C. §45).

References

• Federal Trade Commission — Privacy and Security Enforcement
• California Privacy Protection Agency (CPPA)
• California Civil Code §1798.100 et seq. (CCPA/CPRA)
• HHS Office for Civil Rights — HIPAA and Online Tracking Technologies Guidance
• FTC — Children's Online Privacy Protection Act (COPPA)
• Electronic Communications Privacy Act — 18 U.S.C. Chapter 119
• IAB Transparency and Consent Framework (TCF) — IAB Tech Lab
• FTC Act Section 5 — 15 U.S.C. §45