By Dr. Kyle Conkle
Recent developments in online advertising continue to highlight the growing tension between user privacy expectations and the commercial realities of digital platforms. As programmatic advertising, identity resolution, and cross-device tracking have become standard tools for monetizing online engagement, organizations increasingly rely on third-party technologies to generate revenue at scale. At the same time, regulators and courts have shown greater willingness to scrutinize data practices that operate largely out of public view. A class-action lawsuit filed against the National Collegiate Athletic Association (NCAA) and Turner Sports Interactive, Inc. provides a timely case study of this tension, alleging that visitors to NCAA.com were subjected to unauthorized tracking and data monetization in violation of the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 638.51.
The case centers on the NCAA’s alleged use of multiple third-party tracking technologies embedded throughout its website via advertising, analytics, and engagement tools. According to the complaint, these trackers collected routing and addressing information, like IP addresses, along with device characteristics and browsing behavior, without user consent or court authorization. The plaintiffs argue that this conduct falls within CIPA’s prohibition on the use of “pen registers,” a term traditionally associated with telephone surveillance but increasingly applied to digital technologies that capture identifying information about electronic communications. Although these tools do not record message content, the statute focuses on the collection of signaling and routing data, placing modern web tracking squarely within its scope.
Several specific tracking technologies are identified in the complaint. The Adform Tracker, a widely used advertising technology product, is alleged to collect IP addresses, device attributes, and browsing activity in order to optimize advertising campaigns. Installed through the NCAA’s servers, the tracker enables ongoing monitoring across sessions and websites, feeding data into Adform’s broader advertising ecosystem. The plaintiffs allege users are rarely aware of the extent or immediacy of this data collection. Similar claims are made regarding the OpenX Tracker, operated by a California-based data broker and supply-side platform. OpenX’s technology is described as collecting extensive personal data, including persistent identifiers, browsing histories, inferred interests, and geolocation signals, while linking activity across devices through cookies. This information is then shared with advertising partners, allowing the creation and monetization of detailed user profiles.
The complaint also focuses on the Adnxs Tracker, part of Microsoft’s advertising ecosystem (formerly Xandr), which operates through real-time bidding and ad-serving infrastructure. This tracker allegedly collects IP addresses and device identifiers and uses fingerprinting techniques to associate multiple sessions with individual users. Data gathered through this system may then be shared with additional platforms, including behavioral automation tools such as Wunderkind’s Bounce Exchange Tracker. Wunderkind’s technology is characterized as an identity-resolution and engagement platform that links browsing behavior and persistent cookies to a broader identity network. Integration with social media advertising tools further expands the reach and value of the collected data, showing how it could be used well beyond the NCAA website itself.
The named plaintiffs, Maren Anderson and Valeria Gonzalez, describe experiences that the complaint presents as typical of affected users. Both are California residents who visited NCAA.com in 2025 and allege that their browsers received multiple third-party trackers during those visits. According to the plaintiffs, these trackers collected IP addresses and related data without notice or consent, and the information was used to analyze marketing performance, target advertising, and generate revenue for the defendants. Neither plaintiff claims to have been aware of these practices at the time, and no court authorization was obtained. Their experiences are offered as examples of a broader, systematic approach to data collection affecting all California users who accessed the site during the relevant period.
From a legal perspective, the case raises questions that courts are increasingly confronting as privacy law collides with digital advertising practices. Central among these is whether web-based trackers qualify as pen registers when they capture routing and addressing information in real time. Other issues include whether users reasonably expect confidentiality when interacting with a public-facing website, whether privacy policies and cookie banners amount to meaningful consent, and whether third-party vendors embedded in a website should be treated as independent recipients of user data or as service providers acting on the site operator’s behalf. The plaintiffs have brought the case as a proposed class action, arguing that these issues can be resolved on a class-wide basis because the same tracking tools and disclosures applied uniformly to all users.
The defendants are expected to raise several defenses commonly seen in CIPA litigation. They are likely to argue that no unlawful interception occurred because the data was collected as part of normal website operations and received by parties to the communication rather than by outside eavesdroppers. Similarly, they may contend that third-party vendors functioned as technical service providers, not independent data recipients. Consent-based defenses are also likely, relying on privacy policies, terms of use, and implied consent through continued website use. Defendants may further argue that interactions with a publicly accessible sports website lack the confidentiality required to trigger CIPA protections, or that plaintiffs have not suffered any concrete harm beyond a technical statutory violation.
Courts have taken varied approaches to these arguments. While some CIPA claims have been dismissed early, many survive initial motions because questions of consent, agency, and reasonable expectations of privacy tend to be fact-specific. As a result, early dismissal is far from guaranteed. For institutional defendants, the most significant pressure point often arises at class certification, where differences in user experience, device settings, and disclosure practices may undermine the plaintiffs’ ability to proceed on a class-wide basis. Even so, the potential for statutory damages of up to $5,000 per violation creates substantial settlement pressure. At scale, theoretical exposure can reach into the tens of millions of dollars, which can heavily influence litigation strategy.
The risks extend beyond monetary damages. Privacy litigation frequently involves invasive discovery into website code, data flows, vendor contracts, and internal decision-making, exposing organizations to reputational harm as well as operational disruption. Injunctive relief may require changes in areas like consent mechanisms, data-sharing arrangements, and even relationships with technology vendors, imposing compliance obligations that last long after a case is resolved.
More broadly, the lawsuit reflects deeper structural issues within the digital advertising ecosystem. Third-party trackers, data brokers, and identity-resolution platforms enable highly efficient monetization but often operate in ways that are difficult for users to see or understand. As California privacy law, the California Consumer Privacy Act, and international frameworks such as the GDPR continue to evolve, organizations that operate high-traffic websites face growing pressure to balance revenue generation with transparency and user trust. For stakeholders in sport, media, and higher education, all sectors that depend heavily on public credibility, these trade-offs may be more consequential than currently anticipated.
Viewed in this light, the NCAA website litigation is not just a discrete legal dispute; it illustrates how older privacy statutes are being applied to modern technologies. It also shows how procedural dynamics such as class certification shape real-world risk and how digital monetization strategies can carry legal and ethical consequences well beyond initial financial exposure. Regardless of its ultimate outcome, the case underscores the need for organizations to reassess how they collect, share, and monetize user data in an environment where privacy expectations and legal standards continue to shift.
