NFL Enterprises LLC Faces CIPA Class Action Over 182 Website Trackers On NFL.com

NFL Enterprises LLC, the company behind NFL.com, is now facing a California Invasion of Privacy Act class action lawsuit filed in Alameda County Superior Court.

The case, Kimmons v. NFL Enterprises LLC, No. 26CV197596, was filed on July 6, 2026, on behalf of a proposed nationwide class and a California subclass.

The plaintiff is a San Francisco 49ers fan from San Leandro who visited NFL.com in and around January 2026 to check live scores and game schedules.

According to the complaint, the moment she landed on the site, a roster of trackers and cookies developed by Google, The Trade Desk, Rubicon Project, OpenX, LogRocket, Inc., and Shape Security were installed on her browser.

Forensic testing allegedly confirmed the website deployed 182 third-party trackers, including 24 cookies, 4 canvas fingerprinting scripts, and 1 session recorder, with data flowing to four major advertising networks.

One of the more striking allegations is that opting out of tracking through the site’s cookie banner did not actually stop the trackers from operating on the user’s device.

The complaint claims trackers deploy immediately upon a user landing on the website, before any privacy choices can be configured, meaning fingerprinting and session recording begin before consent is given or declined.

Even more striking, the complaint alleges that after a user affirmatively opts out, the website continues to run 186 third-party trackers, four more than were active before the opt-out was registered.

The session replay technology, allegedly provided by LogRocket, reportedly captured every mouse movement, cursor location, click, hover event, navigation path, scrolling depth, and even individual keystroke sequences entered into search fields.

The complaint further alleges that four separate canvas fingerprinting scripts were deployed, three through Google Tag Manager and one through Shape Security, capturing font rendering, geometry rendering, and data URL extraction to produce a device-specific graphical signature.

Because fingerprints do not rely on cookies, they allegedly persist even when a user clears their browser data, rendering standard privacy hygiene ineffective against this form of tracking.

Plaintiff has brought five causes of action, including violations of CIPA sections 631(a) and 638.51(a), violations of the federal Wiretap Act under the Electronic Communications Privacy Act, violations of the California Computer Data Access and Fraud Act, invasion of privacy under the California Constitution, and violations of California’s Unfair Competition Law.

The complaint seeks statutory damages of $5,000 per violation under CIPA section 637.2, plus statutory damages under the ECPA of the greater of $100 per day per violation or $10,000, along with restitution, injunctive relief, and attorneys’ fees.

The complaint also argues the behavioral data collected has measurable commercial value, comparing it to focus group participation, which allegedly pays $30 to $500 per session.

Legal analysts note the case highlights a growing gap between what cookie consent banners promise users and what tracking technologies actually do in practice, a gap that courts are increasingly being asked to scrutinise.

The NFL has not yet responded to the complaint, and these remain allegations only, with the outcome of the litigation yet to be determined.