You may have seen this ad and yet another warning about the rise in privacy lawsuits and by using Captain Compliance’s software your company can protect against these claims as we ensure your consent banners are integrated and setup correctly along with using our data subject rights tools to comply with the California DROP Act.

The ad states: Attorneys suspect that Crate & Barel may have installed tracking software on its website to transmit consumers’ personal data to tech compnaies, including Google and Meta, without consent, potentially violating California privacy laws. Affected shoppers, who could be owed $100s, are now being gathered to take legal action against Crate & Barrel via mass arbitration. Find out how to sign up today.

Our privacy litigation watch series continues as Crate & Barrel hit with privacy claims over website tracking

THE SHORT VERSION

Crate & Barrel is the latest major retailer accused of violating California privacy laws by allegedly sharing customer data with Meta, Google, Microsoft and Pinterest through website tracking technologies — without proper consent. The matter is being pursued as mass arbitration by Bryson, Harris, Suciu & DeMay PLLC, a firm increasingly active in pixel, chatbot and session-replay privacy disputes. For any brand running a consumer website, the message is unmistakable: if your consent platform is not deployed, configured, and auditable, you are a target. We have covered how Cargurus recently settled a case that cost them over $400,000 and how Morgan & Morgan has entered the space going after the Athletic and Questrade being sued for non-working banners and the list goes on and on and on…

Get a free privacy audit and see if your website is in violation and at risk of being sued for a privacy violation 

What Just Happened to Crate & Barrel

Another household retail name has landed in the privacy crosshairs. Attorneys working with ClassAction.org and the law firm Bryson, Harris, Suciu & DeMay PLLC are now recruiting California consumers for a mass arbitration against Crate & Barrel, alleging the furniture and housewares retailer installed tracking technology on CrateandBarrel.com that transmitted shoppers’ personal information to Meta, Google, Microsoft and Pinterest without legally sufficient consent.

According to the sign-up campaign, the potentially shared data includes IP addresses, device identifiers, geolocation information and URL-level browsing activity — in other words, a detailed digital fingerprint of what users were looking at, where they were, and what device they used. The recruitment targets any California resident, 18 or older, who in the last two years made a purchase on or held an account with CrateandBarrel.com while simultaneously having a Facebook, Google, Pinterest or Bing account.

Consumers who join the campaign pay nothing upfront. The firm works on contingency and, per the marketing materials, individual recoveries could reach hundreds or even thousands of dollars per claimant. When those numbers are multiplied across potentially tens of thousands of California shoppers, the exposure to Crate & Barrel is meaningful — and so is the signal it sends to every other direct-to-consumer retailer.

“Attorneys believe Crate & Barrel may have installed tracking technology on its website to transmit consumers’ personal data to big tech companies — such as Microsoft, Meta, Google and Pinterest — without consent.”

Put simply: this isn’t a niche claim. It is the same playbook now being run against dozens of retailers across apparel, beauty, home goods, travel, and digital media.

Why This Is Mass Arbitration, Not a Class Action

Crate & Barrel’s terms of use — like those of most modern e-commerce sites — require customers to resolve disputes through arbitration and waive their right to join a class action. For years, defense lawyers treated those clauses as a shield. Plaintiffs’ firms have turned them into a sword.

In mass arbitration, hundreds or thousands of individual arbitration demands are filed against the same company at the same time, over the same underlying issue. Each demand triggers filing fees, administrative fees, and arbitrator fees that the company typically must pay. The cumulative cost can reach seven or eight figures before a single claim is decided on the merits, creating enormous pressure to settle.

That is precisely the pressure point Bryson, Harris, Suciu & DeMay is positioned to apply here.

About the Firm: Bryson, Harris, Suciu & DeMay PLLC

Bryson, Harris, Suciu & DeMay PLLC (often referenced in filings and marketing as BHSD) has emerged as a notable plaintiffs’ firm in the modern wave of consumer-privacy litigation. The firm profiles itself as a champion of client rights across data privacy, unfair fees, defective products, workplace violations and other consumer-protection matters.

Where BHSD is particularly active — and where compliance teams should pay close attention — is the intersection of older wiretap-style statutes and modern web technology. The California Invasion of Privacy Act (CIPA), the Video Privacy Protection Act (VPPA), Pennsylvania’s Wiretap Act (WESCA), and analogous state laws are being deployed against:

• Meta Pixel, Google Analytics, Microsoft Clarity and Pinterest Tag deployments on checkout and account pages.
• Session replay tools (FullStory, Hotjar, Quantum Metric, LogRocket and others) that capture mouse movement, form inputs and scrolling behavior.
• Live chat and AI chatbot widgets that transcribe conversations and route them to third-party processors.
• Video players that transmit viewing history to advertising networks.

Crate & Barrel joins a growing roster of consumer-facing brands answering these kinds of allegations. The common denominator is almost always the same: tracking technology fired before a user had a meaningful opportunity to consent, or consent UIs that didn’t actually block the tags they claimed to block.

This Is Not an Isolated Lawsuit — It’s a Trend

Over the last 24 months, privacy filings against consumer websites have accelerated into what practitioners now openly call an industrial complex of pixel and session-replay litigation. A few data points make the scale clear:

• Thousands of CIPA demand letters and complaints have been filed in California against companies running standard adtech on their sites.
• Mass-arbitration campaigns are being openly marketed on Facebook, Instagram, TikTok and Google — the Crate & Barrel campaign itself is running on paid social.
• Retailers, streaming services, telehealth providers, insurers and even non-profits have all been swept in.
• State regulators — the California Privacy Protection Agency, the Texas Attorney General, the Colorado AG — are running parallel enforcement on many of the same issues.

The legal theories keep multiplying. CIPA Section 631 (wiretapping). CIPA Section 638.51 (pen register / trap-and-trace, now being applied to cookies). VPPA. Common-law intrusion upon seclusion. State consumer-protection statutes. Each one gives plaintiffs another angle on the same underlying conduct: unconsented sharing of browsing data with third parties.

For in-house counsel and privacy officers, the practical takeaway is brutal and simple. If your site fires advertising or analytics tags before consent, someone is already screenshotting your network tab.

Why Consent Keeps Failing in the Wild

The overwhelming majority of the retailers now being sued are not consciously disregarding privacy law. They have cookie banners. They have privacy policies. Many have a consent management platform (CMP) installed. So why do they keep ending up on complaint captions?

1. The banner is cosmetic.

A banner that displays a Reject All button but still fires Meta Pixel, Google Ads and TikTok tags on page load is not a consent tool — it is a liability generator. Tag Manager containers, hardcoded scripts, and server-side pixels often bypass the CMP entirely.

2. Server-side and CAPI integrations are unmonitored.

Conversions API, Enhanced Conversions, and similar server-to-server feeds send data directly from your backend to Meta or Google. They don’t appear in the browser’s network tab, but they still require consent — and in most of the active lawsuits, plaintiffs are obtaining that data in discovery.

3. Consent signals aren’t wired into Google Consent Mode or Meta’s LDU.

Even when the CMP collects consent correctly, teams frequently fail to pass the signal downstream. Google Consent Mode v2 must be configured and tested. Meta’s Limited Data Use flag must be set for California users. Pinterest and Microsoft have their own opt-out parameters. One missed integration is enough to support a claim.

4. Pre-consent leakage on landing and checkout pages.

The highest-risk pages — product detail, cart, checkout, and account creation — are the pages attorneys audit first. Many of the tracking tags on these pages are inserted by marketing teams, A/B testing tools, or third-party apps without security review.

5. No evidence, no defense.

When a demand arrives, the company needs to prove — with logs — what the user saw, what choice they made, when they made it, and what tags fired as a result. Most organizations can’t produce that record.

What a Properly Working Consent Platform Actually Does

A consent management platform is not a banner. It is a control plane. When it is deployed correctly, it enforces, records and proves consent — and it is the single most important technical defense against the wave of litigation Crate & Barrel is now facing.

At a minimum, a working consent platform must do the following:

• Block by default. No advertising, marketing or analytics tag — including server-side pixels — should fire for an identifiable California, Colorado, Connecticut, Virginia or Utah user until a lawful basis exists. Opt-in where required, opt-out where permitted, and honor Global Privacy Control signals automatically.
• Govern tags at the source. Integrate with Google Tag Manager, Tealium, Segment and raw script includes so the CMP actually controls what loads — not just what appears in the banner UI.
• Propagate consent server-side. Pass consent signals to Meta CAPI, Google Enhanced Conversions, TikTok Events API, Pinterest Conversions API, and your own backend. Pre-consent data must not leave the boundary.
• Maintain an immutable audit log. For every visitor: timestamp, jurisdiction, banner version shown, choice made, and the resulting tag state. This is what you hand to outside counsel the day a demand arrives.
• Respect authenticated preferences. A logged-in customer’s saved preferences must carry across sessions, devices and subdomains — not reset with every new cookie.
• Support DSAR and deletion workflows. Consent is one pillar; access, correction, deletion and opt-out of sale/sharing are the rest. The same platform should handle them end-to-end.
• Get audited. A scan on deployment day is not enough. Tags change every sprint. Continuous scanning across checkout, account, and landing flows is table stakes.

What Retailers Should Do This Quarter

If you run a U.S.-facing e-commerce site, treat the Crate & Barrel campaign as a fire drill. The specific steps below are what Captain Compliance recommends clients tackle first:

• Run a privacy scan across checkout, cart, account creation and post-purchase pages. Compare the outbound requests against your consent state.
• Inventory every server-side integration: Meta CAPI, Google Enhanced Conversions, TikTok Events, Pinterest, LiveRamp, and any data clean room feed.
• Verify Google Consent Mode v2 is live and that signals are flowing, not just declared.
• Enable Meta’s Limited Data Use for California, Connecticut, Colorado, Virginia and any other state your legal team flags.
• Honor Global Privacy Control automatically for California and Colorado visitors.
• Capture and retain consent logs for at least the statute-of-limitations window (in California, effectively up to four years for CIPA claims).
• Stress-test your cookie banner: if a user clicks Reject All, prove — in logs — that no non-essential tags fired.
• Align marketing, engineering and legal on a tag-change approval process. Most leaks begin with a well-meaning marketer adding a pixel to Tag Manager on a Friday afternoon.

The Bottom Line

Crate & Barrel is a household brand. The attorneys pursuing it — Bryson, Harris, Suciu & DeMay PLLC — are not experimenting; they are running a proven mass-arbitration playbook that has already extracted settlements from multiple peer retailers. The statutory structure, the funding model, the paid-social recruitment, and the plaintiff appetite are all aligned.

The companies that avoid becoming the next name in a campaign like this will not be the ones with the prettiest cookie banner. They will be the ones whose consent management platform actually blocks tags, actually passes consent signals server-side, actually logs every decision, and actually produces a defensible record on demand.

If you’re not sure whether yours does — it probably doesn’t. And the plaintiffs’ bar is watching.

Need to validate your consent stack before you become a case caption?  Captain Compliance helps retail, media and SaaS teams deploy audit-ready consent management, server-side consent signaling, and continuous tag scanning across their domains to protect against privacy litigation.

Reference material: ClassAction.org — Crate & Barrel sign-up page  ·  Bryson, Harris, Suciu & DeMay PLLC is identified in the campaign as the sponsoring law firm.