In plaintiff-side class action litigation, there is an open secret that defense counsel understand and corporate defendants often do not: a large percentage of class action complaints are filed by firms whose economic model depends on settling quickly, settling cheaply, and moving on to the next case. These firms apply settlement pressure — they file well-pleaded complaints, survive an initial motion to dismiss, and then leverage the threat of discovery and class certification to extract settlements that are comfortable for both sides. The defendant avoids the uncertainty of trial. The plaintiff firm books its contingency fee and files the next complaint.
This model is not fraudulent or improper. It is simply the economic reality of how contingency-fee class action litigation works for many firms. But it means that many defendants who receive class action complaints — particularly from smaller boutique firms — are not actually facing the risk of going to trial. They are facing the risk of a settlement process, which is a very different and substantially less dangerous thing.
Dovel & Luner breaks this pattern entirely.
The Santa Monica, California-based litigation boutique has an 85 percent trial and arbitration win rate and has resolved over 300 cases through trial or judgment. These are not statistics that a firm achieves by settling cases before they reach a courtroom. They are statistics that a firm achieves by building cases that are fully prepared for trial — with complete technical records, expert witnesses, developed factual narratives, and the institutional willingness to take cases in front of judges and juries.
When Dovel & Luner files a pixel tracking class action against your company, you are not receiving a settlement shakedown. You are receiving a litigation threat from a firm that has genuinely prepared to try the case. That distinction has significant implications for how corporate defendants should assess their exposure, how defense counsel should advise their clients, and — most importantly for compliance professionals — how urgently remediation needs to happen before a complaint arrives.
The Firm: Boutique Scale, Elite Pedigree, Contingency Alignment
The Founders and Institutional Character
Dovel & Luner was founded by Greg Dovel and Sean Luner, both of whom bring litigation backgrounds that distinguish the firm from typical plaintiff boutiques. The firm’s attorneys include lawyers with experience at major defense firms, federal clerkships, and serious trial litigation backgrounds — the kind of institutional preparation that produces litigators capable of developing and trying technically complex cases.
This pedigree matters because it shapes how the firm builds its cases. Lawyers who have done defense work at major firms understand exactly how defense teams will challenge plaintiff evidence — which technical arguments will resonate, which expert witness approaches will be attacked, which factual gaps will be exploited. Building a plaintiff case with that defense perspective embedded in the process produces complaints and evidentiary records that are substantially harder to attack on motion practice and at trial.
The firm operates exclusively on contingency — they receive no payment unless they win or achieve a settlement. This fee structure is common in plaintiff litigation but its implications are often underappreciated by defendants. A firm paid only on success is a firm with a powerful financial incentive to select only cases it genuinely believes it can win, to invest heavily in case development, and to resist low settlement offers that do not reflect the genuine litigation value of the case. Contingency alignment produces a fundamentally different adversary than a firm billing hourly hours regardless of outcome.
The firm is based in Santa Monica — not San Francisco or New York, where much of the major plaintiff privacy litigation bar is concentrated. This geographic positioning reflects a deliberate choice: Dovel & Luner is a California-focused litigation operation, deeply expert in California privacy law (particularly CIPA and California Constitutional privacy), with the local court relationships and jurisdictional expertise that make California federal and state court litigation particularly effective.
What “Trial Ready” Actually Means
The 85 percent trial win rate is the most important single fact about Dovel & Luner that defense teams and compliance professionals need to internalize — but it requires unpacking to understand its full significance.
“Trial ready” does not mean “willing to waste resources on hopeless trials.” It means that the firm’s case development process is oriented toward building the complete evidentiary record, expert foundation, and factual narrative required to win before a judge or jury — rather than merely to survive a motion to dismiss and create settlement pressure.
In pixel tracking cases, this trial readiness manifests in specific ways:
Technical evidence development. Dovel & Luner’s cases are built on detailed, precise technical records demonstrating exactly what data the defendant’s pixels transmitted, exactly when they transmitted it, exactly which users were affected, and exactly what the receiving party (Meta, Google) received and could link to individual identities. This is not a generic description of how pixels work — it is specific, documented, network-traffic-level evidence tied to the specific defendant’s specific configuration.
Expert witness preparation. The technical aspects of pixel tracking cases require expert testimony from computer science and data privacy experts who can explain to courts and juries, in accessible terms, what a tracking pixel does, how the data transmitted can be linked to individuals, and why the defendant’s specific configuration created the privacy violation alleged. Dovel & Luner develops this expert record with the same rigor a major defense firm would apply to building its technical defense.
Damages theory sophistication. One of the most common defense strategies in privacy class actions is attacking the damages theory — arguing that statutory damages are disproportionate to actual harm, that the class is too large to certify, or that individual issues predominate over common ones. Dovel & Luner’s trial orientation requires developing damages theories that can survive these challenges and be presented persuasively to a jury.
Class certification preparation. Class certification — the procedural step that transforms an individual case into a class action and dramatically expands the defendant’s exposure — requires extensive factual and expert support. Dovel & Luner builds its cases with class certification in mind from the beginning, not as an afterthought.
The Primary Legal Theories: Pixel Tracking, Healthcare, and Video Privacy
Meta Pixel Healthcare Tracking: Where HIPAA Meets CIPA
Dovel & Luner’s most consequential and highest-profile litigation focus has been on Meta Pixel deployments on healthcare websites — a category of cases that combines the sensitivity of protected health information, the reach of federal HIPAA regulation, and the damages potential of California’s CIPA wiretapping statute into a litigation profile unlike any other in the privacy space.
The Healthcare Pixel Problem Explained
To understand why Meta Pixel deployments on healthcare websites created such significant litigation exposure, it is necessary to understand both what the Meta Pixel does and what HIPAA requires.
What the Meta Pixel does on a healthcare website:
The Meta Pixel is a JavaScript tracking tag that, when deployed on a website, collects information about user behavior and transmits it to Meta’s advertising infrastructure. The standard data transmitted includes: the URL of the page the user visited (including URL parameters that may identify the medical content being accessed), information about the user’s device and browser, the user’s IP address, and — critically — a unique identifier that can be matched to a Facebook account if the user is simultaneously logged into Facebook.
This last element is what transforms an analytics tool into a HIPAA problem. When a patient logged into Facebook visits a hospital’s “Schedule an Appointment” page, a symptom checker, a medication information page, or a patient portal, the Meta Pixel can transmit data to Meta that includes both the patient’s Facebook-linked identity and the URL or page content indicating the medical context. Meta receives information that can connect a specific person to a specific healthcare interaction.
What HIPAA requires:
HIPAA prohibits covered entities (healthcare providers, health plans, and their business associates) from disclosing protected health information (PHI) without patient authorization, except in limited circumstances. PHI includes any individually identifiable health information — information that relates to an individual’s health condition, healthcare provision, or payment for healthcare and that identifies (or could reasonably be used to identify) the individual.
When a hospital’s Meta Pixel transmits a patient’s Facebook-linked identity alongside URL data indicating that the patient visited a specific medical condition page or appointment scheduling page, it may be transmitting PHI to Meta without HIPAA authorization. Meta, which has not signed a Business Associate Agreement (BAA) with the hospital for this purpose, is receiving PHI it has no right to receive.
The HIPAA violation is only the beginning. Under CIPA Section 631, the same transmission constitutes an unauthorized wiretapping by a third party (Meta) — with statutory damages of $5,000 per violation. For a hospital system with millions of website visitors, the aggregate damages exposure is severe.
The Advocate Aurora Case: National Attention and Lasting Impact
Dovel & Luner’s involvement in litigation against Advocate Aurora Health following the 2022 discovery of its Meta Pixel deployments brought national attention to the healthcare pixel problem and established the firm’s position at the center of this litigation wave.
Advocate Aurora Health is a major Midwestern health system — one of the largest not-for-profit health systems in the United States, operating dozens of hospitals and hundreds of clinics across Illinois and Wisconsin. In 2022, it was discovered that Advocate Aurora had deployed Meta Pixel on its website and patient portal in a manner that may have transmitted protected health information about approximately 3 million patients to Meta without their authorization.
The facts were particularly damaging: the pixel had been deployed on pages where patients scheduled appointments, accessed their medical records, communicated with healthcare providers, and performed sensitive health searches. The information transmitted potentially included the specific medical content the patient was accessing — a level of PHI exposure that went beyond what even sympathetic courts would characterize as incidental or technical.
Advocate Aurora disabled its Meta Pixel implementation after discovering the problem. But in HIPAA compliance and privacy litigation, disabling a non-compliant tracking implementation after the fact does not undo the historical transmission. The class period — the period during which the pixel ran without adequate safeguards — defined the scope of the claim and the size of the class.
What the Advocate Aurora case established beyond its specific facts:
The case contributed directly to the HHS Office for Civil Rights issuing guidance specifically addressing the use of tracking technologies on healthcare websites. OCR’s December 2022 guidance — updated in 2024 — explicitly addressed how tracking pixels on healthcare websites can constitute impermissible disclosures of PHI and what healthcare providers must do to deploy tracking technologies in a HIPAA-compliant manner.
This regulatory guidance, prompted in part by the litigation wave that Dovel & Luner helped drive, has become the compliance standard against which all healthcare website pixel deployments are now evaluated. Every hospital, health system, telehealth provider, and healthcare technology company that operates a consumer-facing website needs to assess its pixel configurations against OCR’s guidance — and against the litigation risk that cases like Advocate Aurora illustrate.
The Business Associate Agreement Problem
A specific and frequently misunderstood aspect of healthcare pixel compliance is the Business Associate Agreement (BAA) requirement. Under HIPAA, when a covered entity shares PHI with a third-party vendor that will use the information on the covered entity’s behalf, that vendor must sign a BAA acknowledging its obligations to protect the information.
Meta has not signed a BAA with healthcare organizations for the purpose of advertising pixel data collection. Google has not signed one for Google Analytics and Ads data in most healthcare contexts. This means that when a hospital’s tracking pixel transmits PHI to Meta or Google, it is doing so without the BAA that HIPAA requires — independently creating a HIPAA violation beyond any analysis of the specific data transmitted.
For healthcare compliance teams, the BAA analysis must be part of any pixel review: not merely “what data does this pixel transmit?” but “has the vendor receiving this data signed a BAA, and if not, can this pixel receive any data from pages with PHI?” In most cases, advertising platform pixels cannot be deployed on healthcare websites with PHI-adjacent content without a BAA — and major advertising platforms have not signed BAAs for advertising purposes.
VPPA: The Pixel-Video-Authentication Triangle
Dovel & Luner’s VPPA practice follows the same technical pattern that Milberg, Pacific Trial Attorneys, Levi & Korskinsky, Zimmerman Reed, and other active VPPA firms pursue — but with the trial-oriented rigor that distinguishes the firm’s approach to all of its litigation.
The Theory and Its Elements
The Video Privacy Protection Act claim in the pixel tracking context requires three elements to coexist on a single web page or user session:
Video content. The VPPA applies to “video tape service providers” — entities that provide prerecorded video material or services for the rental, sale, or delivery of audiovisual materials. Courts have applied this definition to digital content providers whose websites include video as a meaningful component of their offering. A website with a single decorative background video is unlikely to qualify; a content platform with substantive video programming almost certainly does.
Advertising pixel infrastructure. The Meta Pixel or a comparable advertising tag must be deployed on pages with video content or active during video viewing sessions. This is the mechanism through which the VPPA-prohibited disclosure occurs — the pixel transmits user identity data alongside behavioral data that includes the video content being consumed.
Authenticated users. The VPPA’s disclosure prohibition is most clearly triggered when the user whose viewing data is transmitted is identifiable — specifically, when their Facebook account is linked to the identity information the pixel transmits. For this to occur, the user must typically be simultaneously logged into Facebook while watching video on the defendant’s platform. Authenticated users who maintain persistent Facebook login sessions on their devices meet this element even if they do not actively navigate to Facebook during the session.
When all three elements coexist — video content, advertising pixel, authenticated users — the pixel’s transmission of the user’s Facebook ID alongside their viewing data to Meta constitutes a disclosure of personally identifiable information in connection with video materials under the VPPA.
Dovel & Luner’s VPPA Case Development
What distinguishes Dovel & Luner’s VPPA cases from many competitors is the depth of technical documentation at the complaint stage. Rather than describing how pixels generally work and alleging that the defendant’s configuration fits the theory, the firm’s complaints typically include specific, documented evidence of the exact pixel behavior at issue — the specific data transmitted, the specific pages on which transmission occurred, the specific mechanism by which user identity is linked to viewing data.
This front-loaded technical evidence is a function of the firm’s trial-oriented case development process. Defendants who receive a Dovel & Luner VPPA complaint and attempt to defeat it on the grounds of insufficient factual pleading face a significantly harder challenge than defendants who receive a more generically-pleaded complaint.
Google Pixel and Analytics: Beyond Meta
While much of the healthcare pixel litigation spotlight has focused on Meta Pixel, Dovel & Luner has also pursued cases involving Google Analytics and Google Ads tags on healthcare and sensitive-content websites. This targeting reflects an important compliance reality that many organizations miss: the healthcare pixel problem is not uniquely a Meta problem.
Google Analytics, Google Ads conversion tracking, and Google Tag Manager deployments can transmit sensitive user behavioral data — including URL paths indicating medical content, search queries on health topics, and interaction data on appointment or symptom pages — to Google’s infrastructure. If that data can be linked to individual user identity (through Google account logins, which are persistent across Android devices and Chrome browsers for logged-in users), the same HIPAA and CIPA concerns that apply to Meta Pixel apply with equal force.
For compliance teams, this means that a healthcare pixel audit must examine all advertising and analytics tags — not merely the Meta Pixel. A hospital that removes Meta Pixel from its patient-facing pages but retains Google Analytics without an adequate consent mechanism has not resolved its tracking compliance exposure.
The Technical Evidence That Wins and Loses These Cases
Understanding exactly how Dovel & Luner builds and uses technical evidence is essential for compliance teams trying to assess and reduce their exposure.
Network Traffic Capture as Foundational Evidence
The foundation of every pixel tracking case is captured network traffic — the actual data packets transmitted from a user’s browser to pixel vendor servers during a session on the defendant’s website. This evidence is collected through browser developer tools, network monitoring software, and sometimes purpose-built testing infrastructure.
Network traffic capture reveals:
Exactly what data was transmitted. Not an inference about what pixels generally transmit, but the actual content of specific transmissions: the specific URL visited, the specific Facebook IDs or other identifiers included in the transmission, the specific event parameters fired, and the specific server endpoints receiving the data.
The timing relationship between user actions and transmissions. Whether the pixel fires on page load (before any user consent), on specific user interactions (appointment scheduling button clicks, form submissions), or in response to URL changes that indicate navigation between health-related pages. Timing evidence is crucial for establishing that the pixel captured data the user did not intend to share.
The absence of consent gating. Whether the pixel fires regardless of cookie consent status — confirming that the defendant’s consent mechanism, if any, did not actually prevent the transmission.
This network traffic evidence is factually difficult to dispute. Defendants cannot argue that the pixel did not transmit the data when the network capture shows exactly what it transmitted. What they can argue — and do argue — is the legal significance of that transmission: whether the data constituted PHI, whether it was individually identifiable, whether the user consented to the transmission through general website terms of service.
The PHI Identifiability Argument
One of the most significant and contested legal questions in healthcare pixel litigation is whether the data transmitted by a tracking pixel constitutes “individually identifiable” health information — which is required for a HIPAA violation — or merely non-identifiable behavioral data that happens to be collected on a healthcare website.
Defense teams frequently argue that a URL transmitted by a pixel — even a URL indicating a specific medical condition page — does not constitute individually identifiable health information because the pixel vendor (Meta or Google) receives only the URL, not the patient’s medical records or explicit health information. The URL “hospital.com/conditions/diabetes” transmitted alongside a pseudonymous device identifier does not, the defense argues, reveal a specific person’s health condition — it merely reveals that someone with a particular device identifier visited a page about diabetes.
Dovel & Luner’s technical evidence development is designed specifically to defeat this argument by establishing the re-identifiability of the transmitted data. If Meta or Google can link the pseudonymous device identifier to a real Facebook account or Google account — which they can, for logged-in users — then the URL plus the identifier equals individually identifiable health information. The technical evidence of how advertising platforms link device identifiers to real accounts is the factual foundation for defeating the non-identifiability defense.
The “Off-Facebook Activity” Evidence
Meta’s “Off-Facebook Activity” tool — which allows Facebook users to see and disconnect data that websites have sent to Meta about their browsing behavior — has become an unexpected source of evidence in healthcare pixel cases. The tool demonstrates, in Facebook’s own interface, that specific websites transmitted user behavioral data to Meta, and it allows users to see what data was transmitted.
Dovel & Luner and other plaintiff firms have used Off-Facebook Activity records as evidence confirming that the defendant’s pixel transmitted data to Meta about specific healthcare website visits. This self-authenticating evidence — produced by Facebook’s own systems — is difficult for defendants to challenge and powerfully illustrates the mechanism by which patient health information reached Meta’s advertising infrastructure.
The Regulatory Ecosystem That Amplifies Dovel & Luner’s Cases
HHS OCR Enforcement and Guidance
As noted in the Advocate Aurora context, the healthcare pixel litigation wave directly influenced HHS Office for Civil Rights regulatory guidance. OCR’s December 2022 bulletin on tracking technologies, updated in March 2024, explicitly states that regulated entities using tracking technologies on their websites and mobile applications must ensure that such use does not result in impermissible disclosures of PHI to tracking technology vendors.
OCR’s guidance covers:
- Authenticated user pages (patient portals, appointment scheduling systems) — where any tracking pixel that can link user identity to page content is presumptively transmitting PHI
- Unauthenticated user pages — where pixels may still transmit PHI if the page content reveals health conditions combined with IP addresses or other identifiers
- Mobile health applications — where third-party SDKs raise the same issues in the mobile context that pixels raise on websites
- Business Associate Agreement requirements — explicitly confirming that tracking technology vendors that receive PHI must sign BAAs
OCR has also initiated enforcement actions against healthcare organizations for pixel-related PHI disclosures — creating regulatory liability that compounds private litigation exposure. A healthcare organization defending a Dovel & Luner class action while simultaneously managing an OCR investigation faces the same compounding institutional pressure we see across the privacy litigation landscape.
State Attorney General Activity
California, New York, and other state attorneys general have been increasingly active in addressing healthcare pixel compliance — issuing guidance, sending inquiry letters to healthcare organizations, and in some cases initiating formal investigations. This regulatory activity parallels and reinforces private litigation, creating a compliance environment in which the cost of non-compliance extends well beyond individual class action settlements.
The FTC’s Health Data Enforcement Focus
The Federal Trade Commission has made health data privacy a specific enforcement priority, pursuing actions against companies that shared health-related information with advertising platforms without adequate disclosure or consent. The FTC’s enforcement framework — which focuses on deceptive and unfair practices rather than HIPAA’s covered entity structure — applies to health information businesses that are not HIPAA covered entities, expanding the regulatory universe beyond the healthcare provider context.
Understanding Dovel & Luner’s Competitive Position Among Privacy Plaintiff Firms
Trial Capability as a Differentiator
The 85 percent trial win rate distinguishes Dovel & Luner from virtually every other plaintiff privacy boutique. To understand why this matters for defendants, consider the typical plaintiff firm’s settlement incentive structure.
A plaintiff firm with five active class actions has a powerful economic incentive to settle all five for modest amounts rather than try any of them. A trial requires months of attorney time — time not spent filing new cases or developing the next settlement. If the firm loses at trial, it receives nothing for all of that invested time. The economic calculus almost always favors settlement, often at amounts that understate the genuine litigation value of the case.
Dovel & Luner’s economics are different. A firm with an 85 percent trial win rate has demonstrated — through actual courtroom results — that its trial investment generates returns. That track record allows the firm to credibly threaten trial in ways that most plaintiff boutiques cannot. Defendants who refuse to settle for what Dovel & Luner considers fair value face an adversary that will actually try the case — and that wins when it does.
This dynamic shifts settlement negotiations fundamentally. The defendant cannot assume that an aggressive negotiating posture will ultimately result in a modest settlement driven by the plaintiff firm’s economic need to book a recovery. It may result in a trial where the defendant faces the full litigation value of the case, before a jury, argued by lawyers with proven trial capability.
How Dovel & Luner Compares to Other Pixel Tracking Firms
Versus Milberg Coleman Bryson Phillips Grossman: Milberg has broader industry coverage and more simultaneous docket capacity, but operates primarily as a settlement-focused operation at scale. Dovel & Luner’s trial orientation makes it more dangerous in individual cases even if Milberg files higher volumes.
Versus Lieff Cabraser Heimann & Bernstein: Lieff Cabraser operates at comparable or higher precedent-setting ambition with larger firm resources. The firms may occasionally pursue the same defendants or the same legal theories; Lieff Cabraser’s national and international reach exceeds Dovel & Luner’s more California-focused practice.
Versus healthcare-specialized plaintiff firms: Several smaller plaintiff boutiques focus specifically on HIPAA and healthcare privacy litigation. Dovel & Luner brings to that space the trial capability and technical sophistication that most healthcare-focused plaintiff boutiques lack.
The practical implication: A company that receives a class action complaint from Dovel & Luner should not evaluate it on the assumption that the firm will accept an early, modest settlement. It should evaluate it as a case the firm intends to litigate fully — which means the genuine settlement value of the case, if any, reflects the firm’s credible trial threat.
The Compliance Priorities That Reduce Dovel & Luner’s Targeting Profile
Healthcare Pixel Compliance: A Non-Negotiable Priority
For any healthcare organization — hospital, health system, telehealth provider, healthcare technology company, health insurer, pharmacy benefit manager, or any company whose website handles health-related user data — the healthcare pixel compliance audit is an immediate, urgent priority that cannot be deferred.
Complete pixel inventory on all patient-facing properties. Every third-party tag, pixel, analytics tool, and advertising technology deployed on any website page that could be accessed by patients or visitors researching health topics must be documented. This includes not just Meta Pixel and Google Analytics but every tool running through Google Tag Manager or any other tag management system — because tags can be added, updated, or inadvertently re-enabled through tag management systems without legal review.
Page-by-page sensitivity classification. Classify every page on your website by its sensitivity from a PHI perspective. The classification should consider: whether the page is in a patient-authenticated environment (portal, scheduling system, account management); whether the page’s URL or content indicates a specific health condition; whether the page facilitates a healthcare transaction (appointment scheduling, prescription refill, lab results access); and whether the page collects any health-related form input.
Per-page pixel configuration audit. For each page category, audit which pixels fire and whether they fire before or after user consent. On any page that qualifies as PHI-adjacent — pages where authenticated users access health-specific content — advertising pixels from platforms that have not signed BAAs should not fire at all, regardless of consent status. Consent is not a substitute for the BAA requirement in the healthcare context.
BAA analysis for all analytics vendors. Review whether each analytics or advertising vendor receiving data from your healthcare website has signed a BAA for the specific purpose of receiving that data. If not, assess whether the data you are transmitting includes PHI. If it does, you must either obtain a BAA, reconfigure your tags to exclude PHI, or cease using the vendor on PHI-adjacent pages.
Documentation of all remediation steps. Document everything: when the audit was conducted, what was found, what changes were made, when those changes were implemented, who approved them, and how compliance is being maintained on an ongoing basis. This documentation is your litigation defense if historical pixel activity is ever challenged.
VPPA Compliance for Content Platforms
For any company that publishes video content and operates advertising pixel infrastructure:
Map video pages to pixel deployments. Identify every page or application state in which video content is presented to users. For each of those pages, document which advertising pixels are active during video playback.
Assess authentication status of video audiences. Evaluate whether users watching video content on your platform are likely to be simultaneously authenticated to Facebook or Google accounts. If your platform requires user accounts (subscription services, authenticated content portals), the authentication-pixel-video triangle is almost certainly present.
Implement specific video viewing consent. The VPPA requires specific consent for the disclosure of video viewing records to third parties. General website terms of service acceptance is not sufficient. Implement a specific, affirmative consent mechanism for advertising pixel tracking during video viewing — ideally at the account creation or subscription sign-up stage, in clear, specific language.
Separate advertising pixels from video delivery infrastructure. Consider whether advertising pixels can be excluded from pages or application states where video content plays, with analytics needs met through first-party measurement infrastructure that does not transmit user identity data to third parties.
Frequently Asked Questions About Dovel & Luner Pixel Tracking Litigation
What does Dovel & Luner’s 85 percent trial win rate actually mean for defendants?
It means the firm is not bluffing when it indicates willingness to try a case. Most plaintiff class action firms settle because their economics require it — they cannot sustain the resource investment of trial without the certainty of settlement revenue. Dovel & Luner has demonstrated through actual trial outcomes that it delivers better results by trying cases than by settling them early. Defendants who treat Dovel & Luner like a settlement-focused boutique are significantly miscalibrating their risk.
Is Meta Pixel liability limited to HIPAA-covered entities?
No. HIPAA applies only to covered entities and their business associates — healthcare providers, health plans, and healthcare clearinghouses. But CIPA, the California Constitutional right to privacy, ECPA, and other applicable frameworks apply to any company that deploys tracking pixels that intercept user communications. Non-HIPAA companies that deploy pixels on pages with sensitive health-related content face CIPA and related liability even without HIPAA coverage.
Can a consent banner resolve healthcare pixel liability?
Partially and incompletely. A consent banner that gates advertising pixels behind user consent addresses the CIPA wiretapping dimension of the claim — a user who consents to advertising tracking has arguably consented to the interception that CIPA requires consent for. However, consent does not resolve the HIPAA BAA problem. Even a consenting patient cannot waive the hospital’s obligation to have a BAA with the vendors receiving their PHI. On PHI-adjacent pages, advertising pixels from platforms without BAAs should not be deployed regardless of user consent status.
How long is the typical class period in a healthcare pixel case?
The class period typically runs from the date the pixel was first deployed (or the beginning of the applicable limitations period, whichever is later) through the date the defendant removed or adequately remediated the pixel. Many healthcare organizations deployed Meta Pixel years before the 2022 litigation wave — meaning class periods of three, four, or five years are common. The length of the class period directly multiplies the number of affected patients and the aggregate damages exposure.
What is the first thing a healthcare organization should do after receiving a Dovel & Luner complaint?
Retain experienced HIPAA and privacy litigation counsel immediately. Preserve all documentation related to pixel deployments, including when pixels were added, what configurations were used, what data they transmitted, and what remediation steps, if any, were taken. Do not make additional changes to pixel configurations without legal guidance, as changes after a complaint is filed may be characterized as spoliation or evidence of liability consciousness. Begin the factual investigation into the specific pixel deployments alleged in the complaint.
Conclusion: The Firm That Makes the Threat Real
Most of the plaintiff firms that file privacy class actions represent known, manageable risks. You receive a complaint, your defense counsel assesses the settlement value, you negotiate, you settle. The process is expensive and uncomfortable but it is predictable.
Dovel & Luner makes the threat real in a way that most plaintiff boutiques do not. The 85 percent trial win rate is not marketing language — it is the documented output of a litigation approach built around the genuine intention and genuine capability to go to trial. When this firm files a pixel tracking case against a healthcare provider, content platform, or any other business with advertising pixel exposure, the defendant is not facing a settlement process with a known outcome. It is facing a trial-ready adversary with technical depth, healthcare privacy expertise, and a track record that demands to be taken seriously from day one.
For compliance professionals, the practical implication is urgent: healthcare pixel remediation is not a deferred compliance project. VPPA exposure on video platforms is not a low-priority risk to address eventually. These are live, immediate vulnerabilities that firms like Dovel & Luner are actively investigating and systematically pursuing.
The businesses that have done the compliance work — that have audited their pixels, implemented consent gating, documented their BAA coverage, and addressed their video-advertising-authentication exposure — are not just better positioned legally. They are not interesting targets. And in the landscape that Dovel & Luner operates in, not being an interesting target is the most valuable privacy compliance outcome of all.
