European Wax Center Settles Privacy Lawsuit: What the $1.5 Million Deal Means for Consumer Data Rights

European Wax Center, one of the United States’ largest franchised waxing salon chains, has agreed to a significant privacy settlement following allegations that the company collected, stored, and shared customer personal data without adequate notice or consent. The settlement, valued at approximately $1.5 million, sends a clear signal to service-sector businesses across the country: privacy compliance is not optional, and the cost of ignoring it can be steep.

The lawsuit, filed in California federal court, accused European Wax Center of violating the California Consumer Privacy Act (CCPA) and related state privacy statutes by failing to properly disclose how it collected personal information from customers — including names, contact details, purchase history, and health-related preferences tied to waxing services — and by sharing that data with third-party marketing partners without providing consumers a meaningful opportunity to opt out. For a business that prides itself on delivering intimate, trust-based services, the allegations hit particularly hard.

The Allegations in Detail

Plaintiffs in the class action alleged that European Wax Center’s mobile app and website deployed third-party tracking technologies — including pixels and session replay tools — that captured sensitive behavioral and personal data from users without their knowledge. These technologies, which send data to advertising networks and analytics platforms, allegedly operated in the background without clear consent notices or functional opt-out mechanisms.

The complaint also alleged that European Wax Center’s privacy policy failed to meet the transparency requirements established under the California Consumer Privacy Act, which requires businesses to clearly disclose the categories of personal information they collect, the purposes for which it is used, and the third parties with whom it is shared. Critics of the company’s practices argued that its disclosures were buried in dense legalese and did not reflect the actual scope of data collection occurring on its digital platforms.

Additionally, the plaintiffs raised concerns about the company’s handling of health-adjacent data. Because waxing services inherently involve disclosures about body hair, skin conditions, and sometimes medical circumstances, the information collected by European Wax Center arguably touched on health and wellness data — a category that regulators increasingly treat with heightened scrutiny. The intersection of consumer health data and digital tracking has become a growing flashpoint in privacy litigation, particularly in California and Illinois.

The Settlement Terms

Under the terms of the settlement, European Wax Center agreed to pay approximately $1.5 million into a class fund, which will be distributed to eligible class members — primarily California consumers who used the company’s app or website during the relevant period. In addition to the monetary relief, European Wax Center committed to a series of injunctive measures designed to bring its data practices into closer alignment with applicable privacy laws.

These operational changes include revising its privacy policy to more accurately describe data collection and sharing practices, auditing and updating its cookie and tracking consent mechanisms, and restricting the use of certain third-party advertising technologies that were alleged to have operated without proper consumer consent. The company did not admit wrongdoing as part of the settlement, which is standard in class action resolutions of this type.

The settlement also requires European Wax Center to implement enhanced internal training for staff responsible for managing digital marketing and data operations, and to conduct periodic reviews of its privacy compliance posture for a defined period following the settlement’s effective date. These structural commitments are increasingly common in privacy settlements, as regulators and courts recognize that one-time payouts without lasting operational change often fail to meaningfully protect consumers.

Why This Case Matters Beyond the Dollar Amount

At first glance, a $1.5 million settlement might seem modest compared to the nine-figure penalties levied against tech giants like Google or Meta. But the European Wax Center case carries outsized significance for several reasons.

First, it demonstrates that CCPA enforcement is expanding beyond traditional data breaches into the realm of everyday digital tracking practices. Companies no longer need to suffer a catastrophic data leak to face class action exposure — simply deploying analytics tools or advertising pixels without proper notice and consent architecture is now sufficient to trigger liability. This is a fundamental shift in how courts and plaintiffs’ attorneys are interpreting the law.

Second, the case highlights the particular vulnerability of consumer-facing service businesses that operate in the health and wellness space. European Wax Center is not a technology company, yet its use of digital marketing tools exposed it to the same legal risks faced by Silicon Valley giants. Any business that collects personal data through a website or app — regardless of its industry — must treat its privacy policy and consent architecture as critical legal infrastructure, not an afterthought.

Third, the settlement reinforces the growing importance of the CCPA’s opt-out and disclosure requirements in the context of third-party data sharing. Many companies mistakenly believe that sharing data with advertising networks through passive means — such as allowing a Meta Pixel or Google Analytics tag to fire on their website — does not constitute a “sale” of personal information under the CCPA. Courts and regulators have increasingly rejected that interpretation, and the European Wax Center case adds to a body of precedent suggesting that businesses need to take a hard look at their ad tech stack.

The Illinois BIPA Dimension

While the primary claims in the European Wax Center litigation arose under California law, the case also touched on concerns relevant to Illinois’ Biometric Information Privacy Act (BIPA) — one of the most powerful and frequently litigated privacy statutes in the United States. BIPA imposes strict requirements on businesses that collect, store, or use biometric identifiers, and its private right of action has made it a favorite tool for class action plaintiffs.

For a salon chain that may use fingerprint-based point-of-sale systems or digital check-in technology in its Illinois locations, BIPA compliance remains a critical concern. The 7th Circuit Court of Appeals recently addressed the question of how damages caps apply retroactively under BIPA, providing some relief to businesses facing pending lawsuits — but the fundamental obligations under the statute remain unchanged. Companies operating in Illinois must obtain written consent before collecting biometric data and must maintain a publicly available retention and destruction schedule.

The European Wax Center case, even where it did not directly trigger BIPA claims, serves as a reminder that wellness and beauty service providers are operating in a legal environment where the hidden costs of inadequate data practices can quickly escalate. Wegmans and other large consumer-facing chains have learned this lesson expensively, and the waxing industry is now navigating the same terrain.

A Pattern of Pixel-Based Privacy Litigation

The European Wax Center settlement is one piece of a much larger litigation wave targeting businesses that deploy tracking pixels and session replay technologies on consumer-facing websites. Federal courts across the country have seen a surge in pixel-based privacy lawsuits targeting everything from healthcare portals to retail e-commerce platforms, with plaintiffs arguing that these tools violate wiretapping statutes, the CCPA, and the Video Privacy Protection Act.

The common thread running through these cases is the question of whether companies have obtained meaningful, informed consent before allowing third-party technologies to intercept and transmit user communications and behavioral data. The standard legal answer — a buried cookie consent banner that defaults to acceptance — is no longer sufficient in the eyes of many courts. Businesses need robust consent management infrastructure that actually informs users, gives them genuine choices, and respects those choices across all digital touchpoints.

For companies that have relied on boilerplate privacy policies and passive opt-in mechanisms, the European Wax Center settlement is a warning shot. The plaintiffs’ bar has developed sophisticated playbooks for identifying businesses with vulnerable data practices, and service-sector companies that collect personal information through digital channels are increasingly in the crosshairs.

What Businesses Should Take Away From This Settlement

The lessons from the European Wax Center settlement extend well beyond the beauty and wellness industry. Any business that operates a consumer-facing website or app, collects customer data, and works with third-party marketing partners needs to conduct an honest assessment of its current privacy practices against the following benchmarks.

Privacy notices must reflect reality. The gap between what a company’s privacy policy says and what its technology actually does is the single most common source of CCPA liability. If your ad tech stack shares data with dozens of third parties, your privacy policy needs to say so explicitly, in plain language. A CCPA-compliant privacy policy is not a one-time document — it requires ongoing maintenance as your technology stack and business relationships evolve.

Consent must be genuine and granular. The era of passive consent — where continued website use is treated as agreement to any and all data collection — is coming to a close. Businesses need to implement clear and affirmative consent mechanisms that distinguish between essential data processing and optional tracking for marketing purposes. Users must be able to say no to the latter without losing access to the core service.

Third-party vendor relationships require scrutiny. Many businesses are surprised to discover the full extent of data sharing that occurs through their marketing and analytics tools. A thorough data mapping exercise can reveal previously unknown data flows that create legal exposure. Understanding where data goes — and getting contractual commitments from vendors about how they handle it — is an essential component of CCPA compliance.

Health and wellness data deserves extra care. Any business that collects information touching on health status, medical conditions, or body-related preferences faces heightened scrutiny under both existing privacy laws and emerging state health data privacy frameworks. The Washington My Health My Data Act and similar state-level statutes are expanding the definition of “consumer health data” in ways that could sweep in information routinely collected by spas, gyms, and wellness providers.

The Broader Enforcement Landscape

The European Wax Center settlement arrives at a moment of intensifying privacy enforcement across the United States. The California Privacy Protection Agency has signaled aggressive enforcement intentions for 2026, and the new CCPA regulations taking effect this year introduce additional requirements around automated decision-making, sensitive personal information, and data minimization that will affect a broad swath of consumer-facing businesses.

At the same time, state attorneys general from Texas to Illinois are ramping up privacy investigations targeting companies that collect and monetize consumer data without adequate transparency. The Federal Trade Commission continues to pursue enforcement actions under its unfair and deceptive practices authority, particularly against companies that collect sensitive health and behavioral data and share it with data brokers or advertisers without meaningful consumer notice.

For businesses that have not yet undertaken a comprehensive privacy compliance review, the European Wax Center case provides compelling motivation to act. The cost of proactive compliance — updating privacy notices, implementing proper consent management, mapping data flows, and training staff — is a fraction of the cost of defending and settling a class action lawsuit. Documenting your compliance efforts also provides critical protection if litigation does arise, demonstrating good faith and reasonable care.

The message from the European Wax Center settlement is simple: in an era of aggressive privacy enforcement and an active plaintiffs’ bar, businesses that treat data privacy as a compliance checkbox rather than a genuine operational commitment are taking on significant legal and reputational risk. The time to close that gap is before the lawsuit lands — not after.
