California resident Nathaniel Bee filed a lawsuit this week alleging that the ATP Tour’s website used third-party tracking technology that captured, without user consent, details on how visitors interacted with the site, including what content they viewed, how they navigated the website, and what type of device they used, in violation of the California Invasion of Privacy Act. According to the complaint, that information was transmitted to third parties, including Google and Comscore Inc., and was used for targeted advertising and analytics.

The lawsuit centers on what users were told and what the website allegedly did anyway. The plaintiff alleges that users first visiting the ATP Tour website are presented with two options: accept “essential cookies only” or accept “cookies.” The plaintiff argues that the “essential cookies only” option gives visitors the impression that they can opt out of tracking that shares information with “social media, advertising and analytics partners.” However, even after a user selects “essential cookies only,” the ATP Tour allegedly continued transmitting non-essential information that could be used for targeted advertising. The complaint states that “even when users attempted to limit tracking by rejecting nonessential cookies, ATP Tour failed to prevent third parties from receiving information generated by users’ website communications.”

Even at the allegation stage, the case highlights a pressure point for many consumer-facing websites: consent interfaces are only as reliable as the technical controls behind them.

If a website offers an “essential cookies only” option, the expectation is that third-party tags, pixels, and scripts tied to advertising and analytics are actually disabled or prevented from transmitting data when a user opts out.

Regardless of how the claims ultimately shake out, the complaint underscores a simple but increasingly litigated reality: privacy disclosures and consent banners are only as defensible as the engineering behind them. If a site presents an “essential cookies only” option, users reasonably expect that advertising and analytics tags, pixels, and scripts are actually blocked from firing and from transmitting data to third parties. For consumer-facing organizations, this case is a reminder to align what the interface promises with what the site does in practice, and to validate that opt-out choices are enforced consistently across all third-party tools and integrations.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.