A new class action in the U.S. District Court for the Northern District of California alleges that Ace Hardware tracked users’ online activity through third-party tools before users could make meaningful choices through cookie consent tools, and that it continued even after users took steps to opt out. The plaintiffs claim that the Ace Hardware website intercepted browsing data before consent choices could be made, promised opt-out control but did not honor it, and used multiple third-party tools to collect detailed activity. Specifically, the complaint alleges tools from Google Analytics, Bazaarvoice, and other companies were used to collect information such as search terms, product views, and device identifiers.
In plain terms, the lawsuit frames the issue as a mismatch between what users were told about their privacy choices and what allegedly happened behind the scenes. While the lawsuit focuses on Ace Hardware’s website practices, it also reflects on the broader scrutiny of third-party analytics and marketing tools, especially where consent mechanisms are alleged to be ineffective or misleading.
Even when companies believe they have implemented standard consent banners, plaintiffs increasingly focus on what the underlying scripts actually do in real time. This case is a reminder that privacy risk often turns on implementation details, not policy language. Companies should pressure-test consent flows against what tags and pixels actually transmit, including on first page load and after opt-out selections. Aligning disclosures, consent settings, and real-time script behavior is increasingly where litigation exposure is won or lost.