07/01/26
OBL has recently become aware of an uptick in demand letters, class action litigation, and threats of litigation targeting banks and other businesses over commonly used website technologies. These claims generally focus on whether a business’s website, email marketing platform, search function, online form, analytics tool, advertising pixel, chatbot, or other embedded software collects or transmits visitor information to third-party vendors without sufficient notice or consent.
Although the specific allegations vary, many of these claims rely on older privacy and wiretapping statutes that were not written with modern websites in mind. Recent demand letters have cited laws such as the California Invasion of Privacy Act, the federal Electronic Communications Privacy Act and Wiretap Act, the Video Privacy Protection Act, and similar state privacy or communications laws. Plaintiffs’ attorneys are increasingly arguing that common digital tools may “intercept,” record, or disclose website visitor communications, user inputs, device identifiers, browsing activity, IP addresses, search terms, or engagement data when that information is transmitted to vendors such as analytics, advertising, marketing, or customer engagement platforms.
These claims are not limited to institutions located in California, Florida, or other states where some of the statutes are being invoked. Demand letters often focus instead on where the website visitor was located when accessing the website or receiving a marketing communication. As a result, even banks with a primarily Ohio-based customer footprint may receive demand letters if their websites are publicly accessible and use third-party technologies.
The technologies being targeted are also not unusual or inherently suspicious. Many banks use standard website tools to understand site traffic, improve user experience, measure advertising effectiveness, operate chat features, manage digital campaigns, or evaluate customer engagement. However, plaintiffs’ firms are scrutinizing whether these tools transmit data to third parties before a visitor receives notice or provides consent, whether user-entered information is captured, whether tracking occurs on sensitive pages, and whether the bank’s privacy disclosures accurately describe the technologies in use.
Banks should not panic, but they should take the issue seriously. Institutions may want to work with legal counsel, marketing teams, IT staff, website vendors, and privacy/compliance personnel to understand what tracking technologies are currently active on their public websites, digital ads, landing pages, forms, chat tools, and email marketing platforms. Banks should also consider reviewing privacy notices, cookie banners, consent tools, vendor contracts, and internal procedures for approving new website technologies.
If a demand letter or complaint is received, banks should avoid informal responses and should not ignore the communication. A prompt, coordinated review can help determine what technology is actually present, what data may be collected or transmitted, whether the allegations are accurate, and what defenses or remediation options may be available.
OBL is compiling additional information on this developing issue and will provide further updates to members. OBL also plans to host a webinar later this summer to discuss the litigation trend, practical risk considerations, and potential steps banks may wish to evaluate with counsel and their technology partners.
Banks that have received a demand letter, litigation threat, or lawsuit, or that have questions about this issue, should contact OBL Senior Vice President and General Counsel Don Boyd.