
May 07, 2026 · 8 min read

Forbes Just Settled a $10 Million Lawsuit Because California Calls Its Web Trackers Illegal Wiretaps—The Same Mechanism Reads Your Email

A federal class action says the LinkedIn and Microsoft trackers on Forbes.com are "pen registers" under California's wiretap statute. Forbes paid $10 million rather than fight the theory. The same theory points straight at the pixels in your inbox.

On May 4, Forbes Media agreed to pay $10 million to end a class action that asked a federal judge to treat the LinkedIn and Microsoft trackers on Forbes.com as illegal wiretaps. The legal theory is the part to pay attention to: under California's Invasion of Privacy Act, the plaintiffs argued, an embedded third-party tracker that fires automatically when a visitor loads a page is a "pen register" — the same category as a phone tap device. Forbes did not admit wrongdoing. It just decided that fighting the theory was more expensive than paying.

About 3.9 million Californians who visited Forbes.com after December 20, 2023 are eligible for between $32 and $189 each. The settlement also forces Forbes to give California users "enhanced notice" and a banner-level opt-out for third-party trackers. The agreement is now waiting on preliminary approval from a California federal judge.

That is the surface story. The deeper one is that the legal mechanism behind this settlement — the idea that an automated identifier grabber sitting on a webpage is functionally a wiretap — is the exact same mechanism that sits inside almost every marketing email in your inbox. If California courts continue to accept the pen register theory, the email tracking pixel becomes the next obvious target.


What CIPA Section 638.51 Actually Says

California Penal Code Section 638.51 is the operative statute. It bars anyone from installing or using a "pen register" or "trap and trace device" without a court order. Both terms come from telephone-era surveillance law. A pen register captures the numbers a phone dials. A trap and trace device captures the numbers calling in. They were the original metadata collectors — they did not record the call itself, just who was on each end.

When the legislature defined those terms it used broad language about "any device or process" that records "dialing, routing, addressing, or signaling information." That broad language is what plaintiffs' lawyers have been using since 2023 to argue that web trackers fit. A LinkedIn Insight Tag fires when you load a page. It captures your IP, your browser fingerprint, and a unique identifier that LinkedIn can match back to a real account. To the plaintiffs, that is exactly what a trap and trace device does on a phone line: it records routing and signaling information without recording the conversation.

Three federal judges in California have agreed with the theory in 2024 and 2025 rulings. Two have rejected it. The Ninth Circuit has not weighed in. That uncertainty is the reason settlements like Forbes' are happening — the downside risk for a publisher with millions of California visitors is enormous, and the cost of changing tracker behavior is small by comparison.

What Forbes Was Actually Doing

The Forbes complaint, filed in late 2024 by named plaintiff Jared Berman, focused on three categories of tracker:

  • LinkedIn Insight Tag. A 1x1 pixel that LinkedIn customers embed on their sites. It fires on page load, captures the visitor's IP, browser metadata, and a LinkedIn identifier cookie. LinkedIn matches that data back to logged-in member profiles to build retargeting audiences.
  • Microsoft trackers. Plaintiffs identified Microsoft Clarity (a session replay tool) and the Bing UET tag (Microsoft's advertising pixel) on Forbes pages. Both transmit unique identifiers and behavioral signals to Microsoft servers as the user reads.
  • Other ad tech beacons. The complaint mentioned additional third-party tags but focused the wiretap argument on the LinkedIn and Microsoft signals.

The plaintiffs did not have to prove that Forbes or LinkedIn read the content of any article. The CIPA pen register theory only requires showing that a device captured "addressing and routing" information automatically. The IP and the unique identifier are enough.

Why the Forbes Case Matters More Than the Dollar Amount

This is Forbes' second major privacy settlement in a year. In 2025, Forbes paid $7.5 million to resolve a separate class action under the Video Privacy Protection Act over Meta Pixel data sharing on its video pages. Combine the two and Forbes has now spent $17.5 million on tracker-related litigation in twelve months.

The pattern is the point. CIPA pen register cases are not isolated lawsuits anymore. They are an industry. Plaintiffs' firms have spun up dedicated practices, public dashboards track new filings, and class action discovery is being templated. As of early 2026, more than 200 active CIPA Section 638.51 cases are pending against website operators. Every settlement raises the floor for the next one.

The same dynamic has already driven the healthcare sector into a similar wave of settlements. Hospitals have collectively paid more than $100 million over the same Meta and Google pixels embedded in patient portals — and 20 state health exchanges were caught sending citizenship status, race, and prescription drug names to TikTok and Meta through the same pixel mechanism. The publishing sector is just catching up to where healthcare and government were eighteen months ago.

For compliance officers reading this, the Forbes deal is the new benchmark. A publisher with about 3.9 million California visitors and a few common ad tech tags ends up at $10 million, plus a mandatory consent banner, plus monitoring obligations. That is not a hypothetical risk anymore. It is a line item.

Why This Should Worry Email Marketers More Than Web Publishers

Here is the part the legal coverage tends to skip. The CIPA pen register theory does not contain anything specifically about websites. It is about devices that capture addressing and signaling information. It applies to whatever fits.

A marketing email opens with a 1x1 transparent image hosted on the sender's tracking domain. When your mail client fetches that image, the sender's server logs:

  • Your IP address
  • Your User Agent string (which client, which platform)
  • The exact time you opened the message
  • Whether you forwarded it (because the image gets re-fetched from a new IP)
  • A unique identifier the sender baked into the URL so they can match the open back to your address

Compare that list to what the LinkedIn Insight Tag captures on Forbes.com. The two are functionally indistinguishable. Both are automated, both fire without user action beyond opening the page or message, both transmit a unique identifier plus routing data, and neither asks for consent.

The reason email pixels have not been the lead defendants in the CIPA wave so far is procedural, not substantive. Most email tracking happens server-to-server, the recipient never sees the pixel, and the sender's contract terms typically include consent language buried in subscription flows. Web tracking has been an easier target because the visitor never agreed to anything.

But that gap is closing. France's CNIL issued a recommendation in early 2026 that requires explicit consent for tracking pixels in email — including transparent images that fire on open. Germany's data protection authorities are reviewing similar guidance. The EU's ePrivacy framework already covers any device that stores or accesses information on a user's terminal, which arguably includes the cached image load mechanism that pixels rely on. Once one of these regulators issues a major fine against an email sender, US plaintiffs' firms will have a template.

What This Means for Your Inbox

If you are reading this from a Gmail account on a personal device, every marketing email you have opened in the last decade has been logged. Senders know the time you opened, often the city you opened from, and whether you opened it more than once. Some senders enrich that data with mobile carrier, device model, and the rough location of the network you were on.

The reason this has not felt like a privacy emergency is that the data has been in the hands of senders, not adversaries. That assumption no longer holds. In the past eighteen months, every major email marketing platform has been breached at least once. The Mailchimp incidents, the Salesforce supply chain breaches that hit Pitney Bowes and Vimeo, the SES credential leaks, the Adobe support ticket dump — all of them included open tracking metadata that survives and travels with the email logs. Once the tracking data is exfiltrated, it is part of every aggregator's profile of you forever.

The mitigation is mechanical, not legal. The tracking pixel does not work if the image never loads. Image blocking has been a privacy practice in the security community for two decades, but it breaks too many normal emails to be the default for most people. The newer approach is selective blocking — letting your client load the body of the message but refusing the requests to known tracking domains. That is what Gblock does for Gmail in Chrome and Edge: it inspects each external image request, recognizes the patterns that identify open trackers and click trackers, and silently drops them. The email looks identical. The sender just gets nothing back.
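The open-tracking mechanism listed earlier and the selective blocking described in this paragraph, as an added example (this is not Gblock's code and not from the original article): it drops remote images a reader could never see from an email's HTML and reports the identifier carried in each URL. The heuristics, hostnames and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Heuristics below are assumptions for this example, not any vendor's rule set.
TINY = re.compile(r"\s*[01](px)?\s*$")           # width/height of 0 or 1
TOKEN_RE = re.compile(r"^[A-Za-z0-9_=-]{16,}$")  # long opaque value: likely per-recipient ID
SAMPLE = (  # constructed email body: one visible banner, two invisible beacons
    '<p>Spring sale &amp; more</p><img src="https://cdn.example.com/banner.png" width="600">'
    '<img src="https://track.example.net/o/open.gif?uid=9f8e7d6c5b4a39281706f5e4" width="1" height="1">'
    '<img src="https://track.example.net/b.gif?r=a1b2c3d4e5f60718293a4b5c" style="display: none">')

def _tokens(url):  # query values and path segments that look like unique identifiers
    parts = urlsplit(url)
    values = [v for _, v in parse_qsl(parts.query)] + parts.path.split("/")
    return [v for v in values if TOKEN_RE.match(v)]

class PixelStripper(HTMLParser):  # re-emits the HTML minus invisible remote images
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass entities through unchanged
        self.out, self.findings = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src, style = a.get("src") or "", (a.get("style") or "").replace(" ", "").lower()
        reasons = ["1x1"] if all(TINY.match(a.get(k) or "") for k in ("width", "height")) else []
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if tag == "img" and reasons and urlsplit(src).scheme in ("http", "https"):
            self.findings.append({"host": urlsplit(src).hostname, "reasons": reasons, "tokens": _tokens(src)})
            return  # drop the tag so the mail client never issues the request
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs): self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def strip_tracking_pixels(html):
    parser = PixelStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings

if __name__ == "__main__":
    print(strip_tracking_pixels(SAMPLE)[1])
```

Images embedded in the message itself (`cid:` or `data:` sources) are left alone because rendering them triggers no network request, so nothing is logged on the sender's side.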

If you handle compliance for a company that sends marketing email, the Forbes settlement is also the point at which the cost-benefit math on email pixels changes. Replacing open tracking with consented analytics, or moving to send-side metrics like deliverability and bounce rates, is now cheaper than the CIPA exposure that is coming. The Forbes lawyers did not get rich because the trackers were exotic. They got rich because the trackers were standard.

What to Watch Next

Three signals will tell you how fast the email pixel theory moves:

  • A CIPA case naming an email pixel as the device. As of May 2026, no major filed case has yet centered on email tracking specifically. The first one will be the bellwether.
  • A regulator other than CNIL issuing fines. Germany, Italy, and Spain are all considering similar guidance. A six- or seven-figure penalty against an EU sender will accelerate US litigation.
  • A platform pulling email pixels by default. If Apple Mail's existing pixel blocking gets matched by Gmail or Outlook at the platform level, the legal pressure point shifts to senders trying to circumvent blockers — and that is where the worst penalties tend to land.

Forbes paid $10 million because California decided that an automated identifier sitting on a webpage is the same as the listening devices the pen register statute was written about. That logic does not stop at the browser tab. It walks straight into the inbox.
