There has been a significant surge of litigation filed against companies accused of using software tools to track website user behavior without users’ knowledge or consent — commonly called pixel tracking litigation, or pixel privacy litigation.
For this episode, we were joined by Alex Proctor, Chief Trust and Privacy Officer at Captain Compliance, a privacy technology startup focused on helping organizations navigate privacy, compliance, and risk management challenges. Alex brings over 15 years of experience in privacy and data protection, leading cybersecurity and privacy governance, risk, and compliance programs across highly regulated industries.
The following conversation has been edited for clarity and length.
Tell us about Captain Compliance.
Captain Compliance is a purely focused privacy technology company. We’re involved in the world of CMPs (consent management platforms), dynamic privacy notices, and data subject request processing with automation.
One thing I’ve learned from working in the CMP space is that it is extremely difficult to get right. It’s not always obvious at first glance. You think these things consist of a pop-up on a website and a couple of buttons. How hard can that be? But the reality is, the level of integration necessary to meet the standard for a maximally defensible website, with regard to this wiretapping litigation, and to hold up under the scrutiny of a state regulator, is a very high bar. There are considerations including how you handle cookies and scripts, and those are not handled in the same way. You’re also dealing with integrations with things like Google Consent Mode, and if you’re a Shopify shop, Shopify API integration. There are just so many opportunities to get things wrong.
I’ve been on the other side buying privacy technologies in my past, and I never felt like I had time to truly invest in understanding them. What I love about Captain Compliance is being able to take on a lot of that load for our clients and give them the peace of mind that their technology is going to work correctly if it ever gets scrutinized.
Why do so many companies struggle to get website consent right?
It’s very easy to not configure website consent to the degree it actually needs to be. Most consent technologies operate in multiple layers. The two I’d like to highlight are the cookie auto-blocking layer and the script-gating layer. The auto-blocking layer does things like delete cookies from your browser if someone opts out and controls browser-level storage. The script-gating layer is where you put logic in your tag triggers to look for consent signals.
It’s very easy to drop a script on a website, make sure the banner looks good, and think you’re mostly there. But privacy testers will be testing much more than just cookies. They’ll be looking for network transactions to third parties that don’t rely on cookies at all. To truly maximize your defensibility, you need to go somewhat deeper, and that does involve some manual setup.
Why are tracking cases difficult for companies to navigate?
All of this private litigation is generally not happening via our modern privacy laws, which typically don’t give a private right of action. What plaintiffs are doing is using old wiretapping laws, some dating back as far as the 1960s. The California Invasion of Privacy Act was literally created before the internet existed. But these old laws do have a private right of action, and so you have cases where decades-old statutes are being used to challenge the most modern website technologies available.
The difficulty is that courts are completely split on how to deal with these allegations. Some cases get thrown out—especially in certain jurisdictions—while in others, they regularly proceed. And when they do, the case law can differ significantly. In some of the most extreme cases out of California, courts have found that retroactive consent is invalid—you must opt in prior to firing any trackers. Because companies care deeply about their marketing data and targeted advertising, running that kind of opt-in model is not great for the marketing department. It creates risk-based decisions where companies need to weigh whether that residual risk is worth it when choosing between opt-in and opt-out models. It’s tough to navigate because of the ambiguity.
How should companies balance legal requirements against marketing needs?
It has to be a business risk decision, first and foremost. From our internal data, most people don’t interact with consent banners. You’ll be lucky to get five percent of people clicking “allow” and five percent clicking “reject”—most people are going to be stuck with the default policy. So if that default is restrictive, it’s going to have a major impact on marketing. For many companies, they simply can’t tolerate that unless they’re in a region where it’s absolutely required.
You do see some companies that are sensitive to the litigation trying to find incremental solutions. One example: instead of running an opt-in model across all states, a company might choose to run opt-in in California and in other two-party consent states where similar claims are emerging, like Florida, while leaving most of the US on an opt-out model. It’s a compromise, but that’s the type of decision being made.
There are also things companies can do from a UI perspective, though it’s important to stay clear of dark patterns or deceptive designs. You will see companies, when they’re in an opt-in model and want to maximize interaction rates, do things like place the banner in the center of the webpage or require interaction before accessing the site, to try to preserve at least some analytics while still honoring the opt-in model.
How can companies assess whether their CMP deployment is working?
If you’re validating the quality of your CMP deployment, you want to be working with your legal team. Someone with a legal background should be providing a critical eye, because a lot of the technical aspects will require legal analysis.
Beyond that, there needs to be ongoing review. This can take different forms—a quarterly assessment, monitoring technology that flags issues for legal review, or a third-party provider. But the main theme is that somebody should be doing ongoing review, at minimum quarterly, with legal involvement. This is not something you can set and leave alone for months.
Thank you Alex Proctor for sharing your insights.


