A national consumer brand just paid $5 million because their website ran tracking pixels the way almost every website runs tracking pixels. The plaintiffs' bar has automated the process of finding the next defendant.

What every business with a website should learn from a $5M payout.
On April 30th, a Florida court gave preliminary approval to a $5 million settlement in Cumor, Dunn v. European Wax Center, Inc. The allegation isn't a data breach or a hack. It's much more ordinary than that:
Like millions of other businesses, European Wax Center ran tracking pixels, cookies, and analytics scripts on its website. Plaintiffs argued that those tools transmitted information about visitors, including people who booked appointments, to third parties without permission. EWC denies wrongdoing and settled, in the company's words, to avoid the cost and disruption of litigation.
That last detail is the part nobody wants to dwell on: EWC didn't lose at trial. They paid $5 million to end the lawsuit.
In the world of data privacy, especially for businesses that handle customer data, this is the new normal. When we talk with customers, we see the same situation and the same liability theory again and again. Below, we'll walk through what actually happened, why it happened to European Wax Center, and what you can do this week to help keep your name off the next case caption.
Strip away the legalese, and the lawsuit is straightforward.
EWC's website, like an estimated 47% of websites globally, ran a Meta Pixel and similar tracking technologies. When a visitor landed on their website, browsed services, and booked an appointment, those tools transmitted data about the visit to third parties (Meta and others) for advertising and analytics.
The plaintiffs argued that this occurred before consent, without sufficient disclosure, and that it amounted to allowing a third party to "listen in" on a private interaction. The legal hook isn't brand-new; it's based on wiretap and invasion-of-privacy laws that have been on the books for decades. These laws were written before tracking pixels existed, and they're now being repurposed for the modern web.
And here's the unfortunate part: these cases do proceed. Hundreds of California Invasion of Privacy Act (CIPA) lawsuits were filed in 2025, and plaintiffs are increasingly using the Florida Security of Communications Act (FSCA) and the federal Electronic Communications Privacy Act (ECPA) to expand their reach. The plaintiffs have built a repeatable playbook, and they're working through companies methodically.
Here's what we want everyone reading this to internalize: EWC almost certainly did not believe they were breaking the law.
They had a privacy policy. They were running the same marketing stack as basically every consumer brand in America. Their pixel setup was probably standard.
That's exactly the problem. The standard setup doesn’t ensure you’re completely compliant.
A few things converged to make ordinary websites a tempting litigation target:
1. Pixels fire by default, before any consent is given. When a visitor lands on a page, the Meta Pixel typically transmits the URL, IP address, browser data, and cookie identifiers to Meta in real time. If your visitor is in California (or Florida, or Illinois, or Pennsylvania), and you didn't get permission first, plaintiffs argue you just “helped Meta wiretap them”. Per CIPA, that's $5,000 per violation. Multiply that by every visitor.
2. A cookie banner is not a privacy program. These lawsuits often allege that a website showed a banner promising one thing while, on the back end, third-party trackers fired anyway. The banner did what a banner does, but if it isn't wired to the tags it claims to control, the business is still exposed.
3. Privacy policies in the footer might not constitute consent. Courts have been clear: privacy terms buried at the bottom of a page do not equal consent for trackers that start firing as soon as the page loads.
4. Plaintiffs' firms are scanning, not searching. This is the part that surprises every business owner we talk to. The law firms behind these cases aren't reading reviews of your business and deciding to sue. They're running scanners across the internet that flag any site with a misconfigured pixel, then sending demand letters and filing suit. It's not personal to you; it's algorithmic.
We're going to translate the EWC case into the same four parts we use with every customer who comes to us mid-panic after receiving a demand letter:
1. If you're running ad trackers or third-party analytics, you might have a consent problem.
The single most common mistake we see: pixels firing on page load, before any consent banner is shown, before the user has clicked anything, before any disclosure has been read.
What we’ve seen people do: Audit every script your site loads. Block all non-essential trackers (Meta Pixel, Google Ads tags, TikTok Pixel, analytics tools) until the user has made an affirmative choice. "Affirmative" means they clicked something. Pre-checked boxes don't count. A banner that loads after the trackers have already fired doesn't count.
If you don't know what's currently firing on your website before consent, that's the first thing to find out.
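One way to find out, as an added example that is not part of the original post or TrueVault's product: export a HAR file from the browser's Network tab after loading the page as a fresh visitor, note the moment the consent button was clicked, and list every request to a known tracker host that was sent before that moment. The HAR-style entries, the consent timestamp and the tracker host list below are constructed for illustration; the host list is a starting point, not an exhaustive blocklist.

```javascript
// Added example (not from the original post): list third-party tracker requests
// that fired before the visitor made a consent choice, from a HAR-style capture.

// Registrable domains of common advertising/analytics collectors. Illustrative only.
const TRACKER_DOMAINS = [
  "facebook.com",          // Meta Pixel collector (www.facebook.com/tr)
  "facebook.net",          // Meta Pixel script (connect.facebook.net)
  "google-analytics.com",  // Google Analytics
  "googletagmanager.com",  // GTM / GA4 loader
  "doubleclick.net",       // Google Ads
  "analytics.tiktok.com",  // TikTok Pixel
];

// Constructed HAR-like entries: first-party page load, a pixel that fired on load,
// a first-party API call, and a collector hit sent only after the consent click.
const SAMPLE_ENTRIES = [
  { startedDateTime: "2025-06-01T10:00:00.000Z", request: { url: "https://www.example-brand.test/book" } },
  { startedDateTime: "2025-06-01T10:00:00.120Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
  { startedDateTime: "2025-06-01T10:00:00.340Z", request: { url: "https://www.facebook.com/tr/?id=123&ev=PageView&dl=https%3A%2F%2Fwww.example-brand.test%2Fbook" } },
  { startedDateTime: "2025-06-01T10:00:00.400Z", request: { url: "https://www.example-brand.test/api/availability" } },
  { startedDateTime: "2025-06-01T10:00:07.900Z", request: { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX" } },
];
// Constructed: when the visitor clicked "Accept" on the banner.
const SAMPLE_CONSENT_CLICK = "2025-06-01T10:00:05.000Z";

// Suffix match on the registrable domain, so sub-hosts such as www.facebook.com count.
function isTrackerHost(hostname) {
  return TRACKER_DOMAINS.some((d) => hostname === d || hostname.endsWith("." + d));
}

// Returns every tracker request sent before the consent decision, with the path
// and the query parameter names (i.e. what the page actually transmitted).
// Pass null for consentClickTime to audit a session where the visitor never consented.
function preConsentTrackerRequests(entries, consentClickTime) {
  const cutoff = consentClickTime === null ? Infinity : Date.parse(consentClickTime);
  const findings = [];
  for (const entry of entries) {
    const url = new URL(entry.request.url);
    if (!isTrackerHost(url.hostname)) continue;
    if (Date.parse(entry.startedDateTime) >= cutoff) continue;
    findings.push({
      at: entry.startedDateTime,
      host: url.hostname,
      path: url.pathname,
      params: [...url.searchParams.keys()],
    });
  }
  return findings;
}

// On the constructed capture this flags the Meta Pixel script and the /tr PageView
// hit (sent with the page URL in "dl"), and ignores the GA4 hit sent after consent.
console.log(preConsentTrackerRequests(SAMPLE_ENTRIES, SAMPLE_CONSENT_CLICK));
```

Anything the audit returns is a tag that fires regardless of what the banner says. Run it once per page template, and again every time someone touches the tag manager.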
2. Your cookie banner is the smallest part of the program and probably the easiest to mess up
A banner that says "Accept" and buries an opt-out behind multiple clicks, or one that visually nudges users toward acceptance (also called "dark patterns"), might be a liability. And if your banner says one thing while your tag manager does something else, that further exposes you to risk.
What we’ve seen people do: Use a consent management platform that actually controls what fires. Not a banner that displays opinions about what should fire while the tags do whatever they want. The two systems have to be wired together. If your "Reject All" button doesn't actually reject all, you have a bigger problem than no banner at all.
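To make concrete what "wired together" means, here is an added example (not code from the original post, and not any real consent platform's API): a minimal consent gate in which every non-essential tag registers a loader under a purpose category, and nothing runs until the visitor has made an explicit choice. The tag names and loader stubs are constructed; on a real site the loader would inject the vendor's script.

```javascript
// Added example (not from the original post): a consent gate that actually controls
// what fires. Tags register a loader; loaders run only after an affirmative choice.

const CATEGORIES = new Set(["analytics", "advertising"]);

function createConsentGate() {
  let decision = null;        // null until the visitor clicks something
  const pending = new Map();  // category -> [{ name, category, load }]
  const fired = [];           // names of tags that were actually executed

  function run(tag) { tag.load(); fired.push(tag.name); }

  // Non-essential tags go through here. Strictly necessary functionality
  // (the booking form itself) is not a tracker and does not use the gate.
  function register(name, category, load) {
    if (!CATEGORIES.has(category)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, load };
    if (decision === null) {
      if (!pending.has(category)) pending.set(category, []);
      pending.get(category).push(tag);   // hold until the visitor decides
      return false;
    }
    if (decision[category]) { run(tag); return true; }
    return false;                        // rejected: a tag added later still won't fire
  }

  // Only an affirmative user action counts. Defaults, pre-checked boxes and
  // timeouts are not a decision, so any other source is refused here.
  function decide(choice, source) {
    if (source !== "user-click") {
      throw new Error(`consent must come from a user action, got: ${source}`);
    }
    decision = {};
    for (const c of CATEGORIES) decision[c] = choice[c] === true;  // absent == rejected
    for (const [category, tags] of pending) {
      if (decision[category]) tags.forEach(run);
    }
    pending.clear();
    return { ...decision };
  }

  const acceptAll = () => decide({ analytics: true, advertising: true }, "user-click");
  const rejectAll = () => decide({}, "user-click");   // "Reject All" really rejects all

  return { register, decide, acceptAll, rejectAll, fired: () => [...fired] };
}

// Walk-through with constructed stub loaders: two tags registered on page load,
// plus one added after the decision, the way a campaign pixel gets added later.
function demo(choice) {
  const gate = createConsentGate();
  const log = [];
  gate.register("meta-pixel", "advertising", () => log.push("load fbevents.js"));
  gate.register("ga4", "analytics", () => log.push("load gtag.js"));
  const firedBeforeDecision = gate.fired().length;   // 0: nothing fires on page load
  if (choice === "accept") gate.acceptAll(); else gate.rejectAll();
  gate.register("tiktok-pixel", "advertising", () => log.push("load tiktok pixel"));
  return { firedBeforeDecision, fired: gate.fired(), log };
}

console.log(demo("accept"));   // all three tags fire, only after the click
console.log(demo("reject"));   // nothing fires, including the late-added pixel
```

The point of the structure is that the banner and the tags share one decision object: there is no path by which a tag can load before `decide` has run with a user-click source, and a tag someone adds next quarter inherits the visitor's earlier rejection instead of silently firing.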
3. You probably haven't mapped your data, and that's where the real exposure lives
Most brands can't answer a basic but often hard question: where does the personal data we collect actually go? Customer info goes from the website to Shopify, to Klaviyo, to Meta, to Google, to your CRM, to your analytics tool, to a couple of marketing apps somebody installed two years ago and forgot about.
Each of those data flows is a potential disclosure. Each one might or might not be covered by a proper vendor contract. Each one might or might not match what your privacy policy says you do.
What to do: Run a data map. Not a spreadsheet someone made once, but an evergreen record of every system that touches personal data, what data it sees, and what it does with it. This is the foundation of every other privacy obligation. You can't comply with rules about data you haven't located and don't know exists.
4. Compliance is not a project. It's a system.
The EWC class period runs from June 30, 2023, through April 2, 2026. That's almost three years of alleged violations. Three years of "we'll fix that later." Three years where, presumably, the website was reviewed for compliance at some point, and someone signed off.
Privacy compliance is hard and requires continuous oversight. New state laws pass every year, and enforcement is picking up. Platforms change their APIs, marketing teams add a new campaign pixel and forget to tell legal, a vendor updates their script, and suddenly the program you built last year is exposing you to risk, and you don't realize it until a demand letter arrives.
What to do: Treat compliance as a journey, not a destination. Monitor changes to the laws you're subject to. Re-scan your website regularly. Re-review your data map whenever you add a tool. The businesses that win at this don't do more work than the ones that lose; they do small amounts of work consistently, instead of a panicked sprint after they get sued.
We hear one objection a lot: the assumption that plaintiffs' firms only go after companies big enough to write a $5M check.
That used to be partially true. It is no longer true.
The economics of pixel litigation work at a much smaller scale than people think. Demand letters are cheap to send. Settlements in the $25,000 to $250,000 range are common and rarely reported. Plaintiffs' firms are running these as volume businesses. Some are even sending demand letters to financial institutions in states where those institutions don't operate, on the theory that an in-state resident accessed the website.
The threshold for being a target is not "famous." It's "has a website that runs a pixel." That's it. That's the threshold.
If anything, an e-commerce brand is an easier target than a large enterprise, because an SMB is more likely to settle quickly to make the problem go away. The plaintiff's firm doesn't need to win at trial; they need you to write a check.
A compliance program for a typical e-commerce brand doesn't have to be complex. It's the boring fundamentals, done consistently: a data map, a consent system that controls what actually fires, consumer rights workflows, and ongoing monitoring.
That's it. It's not glamorous, and it does not involve a 200-page strategic privacy roadmap. It involves doing the fundamentals well.
We built TrueVault because we kept watching businesses like European Wax Center get caught in this exact trap. They weren't bad actors. They were running a normal marketing operation with a standard tech stack, and the rules changed underneath them. The tools they were sold to "be compliant" turned out to be cookie banners that didn't do the compliance part.
Privacy law is genuinely complicated, especially for non-lawyers. It is also solvable for an e-commerce brand with a website, without hiring a $1,200/hour outside firm and without becoming a part-time privacy lawyer.
TrueVault gets you compliant from the start and helps you stay compliant: guided data mapping, privacy notices that match what your site actually does, and cookie consent that blocks the trackers it claims to block. We also provide consumer rights workflows, and we keep our eyes on the law, flagging any changes relevant to you. We're built by privacy experts who speak plainly so you understand how these laws affect your business.
The TL;DR for anyone who skipped to the bottom: A national consumer brand just paid $5 million because their website ran tracking pixels the way almost every website runs tracking pixels. The plaintiffs' bar has automated the process of finding the next defendant. A cookie banner is not a privacy program. The fix isn't dramatic: it's a data map, a consent system, consumer rights workflows, and ongoing monitoring. The businesses that handle this well treat it as an evergreen system.
If you'd like a walkthrough of any gaps on your website, reach out to TrueVault.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.