Greetings CIPAWorld! Twice in one day? You know it must be big. This case is an absolute must-read for data privacy professionals and law students looking to break into the field. If you’re studying privacy law or tech policy or just want to see how cutting-edge legal arguments are shaping the future of digital rights, this one’s for you. Brace yourselves because we are about to dive deep into this well-drafted Complaint recently filed. A California resident has filed a sweeping class action lawsuit against E! Entertainment Television, alleging the media company’s website secretly tracks and monetizes visitor data without consent—turning users into unwitting participants in a vast digital advertising machine. See Weiler v. E! Ent. Television, LLC, No. 25STCV02509 (Cal. Super. Ct. filed Jan. 29, 2025). The Complaint, filed in Los Angeles Superior Court by Plaintiff, provides an unprecedented look into the complex web of online tracking, data brokerage, and real-time ad auctions that powers many popular websites. Plaintiff, who has regularly visited the website from 2016 through October 2024, represents potentially thousands of California residents who have had their data collected without consent.

When visitors access eonline.com, the website allegedly automatically installs two powerful tracking systems on their browsers—the Bounce Exchange Tracker operated by data broker Wunderkind and the ADNXS Tracker run by Microsoft. These trackers immediately start collecting visitors’ IP addresses, which reveal their approximate physical location, along with detailed device information like browser type, operating system, and other identifying characteristics that create a unique digital fingerprint.

Let me simplify this. Think of it like a digital license plate—once a site tags you, your activity can be traced across the web, even if you think you’re browsing anonymously. Much like a telephone number guides a call to its destination, an IP address routes data packets between devices on the internet. The traditional IPv4 format offers approximately 4.3 billion unique addresses, while the newer IPv6 system provides vastly more combinations to accommodate the growing internet.

I know I’m geeking out with these technical sophistications here, but this is fascinating as technology advances! Public IP addresses assigned by Internet Service Providers are globally unique and can reveal a user’s approximate location, while private IP addresses are used only within local networks. This distinction is essential to address, no pun intended, because private IP addresses don’t reveal geolocation, while public ones do and are extensively used in advertising.

The trackers also collect what’s known as “Device Fingerprint Information,” which includes the user-agent string (detailing precise browser and system specifications), device capabilities, supported image formats, compression methods, and persistent identifiers like PUID, GUID, UID, and PSVID. If cookies are the old-school way of tracking you, device fingerprinting is the cutting-edge upgrade—harder to delete, more invasive, and nearly impossible to avoid. Under California’s Invasion of Privacy Act (“CIPA”) § 638.50(b), these trackers qualify as “pen registers” because they capture “routing, addressing, or signaling information” without obtaining required court approval. What’s more, the lawsuit argues that these trackers also function as “trap and trace devices” under CIPA because they don’t just track outbound signals—they monitor inbound data as well, identifying where users connect from, which could further bolster the claim that E! Entertainment is violating privacy laws by monitoring user activity without disclosure.

Wunderkind’s technology goes far beyond simple data collection. According to the Complaint, it “analyze[s] everything about visitor behavior, from purchase history to traffic sources to engagement patterns to even the moment a visitor is abandoning a site using its patented exit-intent technology.” In other words, it’s not just watching—it’s waiting for the exact moment you hesitate before clicking away to push you toward engagement. Black Mirror episode, anyone? The company maintains what it calls “the largest first-party data set out of comparable solutions on the market,” using this vast collection of information to track users across multiple devices and platforms. This means that Wunderkind isn’t just tracking user behavior on E! Online—it’s enriching Microsoft’s bidstream data with additional details, allowing advertisers to bid on pre-profiled users rather than just generic ad impressions.

The lawsuit explains how this data collection feeds into a sophisticated advertising ecosystem called “real-time bidding” (“RTB”), where users’ personal data is turned into a commodity in a split-second auction. Imagine a stock market for human attention—except you don’t get a say in who’s buying or selling access to you. At the center of this system is Microsoft’s ADNXS Tracker, which functions as a “demand-side platform” (“DSP”). Its “impression bus” system processes ad requests, applies user data, and manages the entire bidding process. When someone visits E! Online, Microsoft’s ADNXS system doesn’t just load a webpage—it launches a high-speed digital auction. First, a “Supply Side Platform” sends user data to Microsoft’s Advertising Exchange, which includes device identifiers, IP address, zip/postal code, GPS location, browsing history, and other personal information, collectively known as “bidstream data.” Microsoft’s system then overlays segment data from its server-side cookie store, accumulating information through Microsoft Advertising segment pixels and client-uploaded data files.

The Advertising Exchange then broadcasts this data to multiple DSPs, who evaluate it to determine whether to bid for their advertising clients. At this point, your data isn’t just floating around in cyberspace—it’s being assessed, categorized, and priced in milliseconds. The Complaint alleges that Microsoft’s impression bus processes and facilitates RTB transactions but also plays a broader role in Microsoft’s ad-serving infrastructure, meaning data could be stored beyond just a single ad request. The lawsuit raises a major concern: even advertisers who lose the auction still receive and retain the visitor’s data. This means that a single visit to E! Online can result in personal data being shared with countless third parties—many of whom the visitor has never even heard of.

The Federal Trade Commission (“FTC”) has raised serious concerns about this real-time bidding process. The FTC warns that RTB incentivizes websites to share as much user data as possible to get higher ad valuations, particularly location data and browsing history. The process also enables sensitive data to be transmitted across geographic borders without restriction. The FTC has previously taken enforcement action against real-time bidding companies, such as Xandr (formerly owned by AT&T and later acquired by Microsoft), highlighting the potential legal exposure of E! Entertainment’s practices.

Wunderkind, meanwhile, allegedly uses the tracking data to build highly detailed consumer profiles that follow people long after they leave E! Online. As a registered data broker in California, Wunderkind maintains vast databases of consumer information that it sells to advertisers, brands, and even other data brokers. The complaint alleges that Wunderkind’s code on E! Online captured Weiler’s browser details and transmitted this information to its servers. The lawsuit argues that by allowing this data collection without obtaining explicit consent, E! Entertainment has essentially turned its audience into a product—monetizing their personal information while keeping them in the dark.

The Complaint argues these practices violate the CIPA, prohibiting certain tracking technologies without court approval. The Complaint cites explicitly recent court decisions from 2024, including Shah v. Fandom, Inc., No. 24-CV-01062-RFL, 2024 WL 4539577, at *6 (N.D. Cal. Oct. 21, 2024) and Mirmalek v. L.A. Times Commc’ns L.L.C., No. 24-cv-01797-CRB, 2024 WL 5102709, at *3-4 (N.D. Cal. Dec. 12, 2024), which found that similar trackers constituted “pen registers” due to CIPA’s “expansive language.” If the court agrees that Microsoft’s and Wunderkind’s trackers fall under this classification, E! Entertainment could face serious legal and financial consequences—including statutory damages of up to $5,000 per violation.

As digital privacy gains continued importance and online tracking faces scrutiny, this case may significantly impact how media and entertainment companies manage visitor data. While companies like E! Entertainment may argue that data-driven advertising is necessary in today’s economy, privacy advocates see lawsuits like this as long-overdue accountability for an industry that has long operated in the shadows. This case challenges E! Entertainment, and an entire industry focused on tracking, profiling, and monetizing consumers without their knowledge.

Remember, just because you can’t see tracking happening doesn’t mean it isn’t there.

As always,

Keep it legal, keep it smart, and stay ahead of the game.