Home

Wednesday, April 23, 2025

View Back issues

NFL accused of collecting, sharing website users' private data

Fans claim that even after opting out of sharing cookies, NFL.com still secretly runs trackers on the site as soon as a webpage opens.

(CN) — Website users hit the National Football League with a class action in California state court, claiming it secretly installs hundreds of tracking technologies on visitors’ web browsers to collect personal information and browsing behavior without their consent.

California resident and lead plaintiff Thelma Kimmons claims in the lawsuit filed in Alameda County Superior Court that NFL Enterprises LLC violated state and federal privacy laws by embedding tracking software from advertising and analytics companies on NFL.com that monitored users’ online activity in real time.

“By embedding this code, the website automatically transmitted extensive information about users’ browsing behavior and identity to each of these third-party networks, including page views, product views, content interaction, IP addresses, and device and browser characteristics,” Kimmons writes in the suit.

According to the plaintiff, visitors to NFL.com automatically received trackers developed by companies including Google and Facebook.

Kimmons claims the technologies collected identifying information and detailed data about users’ behavior on the website, then shared that information with third parties for advertising and marketing purposes without obtaining users’ consent.

“In the internet context, courts repeatedly recognize that a third party becomes an unauthorized interceptor when a website embeds tracking technology that captures user communications in real time and permits the third party to use the intercepted communications for its owner commercial purposes,” she writes in the suit.

Citing forensic testing, Kimmons claims NFL.com deployed 182 third-party trackers before users could make privacy choices, including 24 cookies, four canvas fingerprinting scripts and one session-recording tool. The session replay software also even recorded users’ mouse movements, clicks, scrolling behavior, navigation paths and keystrokes entered into search fields, she claims.

“Upon installing the trackers on its website, defendant uses the trackers to collect the identifying information and user behavior and activity from class members and transmits that data to the third-parties that developed and operate the trackers in real time,” Kimmons claims.

“The operators of the trackers then use the correlated information of users, including those of plaintiff and class members, for their own commercial purposes, including targeted advertising, marketing and website analytics,” she adds.

Kimmons says in the suit that she visited NFL.com in January 2026 to check scores and schedules as a fan of the San Francisco 49ers. During that visit, she claims, the website generated a unique device fingerprint, recorded her browsing session and shared her information with third parties for targeted advertising.

She also contends the website’s cookie consent banner is misleading because trackers begin operating as soon as a visitor lands on the site, before users have an opportunity to opt out.

“Notably, while there is a pop-up banner which allows website visitors to opt-out cookies, this banner gives users a false and misleading sense of security over their online privacy,” she writes. “Even when a user chooses to opt-out of the cookies, the website continues to run 186 third party trackers, including 25 cookies, 4 canvas fingerprints and 1 session recorder.”

In the suit filed Thursday, Kimmons brings claims under the California Invasion of Privacy Act, the federal Electronic Communications Privacy Act, the California Computer Data Access and Fraud Act, the California Constitution’s right to privacy and California’s unfair competition law.

She seeks to represent a nationwide class of website visitors whose information was allegedly collected without consent.

Kimmons and the proposed class, represented by San Francisco-based firm Potter Handy, are asking for statutory damages, injunctive relief, restitution and attorneys’ fees, including up to $5,000 per violation under California’s privacy law and statutory damages under the federal Wiretap Act.

Neither representatives for the plaintiffs nor the NFL responded to requests for comment.

Categories / Civil rights, Consumer law, Sports

Subscribe to our free newsletters

Our weekly newsletter Closing Arguments offers the latest about ongoing trials, major litigation and rulings in courthouses around the U.S. and the world, while the monthly Under the Lights dishes the legal dirt from Hollywood, sports, Big Tech and the arts.

Loading...