Job Applicants Are Being Spied On - And It's Costing Companies Millions in Lawsuits

You probably don't think about it, but right now, invisible trackers are watching everything people do on your website. These tiny pieces of code called "pixels" are silently recording what visitors click on, where they go, how long they stay, and sometimes even sensitive personal information. For years, companies installed these trackers without much thought. For them it was just checking a box in their marketing software and moving on. But in 2025 and 2026, something changed. Lawyers started suing companies over these invisible trackers, and the lawsuits are enormous.

What's making this problem even worse? The most dangerous tracking is happening on the places where companies collect the most sensitive information: job application pages. When someone applies for a job on your website, they might upload their resume, fill out forms about their health or disabilities, answer questions about their veteran status, and reveal all sorts of personal details. Meanwhile, invisible pixels are recording all of this activity and sending it to companies like Meta and TikTok. That's why employers are becoming the biggest targets in what's turning into one of the biggest privacy crises of 2026.

What Is Pixel Tracking, and Why Should Anyone Care?

Let's start with the basics. A pixel is a tiny, invisible image file (sometimes just one pixel big, which is why it has that name). When you embed a pixel on your website, something magical and terrifying happens: every time someone visits that page, the pixel "fires," meaning it sends information about that visitor to another company.

That information usually includes your IP address (which can reveal your location), what device you're using, when you visited, what you clicked on, and sometimes what you typed into forms. Facebook pixels, TikTok pixels, Google pixels etc.. these are all doing the same thing. They're watching.

Here's the thing: This tracking is happening without most visitors even knowing about it. Companies hide these trackers in their privacy policies, buried in dense legal language. Some websites don't even mention them at all. Visitors click "agree" to vague terms without understanding that they've just consented to being monitored by advertising companies.

For job applicants specifically, this becomes genuinely creepy. Imagine you apply for a job and disclose that you have a disability and need accommodations. That information gets tracked. Or you reveal that you're a military veteran. That gets tracked too. Your sensitive personal information is being collected and sent to advertising companies, often without any real consent.

Why This Is Becoming a Legal Nightmare

Three main laws are being used to sue companies over this tracking, and each one allows for huge financial penalties.

The first is an old California law about wiretapping. It was written back in 1967 to stop people from illegally listening to telephone calls. But lawyers figured out that you can use this law to sue companies over website tracking. Here's the argument: A pixel that collects your IP address and device information is basically doing the same thing as an illegal wiretap. It's capturing information about your activity without permission. The law allows victims to sue for $5,000 per violation. If 10,000 people visited a website with a tracking pixel, that's $50 million in potential damages, even if nobody can prove they were actually harmed.

The second law is the Video Privacy Protection Act from 1988. This was originally written to protect people's video rental privacy. It came after a Supreme Court nominee's video rental records were leaked to the press. Lawyers are now using this law to sue companies that track what videos people watch on their websites. Courts are awarding $2,500 per violation. In one recent case called Carbone v. Limited Run Games, a court ordered a company to pay $2.72 million to settle claims that it was tracking video watching without permission.

The third issue involves state wiretapping laws. Many states have laws saying that if you're going to record or intercept someone's communications, you need permission from everyone involved in the conversation. Some states have even stricter rules and they require consent from every single party. When a pixel tracks information being sent from a visitor's computer to a company's server, plaintiffs' lawyers argue that's "interception" of communications, and it violates these wiretapping laws.

The Court Cases That Changed Everything

For most of 2025, companies thought they were safe. They had privacy policies. They had consent banners. They believed this was enough. Then a case called Camplisson v. Adidas came along and changed everything.

Adidas had TikTok and Microsoft Bing pixels tracking activity on their website. They argued that this should be legal because:

1 - they had a privacy policy,

2 - they were only collecting basic information like IP addresses, not super sensitive stuff, and

3 - visitors had implicitly consented by using the website.

The court said no to all three arguments. The court decided that even if you're only collecting basic information like IP addresses, that's still illegal tracking without proper consent. A privacy policy buried in the footer doesn't count as real consent. People have to actively say yes before any tracking happens. And most importantly, the court said that it doesn't matter if the information collected seems sensitive or not. The violation itself is the harm.

This decision opened the floodgates. If Adidas couldn't get away with basic pixel tracking even with a privacy policy, could anyone? Other courts started reaching similar conclusions. In another case called Wright v. TrueCareProperty Holdings, a court let a lawsuit proceed where a woman claimed that Meta Pixel was tracking her hospital visit. The court agreed that this seemed like a legal violation worth taking seriously.

But not every court has agreed. Some courts in Massachusetts and other parts of the country have said that ordinary website browsing shouldn't be protected by old wiretapping laws. One case involving GameStop said that just tracking mouse clicks and cart activity probably isn't illegal. The problem is that careers pages are different. They involve genuinely sensitive information, so these defenses are weaker.

Why Job Applicants Are the Biggest Risk

If you're an employer, your careers page is now your most legally dangerous web property. Here's why: Most employers who use pixels are tracking them on pages where people reveal the most sensitive information about themselves.

A retail company's product page? Someone might click around and look at items. But a job application page is different. People are uploading resumes with personal information, answering questions about medical conditions and disabilities, revealing their military service, and sometimes typing personal information into free-text fields. All of this activity is being tracked and sent to advertising companies.

Federal contractors face even bigger problems. The government requires them to ask applicants questions about whether they have disabilities or are veterans. The government also wants them to accommodate people's medical needs during the application process. When companies put tracking pixels on these pages, they're potentially transmitting protected information about people's health and military status to Meta and TikTok. To a plaintiff's lawyer, this looks like a massive privacy violation.

The practical reality makes this even worse. Most companies have no idea what pixels are actually firing on their websites. A marketing vendor installed something years ago. A web developer added tracking code without telling anyone. Nobody in the legal or compliance department knows what's happening. The company's privacy policy says one thing, but the website is actually doing something completely different. When a lawyer discovers this mismatch (which happens constantly) it looks like intentional deception, and that makes damages higher.

What Companies Should Do Right Now

If you're running a website with tracking pixels, here are the practical steps to protect yourself:

1. Figure out what's actually tracking on your site. Do a complete audit. Find every pixel, cookie, analytics tool, and tracking script currently firing on your website. Write down exactly what information each one collects, when it fires, and where that information goes. Most companies discover they're tracking way more than they thought. Many find pixels that nobody can even explain anymore.
2. Fix your consent system. A privacy policy link in the footer is not consent. You need a cookie banner or something similar that actually requires people to actively click and agree before any tracking happens. The language needs to be clear and specific and not legal jargon, but plain English explaining what tracking is happening and why. And you have to give people a real choice. Some websites use "dark patterns," which means they make it easy to say yes but hard to say no. Courts are catching on to this, and it backfires badly.
3. Update your privacy policy. Make sure it actually describes what's really happening on your website, not what you wish was happening. Include the names of tracking companies that receive data. Be honest.
4. Remove unnecessary tracking. This is the big one. Get rid of Meta and other advertising pixels from your careers page, benefits portal, or any page where you're collecting sensitive information. If you're not using a tracking tool for a legitimate business purpose, delete it. The fewer pixels firing, the lower your legal risk. Most companies find they can delete 50% or more of their tracking without impacting their business.

The bottom line is simple: Your website visitors didn't agree to be watched by advertising companies, and courts are increasingly deciding that watching them anyway is illegal. Companies that act now to fix their tracking can avoid the demand letters and lawsuits that are coming for everyone else.