How to Avoid Network-Traffic-Based Privacy Litigation
This article explains a class of website privacy claims that are based on observed network traffic rather than cookie storage, and outlines practical steps that can help reduce related risk.
In recent cases, some privacy demand letters have focused on outbound network requests made by a website, regardless of whether cookies were set, blocked, or nullified. These claims typically rely on what can be observed through standard browser developer tools rather than on stored identifiers or user profiles.
Common Litigation Pattern
Serial litigators frequently follow a consistent process to support these claims:
The plaintiff visits the website and interacts with the consent banner, often selecting Reject or adjusting preferences to opt out of non-essential categories.
They perform an on-site search using their own name or another unique identifier.
They monitor outbound network requests using browser developer tools.
They look for instances where the search term is embedded in a request URL, referrer header, or request payload and transmitted to third parties, such as analytics or monitoring vendors.
They allege that personal data was shared with third parties based on these network requests, even where cookies were blocked or nullified.
Importantly, these claims are frequently made without evidence of persistent identifiers, cookies, or stored user profiles. This is because hard-coded scripts, inline JavaScript, and template-embedded code can transmit data such as URL parameters without relying on client-side storage at all.
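The same check can be turned into a self-audit that the site owner runs before a plaintiff does. The block below is an added example, not code from the original article: it takes a HAR file exported from the browser's DevTools Network tab after repeating the steps above (reject on the banner, then search for a unique string) and reports every request to a host outside the first-party list whose URL, Referer header or POST body carries the probe term. The first-party host list, the vendor hostnames and the SAMPLE_HAR object are constructed for illustration and stand in for a real export.

```javascript
'use strict';

// Added example, not from the original article. Replays the plaintiff's check
// offline against a HAR export: which third-party requests carry the probe term?
// The first-party host list and the sample HAR below are assumptions/constructed.
const FIRST_PARTY_HOSTS = ['www.example-shop.test'];

function isThirdParty(url, firstParty = FIRST_PARTY_HOSTS) {
  const host = new URL(url).hostname;
  return !firstParty.some(h => host === h || host.endsWith('.' + h));
}

// Fold "Jane Doe", "Jane+Doe" and "Jane%20Doe" onto one spelling before matching.
function normalise(s) {
  let out = String(s);
  try { out = decodeURIComponent(out); } catch (_) { /* malformed escape: match raw */ }
  return out.replace(/\+/g, ' ').replace(/\s+/g, ' ').toLowerCase();
}

// Returns [{ host, where: ['url' | 'referer' | 'body', ...] }] for each
// third-party request in which the probe term appears.
function findLeaks(har, searchTerm, firstParty = FIRST_PARTY_HOSTS) {
  const needle = normalise(searchTerm);
  const findings = [];
  for (const entry of har.log.entries) {
    const req = entry.request;
    if (!/^https?:/i.test(req.url) || !isThirdParty(req.url, firstParty)) continue;
    const where = [];
    if (normalise(req.url).includes(needle)) where.push('url');
    const referer = (req.headers || []).find(h => h.name.toLowerCase() === 'referer');
    if (referer && normalise(referer.value).includes(needle)) where.push('referer');
    const body = req.postData && req.postData.text;
    if (body && normalise(body).includes(needle)) where.push('body');
    if (where.length) findings.push({ host: new URL(req.url).hostname, where });
  }
  return findings;
}

// Constructed sample: requests a page might make after an on-site search for "Jane Doe".
// Entry 1 is the first-party search; 2 leaks the term via URL and Referer; 3 via a
// JSON beacon body; 4 is a vendor script download that carries nothing.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: 'GET', url: 'https://www.example-shop.test/search?q=Jane+Doe', headers: [] } },
  { request: { method: 'GET',
               url: 'https://analytics.vendor-a.test/collect?dl=https%3A%2F%2Fwww.example-shop.test%2Fsearch%3Fq%3DJane%2BDoe',
               headers: [{ name: 'Referer', value: 'https://www.example-shop.test/search?q=Jane+Doe' }] } },
  { request: { method: 'POST', url: 'https://rum.vendor-b.test/beacon', headers: [],
               postData: { mimeType: 'application/json', text: '{"page":"/search","term":"jane doe"}' } } },
  { request: { method: 'GET', url: 'https://cdn.vendor-c.test/lib.js', headers: [] } },
] } };

console.log(JSON.stringify(findLeaks(SAMPLE_HAR, 'Jane Doe'), null, 2));
```

Against a real capture, parse the exported file with JSON.parse and pass the object to findLeaks. Each finding names a script to gate or a parameter to strip; an empty result after rejecting consent is the state the mitigations below aim for.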
Why Cookie Blocking Alone May Not Deter Wiretapping Allegations
Client-side cookie controls remain an important privacy safeguard, but they do not address all litigation exposure.
Hard-coded scripts and beacons may still execute even when consent is rejected.
URL parameters and search terms can appear in outbound requests, referrer headers, or request metadata.
Network requests can occur without cookies, and those cookie-less requests are often the sole technical evidence cited in these demand letters.
As a result, a website may be fully compliant at the cookie layer while still generating observable third-party network requests. In these cases, the relevant question is not whether a cookie was set, but whether JavaScript executed and generated a third-party transmission.
Mitigation Options to Consider
The goal of the mitigations below is to prevent non-essential JavaScript from executing and generating third-party network requests unless and until the appropriate consent has been granted.
Minimize or Strip Search Terms From URLs
Avoid passing user-entered search terms in URL query strings where possible.
Prefer POST-based search requests over URL-based queries.
Limit the propagation of query parameters to third-party requests and referrer headers, for example by setting a Referrer-Policy (such as strict-origin-when-cross-origin or no-referrer) so the query string is not sent in the Referer header to other origins, and by rewriting the page URL once the term has been read.
Reducing the visibility of search terms significantly lowers the likelihood that personal data appears in outbound network traffic. Even where additional controls are applied, this is a recommended first step.
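The three steps above, as an added browser-side example that is not code from the original article. stripSensitiveParams removes the listed parameters from a URL before it is handed to any vendor; takeSearchTermFromLocation reads the term for the page's own use and then rewrites the address bar with history.replaceState so that later requests, including the Referer header and the location.href that analytics tags read, no longer carry it; submitSearch sends the search itself as a POST body instead of a query string. The parameter names, the /search path and the example hosts are assumptions for illustration.

```javascript
'use strict';

// Added example, not from the original article. Keeps the search term out of
// the URL that analytics tags, Referer headers and bookmarks will carry.
// Parameter names and the /search path are assumptions for illustration.
const SENSITIVE_PARAMS = ['q', 'query', 'search', 's', 'name', 'email'];

// Returns `href` with every listed query parameter removed (name match is
// case-insensitive, all occurrences go), leaving other parameters and the
// fragment intact. With no parameters left, the trailing "?" is dropped too.
function stripSensitiveParams(href, names = SENSITIVE_PARAMS) {
  const url = new URL(href);
  const blocked = new Set(names.map(n => n.toLowerCase()));
  for (const key of [...url.searchParams.keys()]) {
    if (blocked.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  return url.toString();
}

// Guard to run before passing a page location into a vendor SDK config.
function carriesSensitiveParams(href, names = SENSITIVE_PARAMS) {
  return stripSensitiveParams(href, names) !== new URL(href).toString();
}

// In the browser: read the term once, then replace the address-bar URL so the
// term is gone from location.href and from the Referer of every later request.
// `win` is injectable so the function can be exercised with a fake window.
function takeSearchTermFromLocation(win = globalThis.window) {
  if (!win) return null;
  const current = win.location.href;
  const term = new URL(current).searchParams.get('q');
  const cleaned = stripSensitiveParams(current);
  if (cleaned !== current) win.history.replaceState(null, '', cleaned);
  return term;
}

// Prefer POST for the search itself: the term travels in the body, not the URL,
// so it never reaches the query string in the first place.
function submitSearch(term, fetchImpl = globalThis.fetch) {
  return fetchImpl('/search', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ q: term }),
  });
}
```

Modern browsers already default to strict-origin-when-cross-origin, which drops the path and query from cross-origin Referer headers, but an explicit Referrer-Policy header or a `<meta name="referrer">` tag removes the dependence on browser defaults, and the replaceState rewrite also keeps the term out of the full page URL that tags read from location.href rather than from the Referer.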
Centralize Third-Party Scripts Using Google Tag Manager (GTM)
Loading scripts through a tag manager enables tag-level governance and conditional execution.
Tags can be gated behind consent states instead of firing automatically on page load.
Scripts embedded directly in site templates or inline code are not governed by GTM and may require separate remediation.
Centralizing script execution improves visibility and control, but does not automatically address hard-coded or auto-initializing scripts.
Gate Non-Essential Scripts and Beacons Using Explicit Consent Logic
Identify scripts and beacons that execute outside your tag manager, including:
Inline JavaScript that issues requests directly, such as fetch(), navigator.sendBeacon(), XMLHttpRequest, or new Image() pixel beacons
Vendor SDKs that auto-initialize on page load
Hard-coded third-party scripts embedded directly in HTML
Then, apply explicit consent checks before loading or initializing non-essential scripts. Delay or suppress execution until the appropriate consent category has been granted.
This approach prevents JavaScript from executing and generating third-party network requests, even when no cookies are involved, and is particularly effective in reducing the types of network evidence relied upon in privacy demand letters.
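The consent check described in this section, as an added example that is not code from the original article or from any consent-management product. ConsentGate holds two kinds of non-essential work: defer() queues a loader (script injection, SDK init) until its category is granted and runs it immediately if consent is already present, while onlyIf() runs a beacon only when consent exists at call time and otherwise drops it, since firing a queued beacon minutes later would be misleading. The category names, vendor URLs and the `transport` hook standing in for navigator.sendBeacon or fetch are assumptions for illustration.

```javascript
'use strict';

// Added example, not from the original article. A minimal consent gate that
// keeps non-essential JavaScript from generating third-party requests until
// the matching category is granted. Categories, URLs and the `transport`
// hook (a stand-in for sendBeacon/fetch) are assumptions for illustration.
class ConsentGate {
  constructor() {
    this.granted = new Set();   // categories the user has opted in to
    this.pending = new Map();   // category -> loaders waiting for a grant
  }
  // Delay: run `task` now if the category is granted, otherwise queue it.
  defer(category, task) {
    if (this.granted.has(category)) { task(); return; }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push(task);
  }
  // Suppress: run `task` only if consent is present right now; never queue it.
  onlyIf(category, task) {
    if (!this.granted.has(category)) return false;
    task();
    return true;
  }
  grant(category) {
    this.granted.add(category);
    const tasks = this.pending.get(category) || [];
    this.pending.delete(category);
    for (const t of tasks) t();
  }
  revoke(category) { this.granted.delete(category); }
}

// Injects a vendor <script> tag. `doc` defaults to the page document when one
// exists, so the gate can also be exercised outside a browser (returns null).
function loadScript(src, doc = globalThis.document) {
  if (!doc) return null;
  const el = doc.createElement('script');
  el.src = src;
  el.async = true;
  doc.head.appendChild(el);
  return el;
}

// Wires the page's third-party calls through the gate instead of firing on load.
function wirePage(gate, transport) {
  gate.defer('analytics', () => transport('https://analytics.vendor-a.test/collect'));
  gate.defer('performance', () => loadScript('https://rum.vendor-b.test/rum.js'));
  return {
    // Error beacons are suppressed rather than delayed (see onlyIf).
    reportError: (msg) => gate.onlyIf('performance',
      () => transport('https://rum.vendor-b.test/error?m=' + encodeURIComponent(msg))),
  };
}

// Walks through a visit: page load, a dropped beacon, then two grants.
function demo() {
  const sent = [];
  const gate = new ConsentGate();
  const page = wirePage(gate, (url) => sent.push(url));
  const beforeConsent = sent.length;                  // 0: nothing fired on load
  const suppressed = page.reportError('boom');        // false: dropped, not queued
  gate.grant('analytics');                            // user accepts analytics only
  const afterAnalytics = sent.slice();                // just the analytics request
  gate.grant('performance');                          // later grant releases the RUM loader
  const afterPerformance = page.reportError('boom');  // true: sent now
  return { beforeConsent, suppressed, afterAnalytics, afterPerformance, total: sent.length };
}

console.log(JSON.stringify(demo()));
```

Every hard-coded vendor call found by the audit in the earlier section is rewritten as a gate.defer() or gate.onlyIf() call, and the consent banner's Accept/Reject handlers call grant() and revoke(); a vendor SDK that auto-initializes on include cannot be gated this way and has to be loaded through loadScript inside defer() instead of from a static script tag.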
