The Trade Desk, a major ad technology company, is being sued in federal court for allegedly collecting sensitive personal information from millions of Americans without their knowledge or consent. Specifically, the lawsuits claim that Trade Desk’s tracking tools—called Unified ID 2.0 (UID2) and Adsrvr Pixel—intercept email addresses and phone numbers from web pages and use this data to build detailed consumer profiles that follow users across the internet. For example, if you visit a retailer’s website and enter your email to check out, Trade Desk’s technology may capture that email and use it to track your activity on thousands of other websites, enabling advertisers to target you based on your browsing habits, location data, and shopping behavior.
The litigation centers on Trade Desk’s business model as both a demand-side platform (DSP) that buys ads and a data broker that collects and shares consumer information with third parties. According to the plaintiffs, Trade Desk has violated California’s Invasion of Privacy Act by conducting unauthorized interception of electronic communications—essentially wiretapping by collecting identifiable personal information without proper disclosure or consent. The case was consolidated in the Northern District of California in June 2025, with the court denying Trade Desk’s initial motion to dismiss in December 2025, allowing the claims to proceed toward discovery and potential settlement. This litigation represents one of the most significant privacy challenges facing the ad technology industry in recent years, raising fundamental questions about how companies can legally collect and use personal data in digital advertising.
Table of Contents
- How Does Trade Desk Collect Data Without User Consent?
- What Are the Legal Violations Alleged in the Lawsuits?
- What Is UID2 and Why Does It Matter?
- What Should Consumers Know About Their Privacy Rights?
- What Are the Securities and Broader Business Impact Claims?
- What Has Happened in the Case So Far?
- What Comes Next and What Should You Watch For?
- Conclusion
How Does Trade Desk Collect Data Without User Consent?
Trade Desk operates in the background of the modern internet, collecting data through two primary mechanisms. The Adsrvr Pixel is embedded on thousands of websites and email systems, where it captures personally identifiable information—like email addresses entered into forms—and sends that data to Trade Desk’s servers. The Unified ID 2.0 (UID2) system takes this collected email and phone number data and uses it to create unique identifiers that allow Trade Desk to track the same person across different websites and devices. When you browse the web, these identifiers enable Trade Desk to follow your movements from a shopping site to a news site to a social media platform, all without you knowing it’s happening or having the ability to easily opt out. The real-world impact is significant.
If you shop for shoes on one website, Trade Desk’s technology can identify you and share that information with ad networks and data brokers, who then use it to show you shoe ads across the internet for weeks. But the tracking goes deeper: Trade Desk’s system combines this shopping data with your location history, online behavior patterns, and other digital footprints to create what plaintiffs describe as detailed “dossiers.” These profiles are sold to advertisers and other companies who use them to predict your behavior, target you with specific messages, or sell you to data brokers who compile and monetize this information. The critical issue is consent and disclosure. When you visit most websites, you don’t see a notice explaining that Trade Desk is collecting your email address or phone number. privacy policies may mention data collection in vague terms, but they typically don’t explain the specific tools being used or how your identifiable information flows to ad networks. This lack of transparency is central to the plaintiffs’ claim that Trade Desk violated privacy laws by collecting this data without meaningful consent.
What Are the Legal Violations Alleged in the Lawsuits?
The consolidated complaint filed in July 2025 asserts violations of California’s Invasion of Privacy Act (CIPA), specifically the wiretapping statute that prohibits unauthorized interception of electronic communications. This is a bold legal theory that treats Trade Desk’s data collection as if it were wiretapping a phone call—the idea being that when data flows through internet systems in ways that shouldn’t be intercepted, companies that intercept it without consent are breaking the law. The plaintiffs argue that Trade Desk intercepts email addresses and phone numbers from web pages and email systems where users had a reasonable expectation of privacy. Plaintiffs also argue Trade Desk violated FTC guidelines on high-risk data practices and failed to provide adequate disclosure of how it uses data in real-time bidding, the system where advertisers instantly bid for the right to show you an ad.
The lawsuits point out that Trade Desk’s privacy policies do not clearly explain that personal identifiers captured from one website are being used to create cross-platform tracking profiles. Additionally, plaintiffs claim Trade Desk failed to provide accessible opt-out mechanisms—meaning even if consumers wanted to prevent this tracking, there’s no easy way to do so. The limitation here is that consumer privacy cases are notoriously difficult to win because they require showing injury or damages, which courts have sometimes interpreted narrowly. The plaintiffs will need to demonstrate that consumers suffered real harm from this data collection and use.
What Is UID2 and Why Does It Matter?
Unified ID 2.0 is Trade Desk’s answer to the decline of third-party cookies, the old tracking mechanism that web browsers like Chrome, Firefox, and Safari have been phasing out. When browsers started blocking cookies due to privacy concerns, the ad technology industry scrambled to find new ways to track users. UID2 uses authenticated data—primarily email addresses and phone numbers—to create a unique identifier that functions like a digital fingerprint for tracking.
When you log into a website with your email, UID2 captures that identifier and can then recognize you across different sites and apps where UID2 is active. The problem, according to the litigation, is that UID2 enables the collection of sensitive personal information that was previously protected by being in logged-in accounts on individual websites. By linking email addresses across thousands of publishers and platforms, Trade Desk creates a more invasive tracking system than cookies ever were. For example, a publisher might implement UID2 expecting it to improve ad relevance on their own site, but the technology also enables Trade Desk to share that email-based identifier with ad networks and data brokers, creating an ecosystem where your identity is tracked and commodified far beyond what any individual website user would reasonably expect.
What Should Consumers Know About Their Privacy Rights?
Consumers have several legal protections that Trade Desk’s actions may have violated, depending on where they live. California residents are protected by strong privacy laws including CIPA and the California Consumer Privacy Act (CCPA), which give consumers the right to know what data companies collect about them, the right to delete that data, and the right to opt out of data sales. However, many consumers don’t realize these rights exist or how to exercise them because companies like Trade Desk operate in the background of the internet. The warning here is important: even if you feel you’ve been harmed by Trade Desk’s data collection, you need to understand that these lawsuits are opt-in class actions, meaning you typically need to actively join them to be eligible for a settlement.
If this case settles, eligible consumers may be able to receive compensation, though the amount per person in large privacy class actions is often modest—sometimes just a few dollars to a few hundred dollars per person. The comparison to understand is that while large companies may pay millions in settlements, that money is divided among hundreds of thousands or millions of affected consumers. Your actual recovery depends on factors like how many people join the class and whether the court approves the settlement. The tradeoff is that participating in litigation takes time—you need to submit a claim form and potentially wait years for the case to resolve—but the alternative is keeping your hands off entirely and allowing Trade Desk to face no consequences for practices that may have violated your rights.
What Are the Securities and Broader Business Impact Claims?
Beyond the consumer privacy litigation, Trade Desk is facing a separate securities class action lawsuit in the Central District of California alleging that the company made material misstatements about its Kokai platform adoption and revenue impact. This lawsuit reflects investor concerns that Trade Desk misrepresented how widely customers were adopting Kokai, a blockchain-based advertising platform, and how much revenue it was generating. While this is technically a different lawsuit from the data privacy litigation, it reflects broader scrutiny of Trade Desk’s business practices and the credibility of its revenue projections. Additionally, on June 5, 2026, the law firm Halper Sadeh LLC announced it was investigating whether Trade Desk’s officers and directors breached their fiduciary duties to shareholders.
This investigation suggests that even institutional investors are concerned about Trade Desk’s leadership and decision-making around these controversial practices. The limitation to understand is that Trade Desk has not been assessed any regulatory fines or penalties by the FTC or state privacy authorities as of June 2026, even though the company has faced these lawsuits. This doesn’t mean Trade Desk hasn’t violated privacy laws—it means regulatory bodies haven’t yet taken formal enforcement action. Trade Desk vigorously defended against these claims by filing a motion to dismiss, which the court denied on December 18, 2025, meaning the company must now respond to the allegations in full.
What Has Happened in the Case So Far?
The litigation started when plaintiffs filed initial complaints on March 28 and March 31, 2025, in federal court. The case moved relatively quickly, with the court consolidating all three actions into a single proceeding on June 18, 2025, and appointing Lieff Cabraser Heimann & Bernstein, LLP as interim lead counsel. The consolidated complaint was filed on July 18, 2025, laying out the full scope of allegations against Trade Desk. On December 18, 2025, the court rejected Trade Desk’s motion to dismiss (with the exception of the declaratory relief claim), a significant development that allowed the case to move forward.
Trade Desk filed its answer to the complaints on February 17, 2026, meaning the case is now in the discovery phase where both sides exchange evidence and conduct depositions. The timeline shows this is a relatively early-stage litigation. As of June 6, 2026—about a year after the initial filing—the case has not yet settled and no settlement announcement has been made. The parties are likely still exchanging initial disclosures and preparing for broader discovery, which typically takes many months or years. Discovery is the phase where the real nitty-gritty of the case is fought out, with plaintiffs’ lawyers seeking to obtain Trade Desk’s internal documents about how UID2 and Adsrvr Pixel work, what disclosures the company made, and how widespread the data collection was.
What Comes Next and What Should You Watch For?
The immediate next steps in this litigation involve extensive discovery, where both sides will obtain documents, depositions, and technical evidence about Trade Desk’s data practices. This phase typically takes 12 to 24 months or longer in complex cases. The plaintiffs will want to show how many people were affected by UID2 and Adsrvr Pixel tracking, what Trade Desk knew about the privacy implications, and whether the company deliberately obscured its data practices. Trade Desk will argue that its data collection was legal because it complied with applicable laws, that consumers had adequate notice through privacy policies, and that the data was used for standard advertising purposes.
A settlement could come at various points in the litigation. Some cases settle after discovery concludes but before trial, while others settle after summary judgment motions are decided. The amount of any settlement will likely depend on factors including the strength of the legal claims, the scope of injury to consumers, Trade Desk’s ability to pay, and the court’s assessment of the case. Given the scale of Trade Desk’s business and the millions of potentially affected consumers, a settlement could range from tens of millions to hundreds of millions of dollars, though any prediction at this stage is speculative. What’s clear is that this case represents a pivotal moment for the ad technology industry, potentially forcing companies to rethink how they collect and use personal data in light of emerging privacy concerns.
Conclusion
The Trade Desk data privacy litigation alleges that one of the ad technology industry’s largest companies has been secretly collecting sensitive personal information and using it to track millions of Americans across the internet without adequate disclosure or consent. The case raises fundamental questions about whether ad tech companies can legally build detailed consumer profiles using email addresses and phone numbers, and what obligations they have to inform consumers about these practices. While the case is still in early phases, the court’s denial of Trade Desk’s motion to dismiss in December 2025 suggests the plaintiffs have viable legal claims.
If you’ve been affected by this data collection and want to learn more about your rights, keep an eye on case developments and look for notices about claim deadlines if the case eventually settles. You can monitor updates through the Northern District of California court docket or through notices from the appointed lead counsel. The case may ultimately force significant changes to how ad technology companies operate, potentially requiring greater transparency and consumer control over personal data used in digital advertising.
You Might Also Like
- Oracle Data Breach Litigation Claims Customer Information Was Exposed
- Kaiser Privacy Settlement Claims Patient Website Data Was Shared With Third Parties
- Krispy Kreme Data Breach Settlement Claims Consumer Information Was Compromised
Open Settlements You Can Claim Now
Browse current class action settlements accepting claims — several require no proof of purchase: