A class action lawsuit filed on March 12, 2026, in the U.S. District Court for the Northern District of California alleges that Ace Hardware Corporation continued collecting and transmitting detailed user data even after visitors to its website explicitly rejected all non-essential cookies. The case, Pflaumer v. Ace Hardware Corporation, Case No. 26-cv-2151, was assigned to Judge Edward J. Davila in the San Jose Division.

The complaint, filed by law firms Janove PLLC and Levi & Korsinsky LLP, names three plaintiffs - Scott Pflaumer of California, Hans Cummings of Indiana, and Mark Rosenthal of Colorado - each representing a broader class of affected consumers. According to the complaint, the amount in controversy exceeds $5 million, exclusive of interest and costs.

The gap between the banner and the code

The lawsuit centers on a technical contradiction. Ace Hardware operates acehardware.com, a commercial website through which users browse hardware products, tools, home improvement supplies, and lawn and garden equipment. Like most modern e-commerce sites, the website displays a cookie banner and a "Cookie Settings" interface, purporting to give visitors meaningful control over what data the site shares with third parties.

According to the complaint, that control is illusory. The site begins placing and transmitting cookies and other third-party tracking technologies the moment a user visits - before the cookie banner can even be interacted with. According to the filing, "the Website begins placing and transmitting cookies and other third-party tracking technologies capable of transmitting users' data the moment users visit the Website, before they can interact with the Cookie Banner."

This timing matters technically. The complaint explains how browsers process webpage data in a mechanism called "parsing" - converting raw data received over the internet into structured objects used to render the visual display. Because parsing begins immediately as data packets arrive, any tracking script embedded early in the HTML executes before the page finishes loading. According to the legal filing, unless a software command is "physically last to arrive at a device, it is loaded and executed before the communication has finished being received." In practice, this means a tracking pixel or analytics tag embedded at the top of a webpage's code fires before a user sees any consent interface at all.

The Cookie Settings page on acehardware.com offered three mechanisms to disable tracking: clicking a "Necessary Cookies Only" button in the banner, toggling off "Share or sale of personal data" in the settings, and clicking the same button within the settings interface. According to the complaint, all three actions were supposed to produce the same result - limiting the site to strictly functional cookies and disabling the sale or sharing of personal data. None of them worked as described, the plaintiffs allege.

Google Analytics and the search intercept

The complaint identifies Google Analytics as one of the two primary tracking tools at the center of the case. According to the filing, Google Analytics "invisibly collects data about user interactions with a website, including link clicks, button clicks, form submissions, conversions, shopping cart abandonment, adding items to carts, removing items from carts, file downloads, scrolling."

The technical mechanism is specific. The complaint describes how Ace Hardware's implementation of Google Analytics involves a first-party cookie called "_ga," which contains a unique identifier. The complaint states the "_ga" cookie placed by the website for a test user was "GA1.1.2114169123.1773167047," with a corresponding "cid" value of "2114169123.1773167047" - the same identifier with the "GA1.1" prefix stripped. According to the filing, "the '_ga' cookie identifies specific users to Google, allowing Google to intercept the contents of users' communications on the Website and associate them with a specific profile."

The complaint includes a striking example. A test search made on acehardware.com for the term "power tools" resulted in Google Analytics intercepting that search query and redirecting it to Google, even after the user had declined non-essential cookies. Search terms, email addresses, the value of products purchased, and purchase currency can all be transmitted as parameters in this way, according to the filing.

According to the complaint, Google's tracking tools are not implemented by Google itself but require "several affirmative steps on the part of the website owner to implement and to effectuate their data sharing." That framing is legally significant: it positions Ace Hardware as the party that chose to deploy and configure these tools, not merely a passive host.

Bazaarvoice's BV Pixel

The second major tracking tool named in the complaint is the Bazaarvoice BV Pixel. Bazaarvoice is primarily known as a ratings and review platform that allows e-commerce website owners to manage and display product reviews. But it also offers an analytics integration called the BV Pixel, which enables website owners to collect and monitor user behavior.

According to the complaint, the BV Pixel captures user events such as product purchases, interactions with Bazaarvoice user reviews, and views of product pages containing Bazaarvoice content. The pixel goes further when configured to collect personally identifiable information. According to the filing, "when a user triggers a transaction or conversion event, the BV Pixel is required to send the user's email address, locale, nickname, and 'userId.'" Bazaarvoice also uses first-party cookies to consistently track users across sessions on the site, the complaint states.

Plaintiffs' specific visits

The three plaintiffs each describe concrete experiences that form the factual record of the case.

Scott Pflaumer, a resident of San Jose County, California, first visited acehardware.com around May 2025 to browse screwdriver product information. He does not maintain an account with Ace Hardware and has made no purchases through the site. He consistently declines non-essential cookies on all websites as a personal privacy practice and did so on Ace Hardware's site. On February 25, 2026, he revisited the site specifically in connection with the investigation of this case, again declined all non-essential cookies, and according to the complaint, the tracking tools continued operating regardless.

Hans Cummings, an Indiana resident, visited the website around February 2026 for browsing purposes. Unlike Pflaumer, Cummings maintains an account with Ace Hardware and has made purchases online and picked them up in store. On February 24, 2026, he revisited for the case investigation and declined all non-essential cookies. According to the complaint, the tracking tools transmitted his browsing activity, device identifiers, and related metadata to tracking entities anyway.

Mark Rosenthal, a Colorado resident, visited around January 2026 and reviewed barbecue product information. He maintains an account and uses Ace Hardware's mobile application. He declined non-essential cookies during that visit. The complaint alleges the same tracking behavior occurred despite his rejection.

All three plaintiffs say they visited in reliance on Ace Hardware's representations that declining non-essential cookies would disable marketing and tracking technologies.

The legal theories in the complaint are layered and span federal and state law. At the federal level, the complaint alleges violations of the Federal Wiretap Act, codified at 18 U.S.C. § 2510 et seq. The wiretap act prohibits the intentional interception of any wire, oral, or electronic communication without the consent of at least one authorized party. According to the filing, courts analyze claims under California's CIPA (California Invasion of Privacy Act) using the same framework applied to the federal wiretap act, citing Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 127 (N.D. Cal. 2020).

CIPA § 631(a) prohibits several forms of unlawful interception, including intentionally tapping a communication, willfully attempting to learn the contents or meaning of a communication in transit, and employing or agreeing with any person to do these things. The complaint also invokes CIPA § 638.51, which addresses unlawful use of a pen register or trap and trace device. According to the filing, the tracking technologies function as pen registers because they capture not just communication contents but also metadata - which pages were visited, what was searched, what was clicked, when, and how.

Beyond privacy statutes, the complaint includes claims under the California Consumer Legal Remedies Act (Civil Code § 1750), the California Unfair Competition Law (Business & Professions Code § 17200), and common law theories including invasion of privacy, intrusion upon seclusion, fraud and deceit, and unjust enrichment.

The federal jurisdiction is grounded in 28 U.S.C. § 1331 (federal question) and 28 U.S.C. § 1332(d)(2) (Class Action Fairness Act). The complaint states the amount in controversy exceeds $5 million, the class has more than 100 members, and there is minimal diversity of citizenship - satisfying the thresholds for CAFA jurisdiction.

The complaint quotes the language from Ace Hardware's own Cookie Settings interface. According to the filing, the page stated: "Under the CCPA and other applicable state laws, you have the right to opt-out of the sale or sharing of your personal information to third parties... You may exercise your right to opt out of the sale or sharing of personal information by toggling this switch to the left and selecting 'Confirm My Choices'. This will prevent further cookies from being placed on your device."

That language explicitly invokes the California Consumer Privacy Act and its opt-out framework. But according to the complaint, the promise was hollow. The complaint describes a situation where Ace Hardware's website "lulls users into a false sense of security, privacy, and control while simultaneously enabling third parties to monitor, intercept, and transmit users' online behavior in real time."

The complaint also notes the commercial logic driving the tracking. According to the filing, tracking tools "serve numerous commercial purposes, including: (i) analytics, such as measuring user engagement and website performance; (ii) personalization, including remembering user preferences; (iii) advertising and targeting, including delivering targeted or behavioral advertisements based on user profiles; and (iv) social media integration." The filing states that "tracking tools enable Defendant and Tracking Entities to earn more money and enhance marketing effectiveness through the collection, analysis, and dissemination of users' Sensitive Information."

Class definitions and relief sought

The complaint defines multiple classes. The broadest is a nationwide class of consumers who visited acehardware.com during the applicable limitations period and whose electronic communications were intercepted through the defendant's tracking tools. A California Subclass is defined as all consumers who visited and interacted with the website while located in California during the same period and whose communications were intercepted, disclosed, or shared through the tracking tools.

The plaintiffs are represented by Raphael Janove of Janove PLLC, based at 115 Broadway, 5th Floor, New York, and Edward Korsinsky of Levi & Korsinsky LLP, based at 33 Whitehall Street, 27th Floor, New York. Levi & Korsinsky's attorney appears pro hac vice. The complaint demands a jury trial.

Why the marketing industry is watching

The Ace Hardware case arrives at a moment of intensifying scrutiny over the gap between published privacy controls and technical implementation. For digital marketers and ad tech professionals, the case touches directly on infrastructure they manage daily.

The Healthline settlement of $1.55 million in July 2025 - which at the time marked the largest CCPA monetary penalty - established that even a "triple opt-out" through cookie banners, privacy links, and Global Privacy Control signals is not sufficient if tracking scripts continue firing on the backend. In that case, investigators observed 118 cookies from advertising companies still being placed after opt-out, transmitting data including sensitive health article titles.

California's privacy law updates that took effect January 1, 2026 expanded the consent requirements further, requiring companies to enter into specific agreements with any third party receiving consumer data and restricting how that data can be used. The Ace Hardware filing, made on March 12, 2026, takes place in the first quarter after those updated requirements became operative.

The German court ruling on Google Tag Manager in March 2025 from the Verwaltungsgericht Hannover found that the tool "automatically activates during page loading, storing JavaScript files on user devices and establishing connections to external servers before any consent interaction occurs." That ruling's analysis is strikingly parallel to the factual theory in the Ace Hardware complaint - both focus on the problem of scripts executing before users can interact with consent interfaces.

LinkedIn class action filed April 6, 2026, just days before this article, brought similar claims under the Federal Wiretap Act and CIPA, alleging LinkedIn's browser scanning system transmitted device fingerprints without disclosure. That case also invokes CIPA § 638.51's pen register provisions and California constitutional privacy protections. The Ace Hardware case draws on the same legal architecture.

For advertising and marketing technology professionals, the case highlights a specific operational risk: the timing of when tracking tags fire relative to when consent is collected and honored. A site may have a technically compliant consent management platform that functions correctly in isolation, but if the consent signal does not propagate back to every individual tag before that tag fires, the legal exposure described in the Ace Hardware complaint may still exist.

Ace Hardware Corporation is incorporated under Delaware law with its principal place of business in Oak Brook, Illinois. The company has not publicly commented on the complaint.

Timeline

  • May 2025 - Plaintiff Scott Pflaumer first visits acehardware.com, declines non-essential cookies, browses screwdriver product information
  • January 2026 - Plaintiff Mark Rosenthal visits acehardware.com, declines non-essential cookies, browses barbecue products
  • January 1, 2026 - California's updated CCPA requirements take effect, expanding consent rules for data transfers to third parties
  • February 2026 - Plaintiff Hans Cummings visits acehardware.com, declines non-essential cookies
  • February 17, 2026 - Plaintiffs' attorneys conduct technical investigation of acehardware.com, researching URL encoding, cookie behavior, and tracking tool operation
  • February 24, 2026 - Plaintiff Cummings revisits acehardware.com for investigation purposes; tracking tools continue despite cookie opt-out
  • February 25, 2026 - Plaintiff Pflaumer revisits acehardware.com for investigation purposes; tracking tools continue despite cookie opt-out
  • February 26, 2026 - Attorneys access Google cookie policy documentation as part of investigation
  • March 12, 2026 - Pflaumer v. Ace Hardware Corporation, Case No. 26-cv-2151, filed in the U.S. District Court for the Northern District of California, before Judge Edward J. Davila
  • April 6, 2026 - Ganan v. LinkedIn Corporation filed in the same court, raising parallel CIPA and Federal Wiretap Act claims over covert browser scanning

Related PPC Land coverage:

Summary

Who: Three plaintiffs - Scott Pflaumer (California), Hans Cummings (Indiana), and Mark Rosenthal (Colorado) - filed a class action on behalf of a nationwide class and a California subclass against Ace Hardware Corporation, represented by Janove PLLC and Levi & Korsinsky LLP.

What: The complaint alleges Ace Hardware deployed third-party tracking tools, specifically Google Analytics and the Bazaarvoice BV Pixel, that intercepted, recorded, and transmitted users' browsing activity, device identifiers, search terms, and related metadata to third parties - even after those users explicitly opted out of non-essential cookies through the website's consent interface. The case asserts violations of the Federal Wiretap Act, California's Invasion of Privacy Act (CIPA §§ 631 and 638.51), the California Consumer Legal Remedies Act, the California Unfair Competition Law, and common law privacy torts.

When: The complaint was filed on March 12, 2026. The plaintiffs' visits to acehardware.com took place between May 2025 and February 2026. The investigation visits that form the technical evidence base occurred on February 24 and February 25, 2026.

Where: The case is filed in the U.S. District Court for the Northern District of California, San Jose Division, as Case No. 5:26-cv-02151-EJD. Ace Hardware is incorporated in Delaware with its principal place of business in Oak Brook, Illinois.

Why: The complaint argues that the gap between what acehardware.com's Cookie Settings promised - specifically invoking CCPA opt-out language - and what the tracking code actually did constitutes fraud and unauthorized interception. According to the complaint, the commercial purpose of the tracking is to build detailed user profiles for advertising targeting and to enhance the marketing effectiveness of both Ace Hardware and the companies operating the tracking tools. The plaintiffs argue that by representing users could control their data and then continuing to collect and share it regardless, Ace Hardware deprived them of a meaningful privacy choice they had reason to believe they were exercising.

Share this article
The link has been copied!