PNC Bank Secretly Shared Website Visitors’ Data With LinkedIn

PNC Financial Services Group, the Pittsburgh-based bank holding company and parent of PNC Bank, faces a cluster of class action lawsuits alleging it embedded third-party tracking pixels from LinkedIn, Pinterest, and X on its website and used them to intercept and record visitors’ electronic communications without their knowledge or consent. The lawsuits allege PNC violated the Pennsylvania Wiretap Act, the California Invasion of Privacy Act, and the Federal Wiretap Act by allowing outside companies to capture users’ mouse movements, clicks, page URLs, browsing behavior, and persistent identifiers in real time as they navigated the bank’s website, including its personal finance and account pages.

The lead case, Birdsall v. The PNC Financial Services Group Inc. (Case No. GD-25-009654), was filed on September 15, 2025, in the Court of Common Pleas of Allegheny County, Pennsylvania, and removed to federal court. A second suit, Erakat v. PNC Bank, National Association (Case No. 2:26-at-00581), was filed in the U.S. District Court for the Eastern District of California in April 2026, making parallel allegations about pixel tracking on PNC’s personal finance pages. Both cases are in early litigation. No class has been certified, no settlement has been reached, and no claims portal is open as of mid-2026.

PNC Bank Website Communications Lawsuit Timeline and Updates

Background — The Rise of Website Wiretap Litigation

The PNC Bank cases did not emerge in isolation. From 2022 onward, a wave of class action lawsuits targeted companies across every industry for embedding third-party tracking technologies on their websites without obtaining affirmative, informed consent from visitors. The legal theory driving these cases was that allowing a third-party vendor to intercept user communications in real time constitutes wiretapping under state and federal law, regardless of whether the tracked data resembles what the public traditionally thinks of as a “wiretap.”

The California Invasion of Privacy Act, which dates to 1967 but has been interpreted by courts to apply to digital communications, became the most litigated statute in this wave. The Pennsylvania Wiretap Act, one of the broadest wiretapping laws in the United States, requires all parties to a communication to consent before any interception occurs. Banks became high-priority targets because visitors to financial institution websites share uniquely sensitive behavioral signals: they search for mortgage rates, review loan products, check credit card eligibility, and navigate account management pages. That data, linked to an individual’s identity through persistent cookies or advertising platform profiles, has significant commercial value for lenders, insurers, and advertisers.

September 7–10, 2025 — PNC Discloses an Internal Data Incident

The legal pressure on PNC intensified in early September 2025, when the bank notified customers that sensitive information had been mistakenly provided to another PNC client without authorization due to an internal disclosure error. PNC began mailing breach notification letters on September 10, 2025, and disclosed the incident to the Massachusetts Attorney General’s office on September 16. Separately, a threat actor using the alias “Market Exchange” posted on a dark web marketplace on September 7, claiming to have exfiltrated 740,000 PNC customer records including names, email addresses, Social Security numbers, account types, and phone numbers.

PNC publicly disputed the dark web claim, stating that its investigation found no evidence of a breach of its systems by any external threat actor and that the internal data misrouting incident was unrelated to the threat actor’s post. The bank confirmed that the dark web listing did not reflect an actual compromise of customer data.

September 15, 2025 — Birdsall Files the Lead Website Wiretap Case

Leslie Birdsall filed Birdsall v. The PNC Financial Services Group Inc. on September 15, 2025, in the Court of Common Pleas of Allegheny County, Pennsylvania, the county that includes Pittsburgh, where PNC is headquartered. The complaint was filed by Nicholas A. Colella of Lynch Carpenter LLP, a firm that has brought multiple digital privacy cases. The case number is GD-25-009654.

Birdsall alleged that PNC embedded LinkedIn’s Insight Tag, a proprietary tracking code offered by LinkedIn to advertisers and marketers, on pages across its website. The Insight Tag operates by dropping a cookie in the visitor’s browser, then transmitting behavioral data back to LinkedIn’s servers in real time as the visitor navigates the site. That data includes mouse movements, clicks, page views, and time spent on each page. LinkedIn then matches that behavioral data to LinkedIn user profiles, allowing PNC to build advertising audiences based on the professional and personal identity information LinkedIn holds on its members.

The complaint alleged this process constitutes unauthorized interception of electronic communications under the Pennsylvania Wiretap Act, which prohibits any person from intentionally intercepting any wire, electronic, or oral communication. Because LinkedIn is a third party receiving the data, Birdsall’s attorneys argued LinkedIn functions as an eavesdropper under the statute, and that PNC’s deliberate installation of the Insight Tag made PNC the party responsible for enabling that interception. The suit also alleged invasion of privacy and sought declaratory and injunctive relief along with actual, statutory, compensatory, consequential, punitive, and nominal damages on behalf of all Pennsylvania residents who visited PNC’s website while the tracking code was active.

September 23–28, 2025 — Data Breach Case Filed and Quickly Dismissed

Separately from the website tracking lawsuit, plaintiff Madonna Blunt filed a class action in the U.S. District Court for the Western District of Pennsylvania (Case No. 2:25-cv-01469) on September 23, 2025, alleging PNC failed to protect 740,000 customers’ personally identifiable information. The Blunt lawsuit relied on the dark web claim by Market Exchange as evidence of a breach broader than the internal error PNC had disclosed. PNC contested the allegation, and after the bank completed its investigation and confirmed no external breach had occurred, Blunt voluntarily dismissed the case on September 28, 2025, less than one week after filing. The data breach lawsuit is closed.

Late 2025 — Birdsall Case Removed to Federal Court

PNC removed the Birdsall case from Pennsylvania state court to federal court, a common procedural move by corporate defendants in class actions. Removal invokes federal jurisdiction and allows the defendant to seek dismissal under federal pleading standards. As of early 2026, the Birdsall case was pending in federal court with no ruling on class certification and no settlement reached.

April 2026 — Second PNC Pixel Tracking Case Filed in California

Plaintiff Shahd Erakat filed a second class action targeting PNC’s website tracking in the U.S. District Court for the Eastern District of California in April 2026 (Case No. 2:26-at-00581). The California complaint targeted a broader set of tracking tools than the Pennsylvania case. Erakat alleged that PNC embedded pixel trackers operated by Pinterest, LinkedIn, and X on its personal finance pages, and that these tools captured users’ browsing activity including the full URLs of pages visited, which on a banking website can reveal the specific financial products a user was researching. The California suit alleged violations of CIPA and the Federal Wiretap Act. The case was filed as part of a wave of April 2026 pixel tracking lawsuits that also named Hilton, Wells Fargo, and LinkedIn itself as defendants in separate actions.

What the Lawsuits Allege: How the Tracking Works

Both PNC cases center on the same fundamental complaint: the bank embedded code from third-party companies on its website that caused those companies to receive detailed information about every visitor’s behavior, without the visitor’s knowledge or consent.

LinkedIn’s Insight Tag. The Insight Tag is a JavaScript snippet that advertisers add to their websites to measure the effectiveness of LinkedIn ad campaigns and build remarketing audiences. When a visitor lands on a page where the Insight Tag is installed, LinkedIn’s servers receive a notification including the visitor’s IP address, device type, browser, and the URL of the page visited. If the visitor is logged into LinkedIn, the Insight Tag can link that behavioral data to the visitor’s LinkedIn profile, effectively identifying them by name, employer, job title, and professional history. Birdsall’s complaint alleges that this matching to LinkedIn profiles happened across PNC’s website without any disclosure to visitors and without any consent mechanism in place.

Pinterest and X (formerly Twitter) pixels. The Erakat complaint in California targets additional platforms. Pinterest’s pixel and X’s pixel operate on the same model: code embedded on the publisher’s website causes those platforms’ servers to receive real-time data about visitor behavior, which the platforms use to match against their own user profiles for ad targeting purposes. On a banking website, Erakat argues, these pixels captured not just general browsing but financial product research, which is information of heightened sensitivity under consumer financial privacy law.

Why “wiretapping” applies. The central legal theory in both cases is that the tracking did not merely collect data after the fact but intercepted communications in transit, in real time, as users were browsing. The Pennsylvania Wiretap Act and CIPA both cover the real-time interception of electronic communications. Courts handling similar cases in 2024 and 2025 expanded the definition of “communication” to include the transmission of data between a user’s browser and a web server, bringing pixel tracking within the statutes’ reach. The legal pivot from “advertising analytics” to “wiretapping” depends on whether a court finds that the third-party pixel’s data capture qualifies as real-time interception, a question that has produced conflicting rulings across different jurisdictions and factual contexts.

The Legal Framework: Pennsylvania Wiretap Act, CIPA, and Federal Law

The PNC lawsuits invoke three overlapping legal frameworks, each of which treats the unauthorized interception of communications differently.

Pennsylvania Wiretap Act. Pennsylvania’s wiretap statute is one of the most protective in the country. It is an all-party consent law, meaning all parties to a communication must consent to its interception. This is stricter than the federal standard, which requires only one-party consent in most contexts. The Pennsylvania law covers wire, oral, and electronic communications and prohibits intentional interception, disclosure, or use of such communications. Birdsall’s complaint argues that PNC’s deliberate installation of the LinkedIn Insight Tag constitutes intentional interception under the statute, with LinkedIn acting as the eavesdropping third party. Statutory damages under the Pennsylvania Wiretap Act can be significant: the law provides for damages of the greater of actual damages or statutory damages of $1,000, plus punitive damages and attorney’s fees, per violation.

California Invasion of Privacy Act. CIPA, enacted in 1967 and regularly expanded by California courts, prohibits the recording of confidential communications without the consent of all parties. The statute has two key sections relevant to pixel tracking cases. Section 631 targets wiretapping, defined as the intentional reading or learning of the contents of a communication without the consent of all parties. Section 638.51 covers pen register devices, which capture the addressing and routing information of communications rather than their content. Courts in 2025 ruled in different directions on whether pixel tracking constitutes a Section 631 violation, with some finding the real-time interception element is not met because the captured data becomes readable only after storage. Section 638.51 pen register claims have fared better in recent rulings because they require only that addressing information was captured without consent.

Federal Wiretap Act. The Electronic Communications Privacy Act, which includes the Federal Wiretap Act at 18 U.S.C. § 2511, prohibits the intentional interception of wire or electronic communications. Unlike CIPA and the Pennsylvania statute, it requires that the defendant intentionally intercept a communication, and courts have split on whether embedding third-party analytics code qualifies as intentional interception by the website operator. The Ninth Circuit dismissed a website pixel case in August 2025 on standing grounds, finding the plaintiff could not demonstrate a concrete, particularized injury, a ruling that may affect similar cases in federal courts.

What Makes the PNC Cases Different From Other Bank Tracking Suits

PNC is far from the only financial institution facing digital privacy litigation. Wells Fargo faced a nearly identical April 2026 pixel tracking lawsuit in the Eastern District of California filed by Erakat’s attorneys. Bank of America, JPMorgan Chase, and other major institutions have faced similar claims in various states. What distinguishes the PNC cases is their timing and the specific platforms named.

The LinkedIn Insight Tag is designed explicitly for B2B professional audience targeting. PNC’s use of it on a consumer banking website means the bank was collecting and transmitting data about consumers researching mortgage products, personal loans, or checking accounts to a platform whose primary purpose is professional networking and recruitment advertising. The profile data LinkedIn holds on its members, their employer, job title, industry, seniority, and professional history, is significantly more detailed and personally identifiable than the data held by general consumer advertising platforms. Linking a consumer’s visit to a bank’s personal finance pages to their professional identity raises distinct privacy concerns that a general-purpose analytics pixel does not.

The Pinterest and X pixels named in the California complaint add a further dimension. Those platforms’ audiences skew consumer rather than professional, but both operate advertising ecosystems that rely on cross-site tracking to build behavioral profiles. A visitor to PNC’s pages for auto loans, credit cards, or investment products generates signals that are commercially valuable to advertisers on those platforms, advertisers who may include PNC’s competitors in financial services.

Sazerac’s Defense and the Broader Litigation Landscape

PNC has not publicly addressed the specific allegations in the Birdsall or Erakat complaints. Defendants in website pixel cases typically advance several common defenses: that visitors consented to tracking through PNC’s privacy policy, accessible via links on the site; that the data captured does not constitute a “communication” under the relevant statutes; that the data capture was not “real-time interception” because data becomes readable only after transmission and storage; and that visitors lack standing because no concrete harm resulted from the tracking.

Courts have split significantly on all of these defenses. The standing defense gained support from the Ninth Circuit’s August 2025 ruling, which dismissed a CIPA case because the plaintiff failed to show concrete injury. The consent defense succeeded in a California case where the plaintiff had interacted with the website’s cookie banner. But the content-versus-routing distinction under Section 638.51 has produced multiple plaintiff victories, and Pennsylvania state courts have generally construed the Pennsylvania Wiretap Act broadly. California’s legislature was considering a bill, SB 690, that would create a safe harbor for pixel tracking compliant with the California Consumer Privacy Act, but the bill was not expected to take effect before 2027, leaving the litigation landscape active.

Who May Qualify and What Consumers Can Do Now

No settlement exists in either the Birdsall or the Erakat case as of mid-2026. That means there is no active claims portal and no form to submit. Consumers who believe they are affected cannot claim compensation at this time, but they can take steps to prepare for a potential settlement and to protect their privacy going forward.

Consumers who want to track the case’s progress can monitor court dockets through PACER for federal filings or Allegheny County court records for the original state filing. Class action monitoring services including ClassAction.org and TopClassActions.com publish updates when class certification motions are filed, settlement agreements are reached, or claims portals open. Once a settlement is approved by a court, a formal notice will be issued and a claims window will open for eligible class members to submit documentation.

On the privacy protection side, consumers can review the privacy policies of any bank or financial institution they use to determine whether those policies disclose the use of third-party tracking pixels, what data those pixels collect, and whether opt-out mechanisms are available. Browsers with ad blocker extensions or privacy-focused configurations can prevent many tracking pixels from loading, reducing exposure to this type of data collection regardless of the legal outcome.

What the PNC Cases Reveal About Banking and Digital Privacy

The PNC website communications lawsuits are part of a legal reckoning that the financial services industry was slower to anticipate than other sectors. Banks hold some of the most sensitive personal data that exists: income, debt, spending behavior, credit history, and account balances. The regulatory frameworks governing that data, the Gramm-Leach-Bliley Act and its implementing Privacy Rule, require clear disclosure of data sharing with third parties and give consumers limited opt-out rights. But those frameworks predate the pixel tracking era by two decades and do not address the real-time interception of behavioral data by advertising platforms during website sessions.

The gap between what financial privacy law governs and what modern digital advertising technology does has created the litigation environment in which cases like Birdsall and Erakat arise. When a visitor to PNC’s mortgage calculator page has their session intercepted by LinkedIn’s Insight Tag and matched to their professional profile, the resulting data set, a named individual with a known employer and title, researching a specific loan product at a specific bank, is far more detailed than anything the Gramm-Leach-Bliley Act was designed to regulate. State wiretapping laws, applied to digital communications, have become the plaintiff bar’s tool for addressing this gap.

The outcome of the Birdsall case in Pennsylvania will be particularly significant because Pennsylvania’s all-party consent statute is more protective than most, and a finding that LinkedIn’s Insight Tag installation violates it would have immediate implications for every bank and financial institution currently using the tool for advertising analytics in the state.

The pattern of companies using third-party tracking tools to build advertising profiles from sensitive consumer data without adequate disclosure is consistent across industries. The Life360 data monetization lawsuit raised similar questions about how a platform’s disclosed purpose, location sharing for family safety, diverged from its actual revenue model, which involved selling that location data to advertisers. In both cases, the gap between what users understood they had agreed to and what the company actually did with their data forms the core of the legal claim.

Cases where corporate data practices operate in the background, invisible to consumers until litigation makes them public, also parallel the Native shampoo PFAS lawsuit, where chemicals not disclosed to consumers were present in products they trusted with their personal information. In each case, the legal claim rests on the argument that what was happening was not what the consumer was led to believe.

Read These

• 72 Sold false advertising lawsuit
• Strava vs Garmin patent lawsuit
• Michael Jordan NASCAR antitrust lawsuit
• Panera Bread charged lemonade lawsuit
• Don Julio tequila lawsuit

What This Lawsuit Teaches Consumers

Most people who visit a bank’s website believe they are in a private interaction: reviewing their finances, researching a mortgage, or checking a loan rate. What the PNC Bank website communications lawsuits allege is that the interaction was not private at all. At the moment a page loaded, invisible code was transmitting behavioral data to LinkedIn and other advertising platforms, matching it to professional profiles, and feeding it into advertising systems that would follow the visitor across the internet.

This is not a theoretical privacy concern. The Insight Tag’s core function is identification: it is designed to match anonymous website visitors to named LinkedIn members. A bank embedding this code on its personal finance pages was, according to the plaintiffs, allowing a third party to identify who was looking at which financial products, building a dossier that neither the bank’s privacy policy fully disclosed nor the consumer expressly authorized.

The broader lesson is about the distance between a company’s published privacy policy and its actual data practices. Banks are obligated under the Gramm-Leach-Bliley Act to disclose their data sharing in an annual privacy notice. But tracking pixels embedded for advertising analytics may not appear prominently in those notices, and even when they are mentioned, the disclosure language often does not convey the extent to which behavioral data is linked to individual identity and used for marketing profiling. The PNC lawsuits are attempting to hold that gap to account under laws that predate the pixel era but whose plain language is broad enough to reach it.

Whether courts agree will determine not just PNC’s liability but whether the entire financial services industry’s standard practice of embedding advertising pixels on consumer-facing websites survives legal scrutiny. Given the volume of similar cases now pending against banks, insurers, and investment platforms across the country, the answer matters to every consumer who has ever visited a financial institution’s website and assumed the visit was between them and the bank.