Every tracker the scanner flagged appears in active class actions under state wiretap statutes and state consumer-health-privacy laws. $100M+ has settled to date, and the docket is accelerating into independent practices. The fix isn't deleting the tags — it's sanitizing what crosses the wire to Meta and Google. Your campaigns keep running. The patient data stops at your boundary.
State wiretap statutes (CIPA in California, the Illinois Eavesdropping Act, New York Penal Law §250, Massachusetts Wiretap Act, Florida Security of Communications Act) treat the forwarding of visitor browsing data to Meta and Google as an interception of consumer health communications. State consumer-health-privacy laws (Washington MHMDA, Nevada SB 370, Connecticut health-data provisions) treat it as an unauthorized sale of consumer health data.
The plaintiff firms aren't pursuing this on theoretical grounds. They've already settled against hospital systems, multi-location MSOs, telehealth platforms, digital-health companies, and specialty pharmaceutical manufacturers — across multiple states.
$100M+ aggregate · public docket active 2026. Accelerated post-Dobbs and post-AHA v. Becerra (which collapsed the federal HIPAA defense to state-law claims). Most settlements pay out quietly through E&O and cyber liability insurance — which is why most practice owners hear about it from their carrier's renewal, not the news.
The short answer: no. The pattern at issue isn't about disclosure or consent — it's about what data crosses the wire to non-business-associate vendors. Standard consent infrastructure doesn't change that flow. Apex Vault does.
The other workaround a marketing team will pitch. Same trap.
"Use Facebook Lead Ads. The form lives on Facebook, data never leaves their platform, no tracking pixel on your site. Problem solved."
Facebook collects healthcare-context data on your behalf. Facebook does not sign a BAA for Lead Ads — meaning the data still leaves your compliance chain. The architectural pattern under state consumer-health-privacy laws is the same as a pixel on your own site. Same exposure, different surface.
Tracking events enter raw, leave sanitized. No matchable identifier ever crosses the wire to Meta, Google, or any ad platform. Your campaigns keep optimizing against aggregate conversion signal.
Pick the tier that matches your operating profile.
1–4 location practices. Multi-tenant deployment, templated BAA, 7-day install. Public pricing.
$5K + $1K–$2.5K/mo →5–25 location operators. Single-tenant, negotiated BAA, dedicated pen test pre-go-live. 9-week cycle.
Request tier sheet →Hospital systems, specialty pharma, multi-brand. Bespoke single-tenant, Letter of Attestation at go-live.
Request tier sheet →We walk you through what's currently firing on your site, what the architecture replaces it with, and what your ad performance looks like after deployment. No legal advice, no pressure — just the operational answer.