Class Action Accuses Fannie Mae of Tracking Website Visitors Who Rejected Cookies

The Federal National Mortgage Association, better known as Fannie Mae, has been named in a new class‑action lawsuit filed in San Francisco federal court. The complaint alleges that, despite a clear “reject all” option on its website, the lender continued to fire Microsoft Clarity analytics and LinkedIn advertising cookies after a user opted out. Plaintiffs claim the tracking captured browsing history, device details, IP address and precise location, violating the California Invasion of Privacy Act and related statutes. The filing seeks statutory damages exceeding $5 million, underscoring the growing scrutiny of consent‑banner compliance.

For mortgage‑finance companies, the case strikes at the heart of digital marketing strategies that rely on granular user data to target prospective borrowers. By allegedly harvesting information from users who expressly declined non‑essential cookies, Fannie Mae is accused of turning privacy promises into a revenue‑generating tool. If the court upholds the claims, lenders could face costly penalties and be forced to redesign data‑collection pipelines, potentially limiting the effectiveness of program‑matic ads that drive loan applications. The lawsuit also puts Microsoft’s third‑party tools under the spotlight, raising questions about vendor responsibility.

The broader lesson for any consumer‑facing website is clear: consent mechanisms must be technically enforceable, not merely cosmetic. Companies should audit their tag managers, verify that opt‑out signals cascade to all analytics and advertising scripts, and document compliance procedures. As California courts continue to champion privacy rights, similar actions are likely to emerge in other jurisdictions, prompting a wave of stricter enforcement. Proactive measures—such as server‑side consent handling and regular third‑party code reviews—can mitigate legal exposure while preserving the ability to engage users responsibly.