Click "reject." Get tracked anyway. That's the claim Farmers is now facing in federal court.
A California man has sued Farmers Insurance Company, Inc., alleging its website promised visitors they could switch off tracking cookies - then let outside companies track them anyway. The proposed class action, filed June 19, 2026 in the US District Court for the Northern District of California, is the kind of privacy fight increasingly landing on insurers' desks.
According to the complaint, Stacy Penning went to farmers.com to look at auto insurance and start a quote. A cookie popup appeared. The filing quotes its promise: "This website uses cookies and other tracking technologies to enhance user experience. Farmers is committed to your privacy and security…You may accept or reject targeting cookies that sell and/or share your personal information."
Penning says he clicked "Reject." He alleges the tracking continued. The complaint claims that even after he opted out, Farmers caused cookies from two third parties - Adobe Inc. and Qualtrics, LLC - to be placed and sent along with his data.
The filing gets specific. It says data sent to Adobe showed the user was "seeking a quote for personal auto insurance, for zip code 90210." In one example, the complaint says a cookie named "hyundaimotorcompany!mboxPC" revealed the same user had recently been on Hyundai's site - in the filing's words, "showing Adobe the brand of car that the user is seeking to insure."
That's the part insurers should sit up for. A quote flow gathers exactly what privacy plaintiffs target - zip code, vehicle interest, browsing history - and the complaint treats the quote tool itself as the leak.
The legal theory rests on California's Invasion of Privacy Act. The complaint brings six counts: invasion of privacy, intrusion upon seclusion, wiretapping under California Penal Code § 631, use of a pen register under California Penal Code § 638.51, common law fraud, and unjust enrichment. It casts the third-party cookies and code as "machine[s], instrument[s], or contrivance[s]" under the wiretap law and as "pen registers" under § 638.50(b).
The stakes are real. The filing puts the amount in controversy above $5,000,000 and seeks statutory damages of $5,000, or three times actual damages, per violation. The proposed class covers everyone in the US who browsed the site after clicking "Reject" - which the plaintiff estimates at more than 100 people.
The complaint also targets the insurer's own setup. It alleges Farmers "operated, controlled, configured, approved, or maintained settings" that let the tracking continue, and that the company had dashboards showing data still moving despite opt-outs. It points to the California Consumer Privacy Rights Act's rules on honoring opt-out signals.
These are allegations in a complaint. None of this has been proven in court. Farmers has not yet filed a response, and no court has ruled on any of the claims.
