Key Takeaways
- Serial litigants are shifting from TCPA robocall claims to targeting website tracking pixels and analytics tools used by MCA brokers and funders.
- Inbound-only lead strategies no longer guarantee compliance safety; your website itself can become the attack surface.
- KYC compliance for alternative lenders now extends beyond identity verification to include how applicant data is collected, stored, and transmitted before underwriting begins.
- Asynchronous bank verification workflows reduce compliance exposure by minimizing the data touchpoints between initial contact and funding decision.
- Funders who audit their entire lead-to-verification pipeline, not just their outbound communications, will be best positioned to avoid litigation.
Website Trackers Are the New Litigation Target for MCA Brokers
For years, MCA brokers focused their compliance energy on outbound calls. The Telephone Consumer Protection Act made robodials and unsolicited texts a minefield, and the industry adapted. Many shops pivoted to inbound-only models, running paid ads on social media and letting merchants come to them. It felt safe. Until it wasn't.
A recent deBanked report details how serial litigants are now targeting the websites themselves. The complaint isn't about who called whom. It's about what happens the moment a merchant lands on a broker's site: tracking pixels fire, session replay tools record clicks and scrolls, and analytics cookies follow the visitor across the web. Plaintiffs' attorneys argue this amounts to unauthorized surveillance, and they're filing under state wiretapping statutes, the Video Privacy Protection Act, and emerging data privacy laws.
This matters for every funder and broker reading this because KYC compliance for alternative lenders can no longer stop at identity checks and phone consent. The compliance perimeter now starts at your homepage. If your website collects behavioral data before an applicant even submits an application, you have exposure. And if that same data flows into your underwriting or verification workflow without proper consent architecture, the exposure compounds.
How Tracker Lawsuits Threaten MCA Underwriting Workflows
From TCPA Claims to Wiretapping Statutes
The legal theory behind these cases is straightforward. When a merchant visits your website and a third-party tracker records their session, plaintiffs argue that constitutes an illegal wiretap under two-party consent states. California's Invasion of Privacy Act, Pennsylvania's Wiretapping and Electronic Surveillance Control Act, and Florida's Security of Communications Act all require both parties to consent to recording. A tracking pixel that captures keystrokes, form inputs, or session behavior can trigger these statutes even if the visitor never picks up the phone.
For MCA operations, the risk is particularly acute because of how tightly the lead intake process connects to underwriting. A merchant searches for working capital, clicks an ad, lands on a broker's site, and fills out a pre-qualification form. If session replay software captured that interaction and the broker didn't obtain explicit, informed consent before the tracker fired, the broker has a potential wiretapping claim on their hands. The fact that the merchant initiated the visit doesn't matter under two-party consent law.
The Data Collection Problem Before Verification Begins
Most MCA compliance conversations focus on what happens during and after underwriting. Bank statement review, identity verification, transaction authentication. But these tracker lawsuits expose a gap that sits upstream of all of that: the data you collect before the applicant even enters your verification pipeline.
Consider the typical flow. A merchant visits your site. Your analytics platform logs their IP address, device fingerprint, and browsing behavior. A session replay tool records their interaction with your application form. A retargeting pixel follows them to other sites. All of this happens before you've verified a single bank statement or confirmed a single identity. And all of it is now potential litigation fodder.
The lesson for funders in 2026 is clear: compliance isn't a stage in your pipeline. It's the pipeline. Every touchpoint from first click to funding decision needs a defensible consent framework. That includes how you handle the transition from lead capture to bank verification, a handoff that many operations treat as a formality but which serial litigants are scrutinizing with increasing sophistication.
Reducing Touchpoints Through Asynchronous Verification
One practical way to shrink your compliance attack surface is to reduce the number of data collection touchpoints between lead intake and funding decision. This is where asynchronous bank verification creates a structural advantage over traditional live calls.
In a live verification workflow, an underwriter schedules a call, walks the applicant through their banking portal, and often records the session using screen-sharing software. Each of those steps involves a separate data collection event: the scheduling system captures contact details, the video platform records the session, and the underwriter's notes create additional records. Every layer is a potential compliance liability.
Exact Balance collapses this into a single, consent-driven interaction. The applicant receives a secure link, records their own banking session in their browser, and submits the recording. There's no third-party screen sharing. No scheduling platform capturing metadata. No ambient tracking. The applicant initiates the recording with full awareness, and the resulting video is encrypted and stored in a way that creates a clean audit trail. For funders concerned about the expanding definition of "unauthorized surveillance," fewer touchpoints means fewer targets.
As we've explored in our analysis of how MCA litigation risk reshapes bank verification compliance for brokers, the legal landscape is pushing the industry toward workflows that are defensible by design, not retroactively patched.
Building a Compliant Lead-to-Verification Pipeline
Addressing tracker litigation risk requires MCA operations to think about compliance as a continuous architecture rather than a checklist applied at discrete stages. The brokers and funders who will avoid these lawsuits are the ones who audit their entire pipeline now, before a demand letter arrives.
Start with your website. Inventory every third-party script that fires on page load. Google Analytics, Meta Pixel, Hotjar, Clarity, retargeting tags. For each one, ask whether it captures personally identifiable information or behavioral data before the visitor has provided explicit consent. If it does, you need a consent management platform that blocks those scripts until the visitor opts in. "We have a privacy policy" is not a defense under two-party consent wiretapping statutes. Affirmative, pre-collection consent is the standard plaintiffs' attorneys are arguing for, and courts are increasingly agreeing.
Next, audit the handoff between lead capture and verification. When a merchant submits a pre-qualification form, what data travels downstream? Does your CRM automatically enrich the lead with third-party data before the applicant has consented to that enrichment? Does your verification workflow inherit tracking identifiers from the lead capture stage? These are the seams that serial litigants probe. The Federal Trade Commission's guidance on unfair data practices provides a useful framework for evaluating whether your data flows meet minimum standards, even if your state hasn't yet passed comprehensive privacy legislation.
Finally, standardize your verification process so that the consent architecture is baked into the workflow rather than bolted on. With Exact Balance, the applicant's consent is implicit in the act of recording: they receive a clear description of what they're being asked to show, they initiate the recording themselves, and the platform logs the full activity trail. There's no ambiguity about whether the merchant knew they were being recorded, because they pressed the button. This kind of consent-by-design approach is what compliance counsel increasingly recommends, and it's far easier to defend than a patchwork of cookie banners and terms-of-service links.
Funders who have already invested in tightening their verification compliance, as we discussed in our coverage of how MCA audit season exposes bank verification documentation gaps, will find this extension natural. The same discipline that produces clean audit trails for bank transaction verification applies to the lead capture and consent layers upstream.
Frequently Asked Questions
What are tracker lawsuits, and why are they targeting MCA brokers?
Tracker lawsuits allege that website tracking technologies like session replay tools, analytics pixels, and retargeting cookies constitute unauthorized wiretapping under state laws. MCA brokers are particularly vulnerable because their websites often collect behavioral data from merchants exploring financing options. Plaintiffs argue that recording a visitor's session without explicit prior consent violates two-party consent wiretapping statutes in states like California, Pennsylvania, and Florida. These claims can result in statutory damages per violation, making them attractive targets for serial litigants.
How does async bank verification reduce compliance risk for MCA lenders?
Asynchronous bank verification reduces compliance risk by consolidating the verification process into a single, applicant-initiated interaction. Instead of scheduling calls through third-party platforms, screen-sharing through separate software, and recording through yet another tool, async workflows like Exact Balance give the applicant a secure link where they record their own banking session. This eliminates multiple data collection touchpoints, each of which could be a compliance liability. The applicant's act of initiating and completing the recording serves as clear, demonstrable consent.
Do inbound-only lead strategies still protect against TCPA-related lawsuits?
Not entirely. While inbound-only strategies eliminate the risk of traditional TCPA robocall claims, they don't protect against the newer category of wiretapping and privacy claims tied to website tracking. If a merchant calls you after clicking on your ad but your website recorded their browsing session before they opted in, you still have potential exposure. The legal risk has migrated from the phone call itself to the digital infrastructure surrounding it.
What steps should MCA funders take to audit their website for compliance?
Start by cataloging every third-party script on your site, including analytics, session replay, heatmap tools, and advertising pixels. Determine whether each script fires before or after the visitor provides explicit consent. Implement a consent management platform that blocks data collection scripts until opt-in is confirmed. Then trace how data flows from your website into your CRM, underwriting tools, and verification systems. Any data that moves downstream without documented consent is a potential liability. Consider working with compliance counsel who specializes in state privacy and wiretapping laws, as the standards vary significantly by jurisdiction.
Conclusion
The compliance perimeter for MCA brokers and funders is expanding. It no longer stops at outbound call consent or bank statement authentication. Serial litigants have identified a new attack surface in the tracking technologies that power modern lead generation, and the legal theories they're deploying are gaining traction in courts across the country.
The funders who adapt fastest will be those who treat compliance as a continuous architecture spanning every data touchpoint from first click to funded deal. Asynchronous, consent-by-design verification workflows are a critical piece of that architecture.
Visit exactbalance.ca to see how async bank verification eliminates unnecessary data touchpoints and builds defensible audit trails into every verification request.