A visitor hit "reject all" on Fannie Mae's site - the suit says the tracking never stopped
Fannie Mae told website visitors they could reject tracking cookies. A new class action says the cookies fired anyway.
The Federal National Mortgage Association - the mortgage-finance giant known to everyone as Fannie Mae - was sued in federal court in San Francisco on June 5, 2026, by a California man who says the company's privacy promises were false.
The story, as told in the filing, is simple enough. Melvin Coleman, who lives in San Leandro, went to fanniemae.com to read up on home-buying and financing. A cookie banner popped up. It did not just ask him to accept tracking - it offered a way out. He could "Customize Settings" and switch off the cookies he did not want.
So he did. Coleman opened the preferences window, where the site told him, in words the lawsuit quotes directly, "Because we respect your right to privacy, you can choose not to allow some types of cookies." He toggled off the Analytics and Targeting categories and clicked "Confirm My Choices."
The opt-out did not work, the suit claims. According to the filing, the site kept letting two Microsoft tools - the Clarity analytics product and LinkedIn advertising cookies - load and ship his data out anyway. The complaint says that data covered his browsing history, the pages he opened, his device and browser, his IP address, and his location, down to whether he was sitting in California.
And some of it, the lawsuit alleges, happened before he ever saw the banner. The filing says tracking was placed on his device and sent to Microsoft "without Plaintiff's knowledge" from the moment he landed on the page.
Coleman's lawyers treat the harvested data as property taken without permission. The filing says Fannie Mae "unjustly enriches itself at the expense of consumer privacy and autonomy," and it draws a straight line from the tracking to the company's core business: spotting "California users who visit webpages related to particular mortgage-related services" and serving them ads.
The legal theories carry teeth. The suit raises six claims, two of them under the California Invasion of Privacy Act - wiretapping under Penal Code section 631 and unlawful use of a "pen register" under section 638.51. Add invasion of privacy, intrusion upon seclusion, common law fraud, and unjust enrichment. Each wiretap and pen-register violation carries at least $5,000 in statutory damages, and the case papers put the amount in controversy north of $5 million. It is brought on behalf of a proposed class of California users who rejected non-essential cookies on the site.
Here is why it lands on your desk. This case has nothing to do with a loan file, an underwriting call, or a borrower in default. It lives entirely in the space between what your website's consent banner says and what your tracking code actually does. Plaintiffs' firms have turned that gap into an assembly line of California wiretap suits, and a name as large as Fannie Mae is now caught up in it. If your consumer site offers a "reject all" button, the takeaway is blunt: test it, and make sure rejecting actually stops the tracking.
A reminder on where things stand. Everything above is an allegation. Fannie Mae has not filed a response, and no court has ruled on any claim or decided whether the suit can move forward as a class action. The company is entitled to the presumption that it did nothing wrong unless a court says otherwise. Microsoft is named in the filing as the company that received the data, but it is not a defendant in the case.
