Michael Lessner thought nothing of applying for a Camden National Bank credit card, but shortly after submitting the online forms, he started receiving targeted ads on Facebook for credit cards from other financial institutions. Lessner grew wary. He never agreed to anything, but worried that Facebook and possibly other websites now seemingly had access to his personal and financial information.

Last month, Lessner filed a federal class-action lawsuit accusing the bank of the “outrageous, illegal and widespread practice of disclosing — without consent — the nonpublic personal information and personally identifiable financial information” of consumers by “secretly” implementing code-based tracking technologies into its website and profiting off that information.

The case, filed in the U.S. District Court District of Maine, alleges 15 counts of wrongdoing, including negligence, invasion of privacy, breach of contract and unjust enrichment, among violations of other state and federal laws.

It names Google, Google Doubleclick Ads, Google Tag Manager and Meta Pixels as third parties.

In an emailed statement, a bank spokesperson said the company does not comment on legal matters, but that “customers’ privacy and security are our highest priorities, and we take our responsibility to protect their personal and financial information seriously.”

With its tracking technology, Camden National’s website captures credit card and bank account applications, as well as what websites the user visited, what buttons they clicked and what URLs they went to next, the suit alleges.

The bank uses that information to save costs on marketing campaigns, improve data analytics, attract new customers and generate sales, the suit says.

Furthermore, it accuses the bank of allowing third parties like Google and Meta, Facebook’s parent company, to access and subsequently profit from that information by disclosing it to fourth parties who also used it.

“Customers … simply do not anticipate that a trusted financial institution will send their personal and financial information to hidden third parties (who in turn share with fourth parties), all of whom profit off of it; likewise, when plaintiff and class members used defendant’s website, they thought they were communicating exclusively with a trusted financial institution,” the lawsuit states.

According to the suit, data harvesting “drives Facebook’s advertising sales, which are its profit center. In 2023, Facebook generated nearly $135 billion in revenue, roughly 98% of which was derived in advertising revenue alone.”

Customers never consented or permitted the bank to disclose their personal information for marketing or profit and were never given any written notice about the disclosure, nor were they able to opt out, the suit states. Lessner, for example, never would have applied for a credit card, had he known his information was vulnerable, according to court documents.

In its privacy notice, Camden National says “(f)ederal law gives consumers the right to limit … sharing” and that “(w)e don’t share” customers’ personal information “(f)or our affiliates’ everyday business purposes”; “(f)or our affiliates to market to you” or “(f)or nonaffiliates to market to you,” the lawsuit states.

The bank does not, however, disclose its use of customer personal and financial information for third- and fourth-party marketing, the suit alleges.

Among a lengthy list of damages, the suit cites Lessner’s loss of privacy, the decreased value of his personal and financial information, increased risk of future harm from the disclosure of his information, an ongoing assault of personal ads, as well as “embarrassment, humiliation, frustration and emotional distress.”

Lessner’s lawyer did not respond to an email Friday requesting to discuss the case.

The case closely mirrors a lawsuit filed against Capital One in California last year.

Shah v. Cap. One Fin. Corp. makes several of the same claims, accusing the bank of intercepting and illegally sharing personal information through third-party tracking technologies on its website. According to the suit, the trackers send personal details ranging from employment and bank account details to browsing activities to companies like Google, Microsoft, Adobe, Facebook and others.

Capital One has filed a motion to dismiss the complaint in its entirety.

Data privacy has recently been a hot-button issue in Maine.

Last year, lawmakers considered — but ultimately killed — two bills meant to protect the privacy of residents’ online data.

The stricter of the two bills, which faced fierce opposition from businesses, would have limited the ability to collect online data and target ads to potential customers.