ARTICLE
2 May 2025

The CIPA-CCPA Disconnect: Faulty-Cookie-Banner Claims

FK
Frankfurt Kurnit Klein & Selz

Contributor

Frankfurt Kurnit Klein & Selz logo
Frankfurt Kurnit provides high quality legal services to clients in many industries and disciplines worldwide. With leading practices in entertainment, advertising, IP, technology, litigation, corporate, estate planning, charitable organizations, professional responsibility and other areas — Frankfurt Kurnit helps clients face challenging legal issues and meet their goals with efficient solutions.
Explore Firm Details
Class action lawsuits targeting defective cookie banners have surged dramatically, with plaintiffs alleging that websites continue tracking users even after they opt out of non-essential cookies.
United States California Privacy
Matthew Pearson
Your Author LinkedIn Connections
Matthew Pearson’s articles from Frankfurt Kurnit Klein & Selz are most popular:
  • with Finance and Tax Executives and Inhouse Counsel
  • with readers working within the Healthcare and Media & Information industries

Within the last twelve months, the number of class actions asserting claims based on faulty cookie banners has skyrocketed. The allegations go as follows:

  1. The plaintiff visited a site with a cookie banner that informed the plaintiff that he or she could opt out of “non-essential cookies.”

  2. The plaintiff opted out of “non-essential cookies.”

  3. The plaintiff continued to browse the site.

  4. While the plaintiff was browsing the site, the website continued to track him or her.

Based on this, plaintiffs assert a host of claims. Some claims, like those for violations of the California Invasion of Privacy Act (“CIPA”), the Electronic Communications Privacy Act (“ECPA”), and the California Comprehensive Computer Data Access and Fraud Act (“CDAFA”), have little, if anything, to do with the malfunctioning banner. They can be and have been asserted whether a site has a cookie banner or not.

Others, like misrepresentation and fraud, are based entirely on the defective cookie banner. The claims would not exist had the cookie banner functioned as intended.

And still others, like invasion of privacy and unjust enrichment, are bolstered by, but not necessarily dependent on, the cookie banner’s lack of functionality. These claims have been, and will continue to be, asserted in cases no matter how the cookie banner operated, but some of the elements necessary for them—i.e., a reasonable expectation of privacy—are easier to prove when the banner does not work.

That claims like these have increased is not surprising. As the number of CIPA, ECPA, and CDAFA suits and demand letters rises, companies are scrambling to do something—anything—to mitigate their risk. They turn to cookie banners in the hopes of staving off future litigation, but, in doing so, companies often invite more problems than they solve.

First, cookie banners, in and of themselves, do not prevent CIPA litigation. In most instances, the technologies that form the basis of CIPA claims fire the minute a user lands on the site, before the cookie banner has appeared and before the user has had a chance to read it. And since CIPA has been interpreted to require “prior consent,” plaintiffs argue that, even if the cookie banner could provide the requisite consent, it did not do so “prior” to the technologies firing.

Second, to work properly, cookie banners require planning, configuration, and monitoring. As these recent lawsuits show, if a company is going to provide users with the ability to opt out via a cookie banner, the opt-out mechanism must work, otherwise the cookie banner is doing more harm than good.

Finally, and perhaps most importantly, cookie banners and their opt-out functionality are ill-fitted “solutions” to CIPA exposure, for multiple reasons. The CCPA implements an opt-out regime, meaning, in most instances, companies are free to sell and/or share data until a user tells them not to. In contrast, CIPA requires prior consent. Further, the CCPA regulates the sales and/or shares of data, which necessarily requires distinguishing among third parties, service providers, and contractors. CIPA, instead, focuses on whether the entity to whom data is being sent has the capability of using it for its own purposes. In other words, using a CCPA-designed cookie banner to mitigate CIPA exposure can be, at times, like trying to jam a square peg into a round hole; it just doesn’t fit.

Although the CCPA and CIPA can, at times, regulate the same type of information, they do not do so in the same way. Therefore, while efficiencies can be gained by coupling CIPA and CCPA compliance, it is a mistake to believe that being compliant with one means being compliant with the other. The two statutes are different and must be treated as such. Lumping them together only leads to greater problems.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Matthew Pearson
Matthew Pearson
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More