Many businesses have opted to deploy website cookie banners in response to the barrage of litigation under the California Invasion of Privacy Act (“CIPA”). That same mitigation measure, however, is increasingly the target of a new wave of class action lawsuits asserting fraud and other claims based on some banners’ alleged failure to do what they say they will. Specifically, these claims center on website banners and cookie settings tools that promise to opt users out of certain cookies or pixels but allegedly fail to do so.
Fresh Batch of Claims
Plaintiff’s firms have filed dozens of these cases in California federal and state court. The complaints generally allege that the website presents users with the option to “Reject All” cookies or “Reject” certain cookies, but in practice fails to opt users out of such cookies or technologies. The allegations most often concern advertising technologies that continue to load after the rejection.
These cases have been tricky to defeat early on. The complaints generally assert a litany of claims, including CIPA § 631, CIPA § 638.51, common law fraud, deceit, and/or misrepresentation, invasion of privacy, and intrusion upon seclusion. On a motion to dismiss, most courts have allowed some subset of the claims to continue past the pleading stage. These matters are also often filed as putative class actions. As a result, these cases create significant litigation exposure for businesses. They also pose regulatory risk, because regulators also scrutinize banners and cookie tools for deceptiveness and other compliance requirements.
A Half-Baked Banner
These cases mean that businesses should not put up a cookie banner or settings tools in response to CIPA risk without careful vetting and testing by both technical and legal teams. Businesses should make sure cookie banners and settings tools are both properly drafted and correctly implemented. The language should be accurate, not overly broad, and tailored to litigation and regulatory requirements.
For example, the disclosures in some cookie settings tools were drafted solely to address narrow concepts such as “sale” and “sharing” under the California Consumer Privacy Act (“CCPA”) rather than broader CIPA risk (which targets interception of communications content and pen register-type tools). Companies that use those default disclosures to obtain consent for CCPA-regulated “sales” and “sharing” may find that the resulting consent does not cover all of the activities that some courts have held can be protected by CIPA.
The tool must also function correctly, meaning businesses should test the site to make sure third-party cookies, pixels, and other tools turn off when a user opts out of such technologies.