How did it come to this? Last year you got a new cookie consent management platform (CMP), and you worked with your web team to implement it. You even took a conservative approach and tried to get consent for all optional cookies in California, but now you’re staring down a class action lawsuit that alleges it didn’t work.
CMPs are sold as compliance solutions, but plaintiffs’ counsel and regulators increasingly treat them as evidence. When the CMP says one thing and the site does another, that isn’t just a configuration glitch: it’s a potential misrepresentation, and it sits at the heart of a growing wave of privacy claims under state laws like the California Invasion of Privacy Act (CIPA). The failures are rarely dramatic. They tend to fall into the same ten patterns:
- Not every cookie ran through the CMP. Cookies set by third-party widgets, embedded players, or scripts that bypass your tag manager may operate outside the CMP’s control entirely. The banner can’t gate what it never sees.
- The default categorization didn’t match reality. You relied on the CMP’s out-of-the-box classification of cookies, which reflects common patterns rather than how your site actually uses them. The labels looked right at a glance but quietly mischaracterized cookies that should have been consent-gated.
- Internal scope creep. Marketing or product teams changed how they use a particular vendor’s pixel after launch without looping in whoever maintains the CMP configuration. What began as an analytics cookie became an ad targeting cookie when the marketing team activated a new feature, and now your ad-targeting opt-out button doesn’t stop it.
- Vendor-side scope creep. Vendors quietly change their own cookie behavior. Your marketing team is innocent, but the vendor changed the default settings for the cookie in the name of product enhancement, and the burden of catching up is yours.
- A white-labeled section was never integrated. A sub-brand, partner-operated experience, or co-branded part of your website launched without CMP integration. Its cookies fire independently, and your CMP has no visibility into any of it.
- The default banner text wasn’t accurate to begin with. Off-the-shelf CMP language frequently misstates actual CMP and cookie behavior, typically by (i) overstating the scope of an opt-out or (ii) understating the scope of what particular categories of cookies do.
- Preferences didn’t propagate downstream. The user clicked “reject,” but the signal never reached every vendor, or it reached them in a format they ignore. The banner worked, but the plumbing didn’t.
- Geotargeting wasn’t updated. The litigation risk in a geographic region shifted, but you didn’t update your CMP’s geofencing rules. Visitors in jurisdictions that now might warrant a tighter opt-in flow are still getting the looser experience.
- You’re using the wrong CMP. Have you done your diligence? There are now dozens of CMPs on the market, and not all are created equal. Many of them may not be the right fit for your company, depending on where and how you operate.
- No re-audit. If you’re like most companies, plaintiffs’ firms already conduct regular automated scans of your CMP functionality. You should routinely test your CMP as well.
There’s more, but we don’t want to publish a roadmap to potential new claims in cookie litigation; we are happy to discuss the rest with clients. What these have in common is straightforward: each is a gap between what the CMP claims and what the site actually does. Closing them takes more than a well-configured dashboard. It takes testing the live site, periodically and after every meaningful change. Ask a blog author or your regular ZwillGen contact how we can help.
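One way to run the live-site test described above, as an added example that is not from the original post: compare the cookies actually present after a visitor rejects against the CMP's own inventory. The inventory, category names and captured cookies are constructed sample data; in practice the capture would come from a browser session on the live site.

```javascript
// Added example. Every cookie name, domain and category here is constructed.

// The CMP's inventory: cookie-name pattern -> consent category.
const cmpInventory = [
  { pattern: /^session_id$/, category: "strictly_necessary" },
  { pattern: /^_exa_/, category: "analytics" },
  { pattern: /^adv_uid$/, category: "advertising" },
];

// Categories that are not consent-gated (assumption for this sample).
const EXEMPT = new Set(["strictly_necessary"]);

function categorize(name) {
  const hit = cmpInventory.find((entry) => entry.pattern.test(name));
  return hit ? hit.category : null;
}

// observed: cookies present after the visitor's choice was recorded.
// granted: Set of categories the visitor consented to (empty = reject all).
function auditCookies(observed, granted) {
  const findings = [];
  for (const cookie of observed) {
    const category = categorize(cookie.name);
    if (category === null) {
      // The CMP cannot gate a cookie it has never classified.
      findings.push({ cookie: cookie.name, domain: cookie.domain, issue: "not_in_cmp_inventory" });
    } else if (!EXEMPT.has(category) && !granted.has(category)) {
      // Classified and gated, yet present after the category was refused.
      findings.push({ cookie: cookie.name, domain: cookie.domain, issue: "set_without_consent", category });
    }
  }
  return findings;
}

// Constructed capture: cookies seen on a page load after "reject all".
const observedAfterReject = [
  { name: "session_id", domain: "www.example.com" },
  { name: "_exa_visitor", domain: "www.example.com" },
  { name: "player_pref", domain: "video.example.net" },
];

function runSample() {
  return auditCookies(observedAfterReject, new Set());
}

console.log(JSON.stringify(runSample(), null, 2));
```

Re-running the same audit after each site or vendor change, and per geographic variant of the banner, turns the findings list into a regression check.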
