By Matthew D. Pearson, Partner, Womble Bond Dickinson (US) LLP
Note: This article is being re-shared by ComplyAuto with permission from author Matthew D. Pearson, Partner at Womble Bond Dickinson (US) LLP.

Cookie banners—those things that most users almost immediately close when they visit a site—have become a ubiquitous part of internet browsing. In theory, cookie banners should benefit all parties involved—site users and site operators alike. For users, a cookie banner should provide immediate access to information about the types of information the site is collecting and an ability to, at least in part, control that collection. For site operators, cookie banners should help with compliance and—potentially—provide defenses in any subsequent litigation.
But what happens when a cookie banner is not operating correctly? As with most things privacy related, the answer is litigation.
Over the last few months, several putative class actions have been filed in California, alleging that, as a result of a faulty cookie banner, the website effectively misrepresents its data-collection practices. The fact pattern goes as follows:
- User visits site;
- Site provides user with cookie banner;
- User hits “decline” or opts out of all non-essential cookies;
- Due to some technical glitch in the cookie banner’s coding, the cookie banner does not block all non-essential cookies;
- User continues to browse the site believing that he or she has opted out of all non-essential cookies; and
- Site continues to drop and capture information from non-essential cookies.
In the lawsuits filed to date, the plaintiffs are not targeting any specific type of defendant or industry. They have brought claims against retailers, telecommunication providers, hospitality companies, fast-food chains, media companies, and beverage producers. Indeed, the only common thread among the defendants is that: (1) they had a public-facing website and (2) their cookie banner was not operating as intended.
More of these lawsuits are coming, too. Plaintiffs have strategically filed arbitrations on these claims, not to arbitrate the underlying dispute but, instead, to arbitrate the applicability of the defendant’s arbitration provision. And, in at least three, Plaintiffs have been successful, with the arbitrator finding that the arbitration provision—generally found in the defendant’s Terms of Use—is either not applicable to the claims asserted, was never agreed to by the plaintiff, or both. Those decisions clear the plaintiffs’ path to file more class actions in federal and state court.
The Claims
No U.S. law explicitly makes it illegal to have a faulty cookie banner. That isn’t to say that cookie banners and their functionality have been ignored. The Federal Trade Commission, California Privacy Protection Agency (CPPA), and other state authorities have been quite active in regulating cookie banners, particularly if allegedly deceptive or misleading, and there is no reason to believe that will be slowing down any time soon.
However, since there is no explicit law, as with most privacy litigation, plaintiffs look to other statutes or claims to bring suit. In the lawsuits filed thus far, those claims include:
- Invasion of privacy under the California Constitution;
- Intrusion upon seclusion;
- Wiretapping under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 631;
- Use of a Pen Register under CIPA, Cal. Penal Code § 638.51;
- Common law fraud, deceit, and/or misrepresentation;
- Unjust enrichment; and
- Trespass to chattels.
Plaintiffs apparently believe that the existence of a faulty cookie banner changes the analysis as it relates to claims like invasion of privacy and unjust enrichment. For example, in the past, plaintiffs have largely failed to establish that they have a reasonable expectation of privacy in the general browsing information that they voluntarily provide to websites or that the disclosure of that information is “highly offensive.” See Brown v. Google LLC, 685 F. Supp. 3d 909, 941 (N.D. Cal. 2023) (noting that “Ninth Circuit law indicates that users may not have a reasonable expectation of privacy over the IP addresses of the websites they visit or URLs that only reveal basic identification information”); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012) (“The information disclosed to third parties by LinkedIn, including a numeric code associated with a user and the URL of the profile page viewed, does not meet the [highly-offensive] standard set by California courts.”). In the cookie-banner complaints filed to date, the plaintiffs want to change that outcome by claiming that they “had a reasonable expectation of privacy under the circumstances, as Defendant affirmatively promised users they could ‘Click Here to Reject All non-essential cookies’ and tracking technologies before proceeding to browse the site.” (emphasis added).
The Hurdles for ‘Cookie Banner’ Claims
But, even with the additional cookie-banner allegations, the claims being asserted by plaintiffs are subject to the same defenses as other, online-privacy-related claims, including:
- Lack of injury-in-fact for Article III standing purposes (if filed in federal court);
- Lack of specific personal jurisdiction (if filed against an out-of-state defendant);
- Failure to allege cognizable damages; and
- Failure to allege “interception” of the “content” of communications for wiretapping claims.
Additionally, like most online-privacy claims, cookie-banner claims raise a class-identification problem. The inability to identify the class members will undoubtedly raise insurmountable problems with manageability. It is hard enough to identify a class in straightforward CIPA claims (wiretapping and/or pen register/trap and trace) where the only information available for most site visitors is a public IP address. Cookie-banner claims add another challenge: to be a class member, the website user must also have opted out of non-essential cookies. Put another way, identifying the class requires determining who among an otherwise unidentifiable group of users opted out of non-essential cookies (something most, if not all, companies do not have the ability to record) and then continued to browse the site.
The Takeaways
Some of you reading this may wonder how a cookie banner could malfunction. You hire reputable vendors to implement and run your consent management platform (“CMP”), and you test (and retest) before going live. But a lot can change after the cookie banner’s implementation. Website architecture is updated. Campaigns start and end. Things get added; others removed. Put simply, it happens, and it happens more than you might think.
The problem is exacerbated by the lack of detection. In most instances, website functionality issues are immediately apparent to the site operator. Since a cookie banner does not necessarily impact the core functionality of the site, months, if not years, may pass before there is any indication that it is not operating as intended. And the longer the problem persists, the greater the number of users (i.e., putative class members) who may be impacted by it.
Cookie-banner cases are the newest iteration of online privacy claims. What distinguishes them from other cases is that they are not based solely on the technological underpinnings of website coding. They are, in their simplest form, misrepresentation claims.
Regardless, cookie-banner class actions cannot avoid the issues that have plagued online-privacy claims since their inception. The plaintiff still must suffer an injury-in-fact. She still must establish personal jurisdiction over the defendant. She still must allege cognizable damages. And, most importantly, she must be able to identify the people on whose behalf she is allegedly suing.
Many of the questions surrounding cookie-banner claims will be answered in the next 6 to 12 months as these cases play out in the courts. But one thing is for certain: do not let a lawsuit be the first indication that your cookie banner is not working the way it should be.
About the Author

Matthew D. Pearson
Partner, CA
t: 1. 657.266.1075
e: matthew.pearson@wbd-us.com
Matt Pearson litigates a wide variety of class actions across the country on behalf of clients from nearly every industry, including automotive, healthcare, financial services, retail, and technology. Much of his practice focuses on the ever-growing and constantly evolving area of privacy. He frequently handles cases filed under California’s Unfair Competition Law, Consumer Legal Remedies Act, Consumer Privacy Act (CCPA), Confidentiality of Medical Information Act (CMIA), Invasion of Privacy Act (CIPA), and similar statutes from other states.