CIPA Plaintiffs Target Cookie Banners, Join State Regulators in Attack on Opt-Out Compliance

Recently, the cases target cookie banners, alleging illegal wiretapping activity when the banner offers an option to disable cookies but fails to do so. 

Regulators across the country are focusing their enforcement activities on opt-out compliance, so now is the time to scan your website (regulators already are) to ensure that every consumer’s opt-out request — whether manual or automatic, through the Global Privacy Control — is honored every time.

How Cookie Banners Became CIPA Targets

CIPA was enacted in 1967 to protect the private communications of Californians from being eavesdropped upon without their knowledge or consent. The legislature could not have anticipated online tracking mechanisms then, and in fact, many of the statutes within CIPA are specifically drafted to address telephone and telegraph communications. And while the US. Supreme Court often reminds us that the “meaning of a statute is fixed at the time of enactment,” that has not stopped lower courts from interpreting CIPA as a “living and breathing document.” The elastic interpretation of the statute, plus the prospect of $5,000 per violation in statutory damages, has proven attractive to plaintiffs who have now turned their attention to cookie banners in a new wave of ongoing CIPA litigation.

CIPA Sections 631 prohibits intentional wiretapping and the interception of communications in transit. This includes when a website allegedly enables third parties to capture user communications despite a banner’s promise to block tracking. While Section 631 protects communication from being monitored in transit, Section 632 protects confidential communications from being recorded without all parties’ consent. Claims involving Section 632 are gaining traction in data‑sharing suits involving more sensitive contexts. Finally, Section 638.51 prohibits use of a pen register or trap‑and‑trace device without a court order; some district courts in California have held at the pleadings stage that software‑based trackers can qualify as such devices.

Cookie Banner Litigation 

Plaintiffs target cookie banners when there is a divergence between the banner’s promise and the site’s technical behavior on the back end. The new CIPA complaint template alleges that a banner offered a meaningful choice (often a Reject All button or toggles to disable non‑essential cookies) yet the site still placed third‑party cookies or fired pixels and transmitted data to analytics, advertising, or social media partners after the user exercised that choice. Where a user’s rejection of non-essential cookies is not recognized on the back end and third-party cookies, tags, pixels, and other trackers continue to transmit information, the plaintiffs’ bar is now arguing these failures constitute CIPA violations. 

In D’Antonio et al. v. Smith & Wesson Inc., the manufacturer’s website presented a pop-up cookie banner giving users the option to Accept Cookies, Reject All, or Manage Privacy Preferences. The banner even stated that if Smith & Wesson detected an “opt-out preference” it would be honored. Plaintiffs alleged that Smith & Wesson’s website placed Smith & Wesson and third-party cookies on users’ devices and allowed third parties to track users’ online activity, even if users clicked Reject All. The court granted dismissal with leave to amend on both the CIPA Section 631(a) wiretapping and Section 638.51 pen register claims, not because the theories were legally deficient, but because the plaintiffs failed to allege that they actually communicated with the website, a prerequisite to showing that the “contents” of a communication were intercepted or that “dialing, routing, addressing, or signaling information” was tracked. The inadequacy of this complaint does not mean a business is not obligated to suppress third-party tags upon a user’s rejection of such tags. 

Similarly in De Ayora et al. v. Inspire Brands, Inc. et al., a class of California consumers sued Inspire Brands and several of its restaurant subsidiaries alleging that the restaurants’ websites deployed cookies and tracking technologies that allegedly collected browsing history, user input data, geolocation, and referring uniform resource locators (URLs) despite offering cookie consent banners that purported to give users the ability to decline tracking. Critically, however, because the deceptive cookie banners formed the backbone of all claims, the court applied Rule 9(b)’s heightened pleading standard for fraud and found that the plaintiffs failed to adequately plead the “when” and “where” of the alleged misconduct given that the cookie banners were implemented and updated on different websites at different times over a four-year class period. All claims were accordingly dismissed with leave to amend. 

In Camplisson et al. v. Adidas America, Inc., a class of California consumers sued the sportswear giant for deploying tracking pixels on its website without meaningful user consent. Unlike the other cases, Adidas did not present a consent banner. The only disclosures appeared via privacy policy and terms and conditions links buried in small font in the website footer. The complaint alleged that the pixels collected timestamps, Internet Protocol (IP) addresses, unique browser identifiers, device details, and browser information. On Adidas’ motion to dismiss, the Southern District of California denied the motion in its entirety on the CIPA Section 638.51 pen register claim. The court held that the plaintiffs had statutory standing to sue, rejecting Adidas’ arguments that CIPA applies only to telephones and that the collection of IP addresses and browsing data does not constitute a concrete injury. The court also rejected the consent defense, holding that footer-only disclosures with no affirmative assent mechanism, such as a cookie banner, fail the conspicuousness requirement necessary to establish valid user consent. For businesses that have not yet implemented a cookie banner at all, Camplisson is a clear warning. Relying solely on a privacy policy link in the website footer will not constitute valid consent under CIPA. The cookie banner is, therefore, a valid opt-out mechanism to obtain consent, but also a potential liability if that consent is not respected.

These cases are all in the pleading stages now, with no decisions on the merits yet. However, now is the time to check your cookie management platform and ensure that when users make a selection, whether manually or automatically through a uniform opt out mechanism such as the Global Privacy Control, those choices are honored on the back end. Regulators and plaintiffs’ counsel are actively looking to enforce opt-out choices, and they are checking themselves through the use of sophisticated website scanning tools.

If you have any questions, please reach out to your ArentFox Schiff contact or a member of the Privacy & Data Security team.

Additional research and writing from Perry Jackson, law clerk in ArentFox Schiff’s Washington, DC, office.