Within the last twelve months, the number of class actions asserting claims based on faulty cookie banners has skyrocketed.  The allegations go as follows:

1. The plaintiff visited a site with a cookie banner that informed the plaintiff that he or she could opt out of “non-essential cookies.”

2. The plaintiff opted out of “non-essential cookies.”

3. The plaintiff continued to browse the site.

4. While the plaintiff was browsing the site, the website continued to track him or her. 

Based on this, plaintiffs assert a host of claims.  Some claims, like those for violations of the California Invasion of Privacy Act (“CIPA”), the Electronic Communications Privacy Act (“ECPA”), and the California Comprehensive Computer Data Access and Fraud Act (“CDAFA”), have little, if anything, to do with the malfunctioning banner.  They can be and have been asserted whether a site has a cookie banner or not. 

Others, like misrepresentation and fraud, are based entirely on the defective cookie banner.  The claims would not exist had the cookie banner functioned as intended.  

And still others, like invasion of privacy and unjust enrichment, are bolstered by, but not necessarily dependent on, the cookie banner’s lack of functionality.  These claims have been, and will continue to be, asserted in cases no matter how the cookie banner operated, but some of the elements necessary for them—i.e., a reasonable expectation of privacy—are easier to prove when the banner does not work. 

That claims like these have increased is not surprising.  As the number of CIPA, ECPA, and CDAFA suits and demand letters rises, companies are scrambling to do something—anything—to mitigate their risk.  They turn to cookie banners in the hopes of staving off future litigation, but, in doing so, companies often invite more problems than they solve. 

First, cookie banners, in and of themselves, do not prevent CIPA litigation.  In most instances, the technologies that form the basis of CIPA claims fire the minute a user lands on the site, before the cookie banner has appeared and before the user has had a chance to read it.  And since CIPA has been interpreted to require “prior consent,” plaintiffs argue that, even if the cookie banner could provide the requisite consent, it did not do so “prior” to the technologies firing. 

Second, to work properly, cookie banners require planning, configuration, and monitoring. As these recent lawsuits show, if a company is going to provide users with the ability to opt out via a cookie banner, the opt-out mechanism must work, otherwise the cookie banner is doing more harm than good. 

Finally, and perhaps most importantly, cookie banners and their opt-out functionality are ill-fitted “solutions” to CIPA exposure, for multiple reasons.  The CCPA implements an opt-out regime, meaning, in most instances, companies are free to sell and/or share data until a user tells them not to.  In contrast, CIPA requires prior consent.  Further, the CCPA regulates the sales and/or shares of data, which necessarily requires distinguishing among third parties, service providers, and contractors.  CIPA, instead, focuses on whether the entity to whom data is being sent has the capability of using it for its own purposes. In other words, using a CCPA-designed cookie banner to mitigate CIPA exposure can be, at times, like trying to jam a square peg into a round hole; it just doesn’t fit. 

Although the CCPA and CIPA can, at times, regulate the same type of information, they do not do so in the same way.  Therefore, while efficiencies can be gained by coupling CIPA and CCPA compliance, it is a mistake to believe that being compliant with one means being compliant with the other.  The two statutes are different and must be treated as such.  Lumping them together only leads to greater problems.