The plaintiffs’ bar has been ramping up lawsuits for alleged violations of state and federal wiretapping laws (e.g., California CIPA, Florida SCA, Federal ECPA) for many months now. Historically, the main issue has been that the defendant did not get the necessary consent because they did not try to do so, meaning there was no cookie consent mechanism in place.

Recently, the claims have shifted, and plaintiffs are taking issue with whether and how your cookie banner actually performs.

When “Reject” Doesn’t Actually Mean Reject

A scenario plaintiffs’ counsel loves is the following: A user lands on a website. A cookie banner pops up. The user clicks “Necessary Cookies Only” or toggles off every non-essential category (performance, functional, targeting, the works). The banner disappears. The user browses assuming that the tracking has stopped, when, in actuality, analytics and advertising tags continue to fire.

This scenario has now been the subject of many complaints, often supported by packet-capture evidence showing third-party tracking requests continuing to fire. Plaintiffs are using this fact pattern to support not only a failure to acquire consent in violation of the wiretapping laws, but also causes of action for unfair and deceptive trade practices, common law fraud and misrepresentation, invasion of privacy, and unjust enrichment.

Say What You Do; Do What You Say

What your banner says is as important as what it does. Plaintiffs have also been going after consent management platforms (CMPs) that facilitate a true opt-out but use language that makes it seem like an opt-in. For example, a banner might say “if you consent, we deploy cookies” while actually deploying them regardless. Another common issue is language like “by using our website, you consent to us sharing your information with third-party marketing and advertising partners,” displayed alongside buttons that let users accept or reject cookies. The first sentence implies that browsing equals consent, while the buttons say otherwise. Plaintiffs allege that this kind of contradictory messaging confuses users about the actual consent mechanism and serves as evidence that the entire framework was designed to mislead.

For companies looking to mitigate their risk, the takeaway is clear. To paraphrase the Federal Trade Commission: Your consent management platform must clearly say what it does and do what it says. That means that once a user opts out, the analytics and targeting trackers must stop sharing data with third-party tracker providers.

Here are some things you can do:

  • Engage a specialist for your cookie management platform (CMP).
  • Engage legal counsel to assess your website compliance more generally.
  • Make sure your banner wording matches what happens and is compliant with privacy laws.
  • Check your CMP performance before deployment.
  • Check its performance regularly.
  • Deploy a policy that requires marketing or other business units to check with legal before deploying new trackers, and make sure the trackers are included in the CMP.
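
One way to carry out the "check your CMP performance" steps, as an added example that is not part of the original article: export a HAR file from the browser's network panel for a session in which the tester clicks the reject option, then list every third-party request that started after the click. The tracker host list, `example.com` as the first-party site, the opt-out timestamp and the sample capture are constructed assumptions.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: short illustrative host list; replace with your own tag inventory.
TRACKER_SUFFIXES = ("google-analytics.com", "doubleclick.net", "connect.facebook.net")
# Assumption: moment the tester clicked "Necessary Cookies Only" (constructed).
OPTOUT = datetime(2024, 1, 1, 12, 0, 5, tzinfo=timezone.utc)

def _entry(ts, url):
    return {"startedDateTime": ts, "request": {"method": "GET", "url": url}}

# Constructed HAR excerpt (only the fields this check reads), not a real capture.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("2024-01-01T12:00:01.000Z", "https://www.example.com/"),
    _entry("2024-01-01T12:00:02.000Z", "https://www.google-analytics.com/g/collect?v=2"),
    _entry("2024-01-01T12:00:07.000Z", "https://www.example.com/products"),
    _entry("2024-01-01T12:00:08.000Z", "https://www.google-analytics.com/g/collect?v=2"),
    _entry("2024-01-01T12:00:09.000Z", "https://stats.g.doubleclick.net/j/collect"),
    _entry("2024-01-01T12:00:09.500Z", "https://cdn.example.net/lib.js"),
]}})

def host_matches(host, suffix):
    """True for the domain itself or any subdomain (avoids 'notexample.com' matches)."""
    return host == suffix or host.endswith("." + suffix)

def requests_after_optout(har_text, first_party, optout_time, trackers=TRACKER_SUFFIXES):
    """Return (timestamp, host, category) for each third-party request begun after opt-out."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        stamp = entry["startedDateTime"]
        started = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        host = (urlsplit(entry["request"]["url"]).hostname or "").lower()
        if started <= optout_time or host_matches(host, first_party):
            continue  # before the click, or the site's own traffic
        known = any(host_matches(host, t) for t in trackers)
        findings.append((stamp, host, "known-tracker" if known else "unlisted-third-party"))
    return findings

if __name__ == "__main__":
    for stamp, host, kind in requests_after_optout(SAMPLE_HAR, "example.com", OPTOUT):
        print(f"{stamp}  {host}  {kind}")
```

Hosts that are not on the tracker list are still reported as unlisted third parties, so each one can be reviewed and either classified as strictly necessary or added to the CMP.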