Compliance teams may think adding consent-or-opt-out banners for user data sharing is enough, but Andrew Chase of Constangy encourages them to think again. Without proper testing, a common quirk with cookies can put organizations at risk of lawsuits under California’s privacy, business and consumer protection laws.
Recent developments in the litigation of California Invasion of Privacy Act (CIPA) wiretap and pen register sections warrant an evaluation of current practices by technical and compliance teams.
New claims asserted by plaintiffs move beyond the original CIPA litigation ecosystem and expand into larger risks and the potential for much larger damage awards due to assertions of unfair and deceptive business practices. The typical risk of damages for CIPA claims is largely statutory-based, with CIPA providing a $5,000 statutory damage or potentially three times actual damages, whichever is greater.
However, by combining a CIPA claim with a claim under the California Unfair Competition Law (UCL), plaintiffs can expand the scope of damages to include advertising technology revenues received by the defendant, moving the damage calculation from nominal to whatever profits can be attributed to the defendant’s revenues driven by the use of the plaintiff’s data within the AdTech ecosystem.
Business claims
These claims stem from the assertion of an unlawful, unfair or fraudulent business act that is typically tied to a broken consent banner, a website’s mechanism that provides an individual user with the ability to consent to the use of AdTech tracking or to opt-out. These banners often fail, typically due to an order of operations issue, largely tied to how an individual website page presents data to a user.
The general concept is that the page will display in a layered manner with the consent-opt-out banner being the last aspect of the page to display to the user. Functionally, this is what places the consent/opt-out banner on top of the page. However, some implementations are placing AdTech within the page, which will activate or fire before a user is even presented with the consent-opt-out banner due to the order of operations. With a banner-opt-out present, the website owner has promised to follow a user’s preferences. However, in the broken-banner scenario, the AdTech has already fully executed and transmitted, used or collected the user’s data, regardless of what the user chose after being presented with the consent-opt-out banner.
Broken-banner cases are loosely grouped under the concept of a failed consent management platform. Under these circumstances, plaintiffs allege that the nonfunctional opt-out mechanism is a separate claim of a deceptive act by the defendant.
A plaintiff UCL claim is pleaded by three prongs:
- Unlawful: The CIPA violation itself is the predicate unlawful act.
- Fraudulent: The banner promised opt-out capability that didn’t exist.
- Unfair: Data was collected and monetized in breach of the disclosed privacy policy.
Data Privacy Rules Built for Human Behavior Have an AI Agent Problem
Regulators are beginning to treat under-governed AI deployments as intentional conduct
Read moreDetailsConsumer claims
Where the website has a commercial component (say, e-commerce or subscriptions), plaintiffs are leveraging the Consumers Legal Remedies Act (CLRA) — California’s consumer-protection statute — arguing the defective consent mechanism was a deceptive representation in connection with a consumer transaction. The CLRA adds actual damages, punitive damages and attorney fees. The consent-opt-out banner failure is the misrepresentation that a user can control your data when in fact a user cannot.
Plaintiffs are also expanding into diverse common-law theories of fraud or deceit where the consent banner affirmatively represented opt-out functionality. This permits punitive damages under the state’s breach of obligation civil code, which requires clear and convincing evidence of malice, oppression or fraud. But if the defendant knew the banner was broken and continued operating it, the “knowing” element is in play. Internal communications about consent management platform deficiencies become critical discovery targets.
The main issue many defendants face is that, while a working consent-opt-out banner is present on their websites, due to the order of operations, the plaintiff’s choice cannot be honored because AdTech has already fully executed prior to any choice being made. This is the crux of the assertions in the case Pflaumer v. Ace Hardware.
The issue presented in this litigation is not unique; this is becoming part of the standard set of claims by plaintiffs. This is largely due to a misunderstanding of what compliance requires. Many website owners and operators have rushed to implement a consent-opt-out banner and, having done so, assume that compliance has been attained. However, pure implementation has, in many circumstances, created additional risk of liability and potential for larger damage awards because website owners and operators have failed to ensure that AdTech does not execute in circumstances where consent was not granted or where a user has opted out.
Fixing the issue
To address this, website owners and operators need to regularly review and test the operation of the consent-opt-out function, preferably as part of the normal change-management cycle. There are many third-party tools that can be implemented to simplify this. However, website owners and operators should test user consent-opt-out functionality by capturing traffic from a test user connecting to the website regardless of what tool is implemented.
A properly functioning consent-opt-out mechanism will show from the captured traffic that AdTech is either not present in the capture or will not collect data until after the user has affirmatively consented. Typically, this will show bidirectional communications between the user and the website without additional connections to AdTech vendor sites. Once consent is gained, the captured web traffic will show immediate execution of AdTech and the collection of user data. Conversely, the same capture should show that if a user’s choice is to opt-out, then AdTech will not be seen or present in the capture. To do this, technical teams should post implementation-capture communications from a tester connecting to the website. This traffic should then be analyzed with a specific eye toward whether AdTech is executing, and if so, if consent was gained before execution.
In the Ace Hardware litigation, plaintiffs are asserting that AdTech executed before the consent-opt-out banner was presented. As a result, the plaintiff’s data was shared without their knowledge and specifically against their opt-out preference choice because by the time they made the choice to opt out, the AdTech implemented by Ace Hardware had already sent their data to third-party advertising partners.
While the immediate reaction for many companies is to incorporate a consent banner and opt-out function, this reaction should be tempered and driven by proper analysis by compliance and technical teams before implementation on websites. Using simple analysis tools will allow organizations and businesses to effectively implement compliance management processes without creating new risks of greater liability. Once implemented, compliance and technical teams should incorporate ongoing testing to ensure future changes and modifications do not create unintended consequences.


Andrew Chase, a partner at law firm Constangy, Brooks, Smith & Prophete, defends organizations in complex class-action litigation arising from data security incidents and privacy-related claims. A Certified Information Systems Security Professional and Certified Information Security Manager, he brings more than two decades of combined legal, cybersecurity and technology leadership experience to his work. 








