No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • Artificial Intelligence (AI)
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Downloads
    • Download Whitepapers & Reports
    • Download eBooks
  • Research
  • Books
    • CCI Press
    • New: Bribery Beyond Borders: The Story of the Foreign Corrupt Practices Act by Severin Wirz
    • CCI Press & Compliance Bookshelf
    • The Seven Elements Book Club
  • Podcasts
  • Webinars
  • Videos
  • Subscribe
Jump to a Section
  • At the Office
    • Ethics
    • HR Compliance
    • Leadership & Career
    • Well-Being at Work
  • Compliance & Risk
    • Compliance
    • FCPA
    • Fraud
    • Risk
  • Finserv & Audit
    • Financial Services
    • Internal Audit
  • Governance
    • ESG
    • Getting Governance Right
  • Infosec
    • Cybersecurity
    • Data Privacy
  • Opinion
    • Adam Balfour
    • Jim DeLoach
    • Mary Shirley
    • Yan Tougas
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

New CIPA Claims Expand Privacy Litigation Risk Over Website Consent Banners

A lawsuit against Ace Hardware demonstrates the claims that can be brought against organizations under new California laws

by Andrew Chase
July 17, 2026
in Data Privacy
website opt out banner

Compliance teams may think adding consent-or-opt-out banners for user data sharing is enough, but Andrew Chase of Constangy encourages them to think again. Without proper testing, a common quirk with cookies can put organizations at risk of lawsuits under California’s privacy, business and consumer protection laws.

Recent developments in the litigation of California Invasion of Privacy Act (CIPA) wiretap and pen register sections warrant an evaluation of current practices by technical and compliance teams. 

New claims asserted by plaintiffs move beyond the original CIPA litigation ecosystem and expand into larger risks and the potential for much larger damage awards due to assertions of unfair and deceptive business practices. The typical risk of damages for CIPA claims is largely statutory-based, with CIPA providing a $5,000 statutory damage or potentially three times actual damages, whichever is greater. 

However, by combining a CIPA claim with a claim under the California Unfair Competition Law (UCL), plaintiffs can expand the scope of damages to include advertising technology revenues received by the defendant, moving the damage calculation from nominal to whatever profits can be attributed to the defendant’s revenues driven by the use of the plaintiff’s data within the AdTech ecosystem.

Business claims

These claims stem from the assertion of an unlawful, unfair or fraudulent business act that is typically tied to a broken consent banner, a website’s mechanism that provides an individual user with the ability to consent to the use of AdTech tracking or to opt-out. These banners often fail, typically due to an order of operations issue, largely tied to how an individual website page presents data to a user. 

The general concept is that the page will display in a layered manner with the consent-opt-out banner being the last aspect of the page to display to the user. Functionally, this is what places the consent/opt-out banner on top of the page. However, some implementations are placing AdTech within the page, which will activate or fire before a user is even presented with the consent-opt-out banner due to the order of operations. With a banner-opt-out present, the website owner has promised to follow a user’s preferences. However, in the broken-banner scenario, the AdTech has already fully executed and transmitted, used or collected the user’s data, regardless of what the user chose after being presented with the consent-opt-out banner. 

Broken-banner cases are loosely grouped under the concept of a failed consent management platform. Under these circumstances, plaintiffs allege that the nonfunctional opt-out mechanism is a separate claim of a deceptive act by the defendant.

A plaintiff UCL claim is pleaded by three prongs:

  • Unlawful: The CIPA violation itself is the predicate unlawful act.
  • Fraudulent: The banner promised opt-out capability that didn’t exist.
  • Unfair: Data was collected and monetized in breach of the disclosed privacy policy.
data privacy concept human figure padlock
Data Privacy

Data Privacy Rules Built for Human Behavior Have an AI Agent Problem

by Srikanth Sallaka
June 8, 2026

Regulators are beginning to treat under-governed AI deployments as intentional conduct

Read moreDetails

Consumer claims

Where the website has a commercial component (say, e-commerce or subscriptions), plaintiffs are leveraging the Consumers Legal Remedies Act (CLRA) — California’s consumer-protection statute — arguing the defective consent mechanism was a deceptive representation in connection with a consumer transaction. The CLRA adds actual damages, punitive damages and attorney fees. The consent-opt-out banner failure is the misrepresentation that a user can control your data when in fact a user cannot.

Plaintiffs are also expanding into diverse common-law theories of fraud or deceit where the consent banner affirmatively represented opt-out functionality. This permits punitive damages under the state’s breach of obligation civil code, which requires clear and convincing evidence of malice, oppression or fraud. But if the defendant knew the banner was broken and continued operating it, the “knowing” element is in play. Internal communications about consent management platform deficiencies become critical discovery targets.

The main issue many defendants face is that, while a working consent-opt-out banner is present on their websites, due to the order of operations, the plaintiff’s choice cannot be honored because AdTech has already fully executed prior to any choice being made. This is the crux of the assertions in the case Pflaumer v. Ace Hardware.

The issue presented in this litigation is not unique; this is becoming part of the standard set of claims by plaintiffs. This is largely due to a misunderstanding of what compliance requires. Many website owners and operators have rushed to implement a consent-opt-out banner and, having done so, assume that compliance has been attained. However, pure implementation has, in many circumstances, created additional risk of liability and potential for larger damage awards because website owners and operators have failed to ensure that AdTech does not execute in circumstances where consent was not granted or where a user has opted out.

Fixing the issue

To address this, website owners and operators need to regularly review and test the operation of the consent-opt-out function, preferably as part of the normal change-management cycle. There are many third-party tools that can be implemented to simplify this. However, website owners and operators should test user consent-opt-out functionality by capturing traffic from a test user connecting to the website regardless of what tool is implemented. 

A properly functioning consent-opt-out mechanism will show from the captured traffic that AdTech is either not present in the capture or will not collect data until after the user has affirmatively consented. Typically, this will show bidirectional communications between the user and the website without additional connections to AdTech vendor sites. Once consent is gained, the captured web traffic will show immediate execution of AdTech and the collection of user data. Conversely, the same capture should show that if a user’s choice is to opt-out, then AdTech will not be seen or present in the capture. To do this, technical teams should post implementation-capture communications from a tester connecting to the website. This traffic should then be analyzed with a specific eye toward whether AdTech is executing, and if so, if consent was gained before execution. 

In the Ace Hardware litigation, plaintiffs are asserting that AdTech executed before the consent-opt-out banner was presented. As a result, the plaintiff’s data was shared without their knowledge and specifically against their opt-out preference choice because by the time they made the choice to opt out, the AdTech implemented by Ace Hardware had already sent their data to third-party advertising partners.

While the immediate reaction for many companies is to incorporate a consent banner and opt-out function, this reaction should be tempered and driven by proper analysis by compliance and technical teams before implementation on websites. Using simple analysis tools will allow organizations and businesses to effectively implement compliance management processes without creating new risks of greater liability. Once implemented, compliance and technical teams should incorporate ongoing testing to ensure future changes and modifications do not create unintended consequences.

Tags: AutomationCorporate CommunicationTechnology
Previous Post

What Antitrust’s Indirect-Purchaser Doctrine Can Teach Tariff Refund Litigants

Next Post

Making It Easier to Go Public Isn’t the Same as Making It Easier to Be Public

Andrew Chase

Andrew Chase

Andrew Chase, a partner at law firm Constangy, Brooks, Smith & Prophete, defends organizations in complex class-action litigation arising from data security incidents and privacy-related claims. A Certified Information Systems Security Professional and Certified Information Security Manager, he brings more than two decades of combined legal, cybersecurity and technology leadership experience to his work.

Related Posts

uk flag garland

The UK’s FCA Is Weighing Real-World Impact, Not Just Careful Wording

by Chloe-Jane Belton
July 14, 2026

With disclaimers carrying less weight and financial promotion risk moving to the fore, perimeter compliance is becoming a matter of...

light bulbs lying on table

Debunking Myths Every Copyright Defendant Has Told Themselves

by Di'Vennci K. Lucas and Michael D. Hobbs Jr.
April 14, 2026

Be wary of hiding behind shield of fair use

office space printer

Uh-Oh, You Built a Compliance Automation Tool & Everybody Hates It

by Sumit Sharma
March 23, 2026

When the parallel run has no exit criteria, it stops being a safety net and becomes the process

mechanic working on john deere tractor

Warranty Language Might Be Your Biggest Right-to-Repair Liability

by Robin S. Crauthers
March 13, 2026

Watch for inconsistency among warranty phrasing, support scripts and consumer communications

Next Post
sec building sign

Making It Easier to Go Public Isn’t the Same as Making It Easier to Be Public

No Result
View All Result

Privacy Policy | AI Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Research
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2026 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
No Result
View All Result
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • Artificial Intelligence (AI)
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Downloads
    • Download Whitepapers & Reports
    • Download eBooks
  • Research
  • Books
    • CCI Press
    • New: Bribery Beyond Borders: The Story of the Foreign Corrupt Practices Act by Severin Wirz
    • CCI Press & Compliance Bookshelf
    • The Seven Elements Book Club
  • Podcasts
  • Webinars
  • Videos
  • Subscribe

© 2026 Corporate Compliance Insights