Between December 2024 and February 2025, class action lawsuits were filed in federal court in Northern California against six corporations, several of which are multinational.
The lawsuits allege that visitors to these companies’ websites continued to be tracked after explicitly opting out via a consent management platform (CMP).
All of the websites in question use a consent management platform (CMP) that displays a cookie banner, and allege that the websites failed to correctly honor users’ opt-out requests.
The lawsuits allege that these actions violated a number of laws, and the legal action is also interesting given the privacy model used in some of the relevant regulations the lawsuits say were violated. Additionally, these cases may prove to be high profile tests of enforcement of California’s privacy laws.
We look at what the specific alleged violations are, what laws may have been broken, and what this could mean for privacy regulatory enforcement in California.
What was the alleged violation and how did it happen?
The defendants in the lawsuits — Dollar Tree, Constellation Brands, Motorola, Franchise World Headquarters (Subway), Politico, and Hilton Hotels — cover a wide variety of industries, but the alleged violations all took place on the companies’ websites.
The lawsuits allege that the companies use cookies on their websites to collect and process user data, including for tracking purposes, which is common practice.
Per the requirements of the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), website visitors must have the right to opt out of collection and processing of their personal data. This includes sale, sharing, or use of the data for targeted advertising or profiling.
The plaintiffs argue that they did opt out of data processing via the websites’ cookie banners, but that the companies continued to track their activities on those websites despite their opt-out choice.
By law, website visitors must be able to opt out of use of all but “essential” cookies that enable websites to work correctly. This is commonly done via a cookie banner, where the user can click a button or link to accept or reject cookie use and access to their personal data.
Such functionality is especially common on websites for companies operating in the European Union and other countries where data privacy laws require obtaining opt-in consent from individuals before any data is collected or processed.
US state privacy laws generally use an opt-out model for online tracking, where in most cases data can be collected or used without explicit user consent, but individuals must have the ability to opt out of data collection and use at any time.
Once a user opts out, a company has to stop tracking them and block the relevant trackers from activating for those users. The website for Hilton, for example, explicitly states that users can opt out of cookie usage.
What laws and their requirements were alleged to have been violated?
The lawsuits allege the following laws and rights were violated by the websites’ tracking:
- California Invasion of Privacy Act: Unauthorized interception of electronic communications (unlawful wiretapping) and unlawful use of a pen register (unauthorized installation or use of a device that records dialing, routing, addressing, or signaling information of communications transmitted by telephone or internet services, i.e. the use of website cookies and other tracking technologies.)
- Common law privacy rights: Invasion of privacy and intrusion upon seclusion, i.e. personal data that users expressly did not want accessed was allegedly still collected and used.
- Common law fraud and misrepresentation: False or misleading statements or actions intended to deceive another party, causing them harm, damage, or loss, i.e. stating that users can opt out of cookie use then allegedly still tracking them.
- Common law unjust enrichment: A person (company) cannot unfairly benefit at the expense of another, i.e. the defendants allegedly made money from the plaintiffs’ personal data, but the plaintiffs did not receive any remuneration.
- Common law trespass to chattels: Interference with a person’s lawful possession or use of personal property, i.e. allegedly the users’ personal data.
- Breach of contract: Based on the theory that the privacy policy or comparable document constitutes a contract that the defendants allegedly violated by explicitly stating that users can opt out of cookie use, and then not actually allowing them to do so.
The plaintiffs are seeking certification of the class action, as well as damages, restitution, disgorgement of profits (requiring the defendant companies to surrender profits earned from the allegedly illegal actions of tracking users), injunctive relief (requiring the defendant companies to stop tracking users who have opted out), and a jury trial.
What kinds of tracking were alleged to have continued after users opted out?
The companies named in the lawsuits are alleged to use third-party cookies from companies like Adobe, Google, and Microsoft to track user behaviors on their websites. The data collected can be processed to gain insights about user demographics and interests.
It can also be shared with or sold to other third parties, like Google Analytics, DoubleClick, or TikTok, for targeted advertising purposes and other uses.
What consent management tools were in use?
All of the companies named in the lawsuits were said to be using a commercial consent management platform and displaying a cookie banner. They also had privacy notices on their websites. Screenshots allegedly show cookies being set after users have opted out of their use.
As noted, the lawsuits do not allege that the CMPs were inactive or not working correctly, but that the noncompliant activities were intentional.
CMPs can often be extensively customized, not only the cookie banner’s appearance, but also how cookies are categorized and how consent choices affect their function.
Why are these class action lawsuits notable?
There have been many cases addressing alleged noncompliance with the General Data Protection Regulation (GDPR) in the European Union. However, the GDPR uses an opt-in consent model, and companies must get users’ permission to collect and use personal data before or at the point of collection.
These lawsuits are notable as they target companies based on their alleged failure to honor opt-out requests through CMPs. They emphasize the need for websites to honor their representations, and the importance of effective cookie and tracker management on websites.
Also of note is that the named defendants are all large multinational corporations and brands, so the alleged violations could affect many more people than if they had been small businesses.
Privacy-Led Marketing and how Usercentrics helps
These lawsuits point to concerns many marketers have in the privacy-led era, particularly related to potential loss of data and ad revenue if they are unable to access or use as much personal data as they previously could.
Issues with third-party data and better options
While companies around the world have relied on third-party data — typically collected by third-party cookies and similar tracking technologies — it has never been the gold standard.
Third-party data often comes with issues of consent regarding how it was collected and how it gets used, as well as problems with accuracy and the frequent need to aggregate large amounts of it to gain insights of value.
While phasing out reliance on third-party data and support for third-party cookies is ongoing, as these lawsuits show, these are still tools many marketers rely on, at least in part.
However, as data privacy laws continue to be implemented, these lawsuits show that potential consent requirements regarding collecting and processing third-party data should be top of mind for marketers, even if they are using a CMP.
The trust and growth opportunities of Privacy-Led Marketing
But it’s also an exciting time for marketers, as there’ve never been better strategies and tools to embrace Privacy-Led Marketing. Preference management, focusing on zero- and first-party data, using proven UX strategies and user interaction insights on cookie banners to optimize opt-in rates — these are just some of the ways marketers can work with their audiences to grow businesses.
You can get the data your company needs, with valid consent and in compliance with privacy regulations. And the data brings greater accuracy because it comes from those users directly.
Instead of tracking them, often without their knowledge, you can initiate a conversation. Ask customers about their preferences in products, services, communications, and more.
We have more opportunities than ever to demonstrate our dedication to respecting privacy and protecting data, and to delivering precisely the information and experiences customers want, exactly how they’ve asked for them.
Marketers also have best-in-class solutions like Usercentrics Web CMP and Preference Manager to help them execute privacy-led strategies. Achieve compliance with laws like the CCPA/CPRA and many more while building trust and protecting revenue.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
