Cookie Banners a Key Aspect of Compliance, Lawyers Say
As litigation over wiretapping and other privacy claims continues to rise, having a cookie banner on your website remains an important defense, said Morrison Foerster lawyers during a webinar Wednesday. But there’s more to it than that, they added.
When thinking about the question ‘Who needs a cookie banner and why?’, “it’s a lot easier to answer if we could just drop the banner part,” said Mary Race, a lawyer specializing in privacy compliance and data security matters. “Who needs a cookie? Obviously, everyone.”
Many cases about the illegal disclosure of communications have been brought under the California Consumer Privacy Act (CCPA) and the California Invasion of Privacy Act (CIPA), the lawyers noted. But other states also have wiretapping and similar statutes, said Purvi Patel, a lawyer specializing in advertising, unfair competition, consumer fraud, and privacy matters.
Cookie banners are helpful in deterring wiretap claims, “because they will help establish consent in a way that will be obvious to the plaintiffs’ bar, meaning you may not get a demand letter in the first place if you have a robust cookie banner,” said Patel. If you get a demand letter, a cookie banner “will help you get rid of the case at a motion to dismiss stage.”
This can be an opt-in or an opt-out cookie banner, but the “consent defense is available only if the data is captured after visitors interact with the cookie banner,” she added. “A lot of times, this technology drops and starts running as soon as the visitor opens a web page … so the timing of when a cookie fires is going to be critically important.”
Race agreed and noted this is what happened in the Todd Snyder enforcement; the cookie banner didn't function properly, and users who wanted to opt out were unable to do so (see 2505060043).
Race also said that within cookie banners, it’s important to make sure there are no dark patterns, which occur when “a user interface has the effect of undermining or interfering with user autonomy, decision-making, or the ability to make a choice.” To avoid this, a banner must have symmetry and choice, meaning the user must pick between “accept all” and “decline all,” rather than between “accept all” and “cookie settings.”
The buttons also must be “literally symmetrical, meaning they need to be the same size, shape, color and font, and they need to be equally accessible,” she added. “Avoiding dark patterns also requires making sure that your process for a user to opt out does not require more steps or more effort than the process for them to opt in.”
The California Privacy Protection Agency’s (CPPA) enforcement action against Honda (see 2503120037) occurred because the car company required two steps for consumers to opt out but only one step for them to opt in, which is asymmetrical, Race said.
Transparency in cookie banners is also something regulators are focused on, she said, as highlighted by the settlement with Healthline. The California attorney general found that the company failed to disclose that it shared sensitive health information with advertising companies (see 2507030026).
Even though banners have issues, “in terms of an absent cookie banner, it all but guarantees that the plaintiffs’ lawyers will come knocking,” Patel said. Banners are “not strictly required,” so regulators may not come knocking, but “it’s almost a guarantee that the plaintiffs’ lawyers will see a website that doesn’t have a cookie banner and put that on their priority list to target.”
But having a cookie banner is not enough, she said. It needs to function appropriately, and to do that, companies and marketing teams must “understand what technologies are running on the website, what information is being collected and where it’s going.”
Any “sort of active alert to website visitors and a forced engagement” are becoming “the most deterrent effect[s] for litigation here,” Patel said.
Additionally, “taking a sense of what is a high-risk activity versus what is a lower-risk activity” is important to ensure you’re not collecting too much or unnecessary data, she added.