Cookie Banner Privacy Suit Surge Puts Website Operators on Edge

Website operators are finding themselves squeezed between marketing revenue and litigation risk as they confront a recent, sharp rise in lawsuits over allegedly faulty cookie banners.

The banners—pop-up windows that let you know a website will install cookies and asks whether you want to accept them—are a response to privacy litigation challenging the collection of consumer data for advertising purposes.

The idea is to give consumers more control over their data by allowing them to reject tracking cookies during their website visits.

But over the past year and a half an increasing number of lawsuits allege that many websites continue to collect users’ data and disclose it to third parties even after they click the “reject all” button commonly provided in cookie banners.

The lawsuits highlight the legal uncertainties around online data collection and the challenge of creating tools to address them without the tools themselves becoming the next litigation target.

“The cookie-consent solution is basically a way to address consent in a very unclear legal landscape, but you’ve got to make sure you say what you’re doing, and do what you say,” said Odia Kagan, chair of the data privacy compliance group at Fox Rothschild LLP.

“Because if the banner doesn’t do what it says it’s going to do, that’s a misrepresentation, and that can open you up to a lot of different causes of action,” she said.

From Solution to Target

Cookie banners that acted primarily as disclosures of website data-collection practices have been around for years.

But lawsuits targeting the failure to honor a consumer’s opt-out request really got started 18 months ago, said Alexis Buese, a partner at Bradley Arant Boult Cummings LLP who defends companies in data-privacy class actions.

A handful of the suits—four—were first filed in federal courts in late 2024. That figure jumped to 40 in 2025 and 49 so far in 2026, according to a Bloomberg Law docket analysis.

Most of these lawsuits include wiretapping allegations under the California Invasion of Privacy Act, a fertile source of privacy litigation claims.

Claims of common-law fraud—aimed at allegedly deceptive functioning of cookie banners—are also common in the recent suits, unlike in earlier litigation over online data collection generally.

The CIPA wiretapping claims are particularly irritating to website operators that thought they were in the clear because cookie banners were implemented to comply with another California statute, the California Consumer Privacy Act, said Kathleen McConnell, a partner with Seyfarth Shaw LLP who focuses on data privacy and cybersecurity.

“You have a well-developed regulatory structure coming from the CCPA side, where the legislature made clear decisions about what triggers potential exposure for companies,” she said.

“It provides very clear direction around what the banners should look like and how you have to interact with the banner, but then you have these overlapping considerations coming from CIPA, the penal code side, that was definitely not drafted with the internet in mind,” she said.

That tension has spurred companies to ask the California Legislature to clarify how CIPA should apply to online data-tracking, McConnell said.

‘Reject All’

A key feature of many cookie banners is the “Reject All” button, which appears to offer consumers a simple way to ensure that their data won’t be collected during a visit.

The button in part came about because of pressure from California regulators for website operators to eliminate “dark patterns” in their cookie banners—design choices that manipulate users into allowing more data collection than they want—said Robert E. Braun, a partner and co-chair of the cybersecurity and privacy group at Jeffer Mangels & Mitchell LLP.

The California Privacy Protection Agency’s enforcement advisory, issued shortly before the litigation surge, provides guidance on how website operators can avoid cookie-banner dark patterns that undermine consumers’ “autonomy, decision making, or choice.”

“It has to be as easy to opt out as to opt in, which means, to be compliant with California requirements, you’ll see ‘Accept’ and ‘Reject’ will be equally prominent,” Braun said.

But a button labeled “Reject All” doesn’t typically prevent the loading of all cookies on a site, Kagan said. “It really should say ‘Reject Non-Essential Cookies,’ because some cookies are necessary for a site to function,” she said.

The important distinction is between cookies that result in data sharing with third parties and those that don’t, she said.

“You’ve got to make sure that the thing that’s encompassed in the ‘Essential’ category is really essential, because if you put your targeted advertising cookies in there, it’s going to look like a misrepresentation, and it’s not going to work for you legally.”

Exposure Risk

Lawsuits targeting cookie banners are tempting for plaintiff-side firms for a variety of reasons, starting with the fact that CIPA claims can result in statutory damages of $5,000 per violation, Buese said.

“When you multiply that across a class, that’s a really significant exposure,” she said.

The suits also require less technological sophistication than other privacy lawsuits targeting how websites operate under the hood, McClellan said.

“As long as you have somebody that has the appropriate technical background, you can easily go to a website and examine whether or not the banner is up, what it says, whether or not it causes the user’s experience to be consistent with whatever choice the user elects of the banner,” she said.

Making sure that a cookie banner operates as advertised is essential to firms that need the data, Braun said.

“Because if you’re an e-commerce firm, and you’re aggressive about collecting data, you’re running a real risk that the regulators are going to be looking at you, and the plaintiff firms too.”