The Rise of Cookie Banner Class Actions: What Consumers Should Know About Online Tracking and Privacy Rights

Cookie banners have become so common that many people barely notice them anymore. You visit a website, a box pops up, and you are asked whether you want to accept cookies, manage preferences, or reject non-essential tracking. 

For many consumers, clicking “reject all” feels like a simple privacy choice: No, I do not want this website to track me beyond what is necessary for the site to work.

But what if that choice is not actually honored?

A new wave of privacy lawsuits is raising that exact question. According to recent reporting, several putative class actions filed in California allege that certain websites displayed cookie banners giving users the option to decline non-essential cookies, but then continued to place or use tracking cookies anyway. 

In other words, a website may have told users they could opt out of being tracked, accepted that choice, and then allegedly failed to respect it.

For consumers, a cookie banner is supposed to create transparency and control. It tells people what information may be collected and gives them a choice about whether certain kinds of tracking should happen. When that system fails, the banner may become more than an annoying pop-up. It may become a misleading lie.

What Are Cookies, and Why Do Websites Use Them?

Cookies are small pieces of data that websites place on a user’s browser or device. Some cookies are considered essential because they help a website function. They may keep a user logged in, remember what is in a shopping cart, or support basic security features.

Other cookies are not strictly necessary for the site to work. These may be used for analytics, targeted advertising, user profiling, cross-site tracking, or marketing measurement. They can help companies understand how visitors move through a website, what products they view, what ads they click, and what kinds of content may influence their behavior.

That kind of tracking can be valuable to businesses. It can also feel invasive to consumers, especially when it happens after someone has clearly chosen to opt out.

This is why cookie banners matter. A properly functioning banner should tell users what kinds of cookies are being used and give them a meaningful opportunity to control non-essential tracking. If a consumer clicks “reject all” or disables advertising cookies, the website should not continue to collect the very data the consumer declined to share.

What Are Cookie Banner Class Actions Alleging?

The lawsuits described in recent privacy litigation reporting generally follow a similar pattern. A consumer visits a website. The website presents a cookie banner. The consumer chooses to decline non-essential cookies or opt out of tracking. But because of an alleged technical issue, coding problem, or faulty configuration, the site continues to drop cookies or collect data anyway.

The legal theory is straightforward: the website allegedly represented that users had control over non-essential tracking, but the site’s technology did not honor that choice.

That makes these cases different from some earlier online tracking lawsuits. In many digital privacy cases, companies argue that users had little expectation of privacy when browsing a public website. But cookie banner cases may give plaintiffs a more direct argument: the company allegedly asked for a privacy preference, received a clear answer, and then failed to follow it.

In that sense, the cookie banner itself may become central to the case. If a website says, “Reject all non-essential cookies,” consumers may reasonably believe that clicking the button means non-essential cookies will be rejected. If that does not happen, the alleged problem is not just hidden tracking. It is the gap between what the website said and what the website did.

Why This Matters for Consumers

Most people do not have the technical ability to inspect a website’s code, review tracking scripts, or confirm whether advertising cookies are still being placed after they click “reject.” They rely on the website’s own privacy tools to work.

That trust is important. Consumers are increasingly asked to make privacy decisions online, often in a matter of seconds. They are asked to accept or reject cookies, manage settings, opt out of the sale or sharing of personal information, and navigate privacy preference centers that can be confusing even for sophisticated users.

When a consumer takes the time to say no to non-essential tracking, that choice should mean something.

Faulty cookie banners can undermine that choice. A person may continue browsing a website believing they have limited data collection, while tracking tools continue to collect information about their activity. Depending on the website and the technologies involved, that activity may include pages viewed, products searched, videos watched, forms visited, device identifiers, IP addresses, or other digital signals that can be used for advertising or analytics.

Not every cookie issue will create a legal claim. But when a company offers users a privacy choice and then allegedly fails to honor it, consumers may have reason to ask whether their rights were violated.

What Kinds of Claims May Be Involved?

Cookie banner lawsuits may involve several different legal theories, depending on the facts, the state, and the type of data involved. Some cases have raised claims under California privacy laws, including theories related to wiretapping or pen register statutes. Others may involve invasion of privacy, intrusion upon seclusion, misrepresentation, unjust enrichment, or consumer protection claims.

These claims can be complicated. Courts may have to decide whether the data collected was sensitive enough, whether the consumer suffered a legally recognized injury, whether the website’s disclosures were misleading, whether the company had consent, and whether a proposed class of affected users can actually be identified.

Those challenges are real. But they do not erase the core concern for consumers: websites should not say one thing about privacy while doing another.

The rise of these lawsuits reflects a larger shift in digital privacy litigation. For years, many companies treated website tracking as a routine part of doing business. Today, plaintiffs, regulators, and consumers are taking a closer look at whether those tracking practices are properly disclosed, whether consent is meaningful, and whether opt-out tools actually work.

Regulators Are Paying Attention, Too

The litigation trend is not happening in a vacuum. Privacy regulators have also scrutinized companies over opt-out mechanisms, privacy portals, cookie preference centers, and the way consumer choices are handled.

In 2025, the California Privacy Protection Agency ordered clothing retailer Todd Snyder, Inc. to pay a six-figure fine and change certain business practices after allegations involving California Consumer Privacy Act violations. The agency said the company’s mechanisms for submitting and managing opt-out preferences were not properly configured, among other alleged issues.

That enforcement action sends a broader message: companies cannot simply install privacy tools and assume their job is done. If a website uses a cookie banner, consent management platform, or privacy preference center, the company may need to make sure it actually works as promised.

For consumers, that matters because privacy rights are only meaningful if the systems built to protect them function in the real world.

How Could a Cookie Banner Fail?

A cookie banner can fail for many reasons. A website may update its design, add a new advertising partner, launch a campaign, install a new analytics tool, or change the way scripts load on the page. A third-party consent management platform may be misconfigured. A “reject all” button may not block every category it is supposed to block. A privacy preference center may appear to save a user’s choice while tracking continues in the background.

The problem is that these failures may not be obvious to the average user. If a checkout button breaks, the company will probably know quickly because customers cannot complete purchases. If a cookie banner fails, the website may still appear to work normally. Users may have no idea that their privacy choice was ignored.

That is one reason these cases are getting attention. A broken cookie banner may affect thousands or even millions of visitors before anyone notices.

What Should Consumers Watch For?

Consumers should pay attention to how websites present privacy choices. A cookie banner that makes it difficult to reject tracking, hides opt-out options, repeatedly pushes users toward “accept all,” or appears not to save preferences may raise concerns.

After choosing to reject cookies, users may also notice that some websites continue showing personalized ads, reload consent prompts repeatedly, or behave as though preferences were never selected. Those signs do not automatically prove unlawful conduct, but they may be worth documenting.

Consumers who are concerned about online tracking can also use browser privacy settings, clear cookies, limit cross-site tracking, and consider privacy-focused browser extensions. However, those tools do not replace a company’s obligation to honor the choices it presents to users.

If a website offers a clear opt-out, consumers should be able to trust it.

What Should You Do if You Believe a Website Ignored Your Cookie Choice?

If you believe a company continued tracking you after you rejected non-essential cookies, there are a few steps that may help preserve information.

Take screenshots of the cookie banner, including the options presented. Capture the date and time you selected “reject all” or changed your preferences. Save any privacy policy, cookie policy, or preference center language that explains what the company says it will do. If you later receive targeted marketing or see signs that your browsing activity was still being tracked, document that as well.

You do not need to be a technology expert to ask whether your privacy rights were respected. Many consumers have no way of knowing what happens behind the scenes after they click a button. That is precisely why truthful disclosures and functioning opt-out tools are so important.

Morgan & Morgan Is Investigating Digital Privacy Violations

Online privacy should not depend on whether a consumer can decode tracking technology or inspect a website’s hidden scripts. If a company gives users a choice to reject non-essential cookies, that choice should be honored.

Morgan & Morgan is investigating potential claims involving website tracking, faulty cookie banners, misleading privacy tools, and other digital privacy violations. If you believe a website ignored your opt-out choice or collected your information after you declined tracking, you may have legal rights.

Contact Morgan & Morgan today for a free case evaluation to learn more about your legal options.