On April 16, data privacy law regulators in seven states announced the creation of the Consortium of Privacy Regulators, a bipartisan group of state regulators seeking to “share expertise and resources, as well as coordinate efforts to investigate potential violations of applicable laws.” This coordination may already be bearing fruit in one area in particular—the use of “cookie banners” on digital properties.
Despite not being expressly required in the United States, the use of cookie banners has grown as a preventive measure to ward off “cookie” litigation or to create a “global” approach to leverage ePrivacy Regulation and GDPR compliance tools. Recent actions in the states show how those good-faith efforts may run headlong into state data privacy law compliance issues.
The consortium announced earlier this month includes regulators from California, Connecticut, Colorado, Delaware, Indiana, New Jersey, and Oregon. Both California and Connecticut made public comments about how they see cookie banners interacting with state omnibus data privacy laws, and potential “dark patterns” that may result from certain cookie banners. These two enforcers have signaled the start of a broader review of how companies implement cookie banners (even if those companies do not intend the cookie tool to function as a state privacy law opt-out tool).
Below we highlight the recent discussions of cookie banners in the California Privacy Protection Agency’s (CPPA) enforcement action and the Connecticut attorney general’s (AG) enforcement report.
An Asymmetric Choice in California
The California order discusses the use of cookie management software for a variety of cookies, including analytics and advertising uses, and builds on 2024 guidance on cookie banners and “dark patterns” from the CPPA. The CPPA took issue with the fact that businesses allowed consumers to “accept all” cookies through a single action, but to opt out of any cookies, including for uses that involved sale or sharing of personal data, a consumer would need to take at least two steps. To the CPPA, this implementation lacked the necessary “symmetry” required by California law for consumer rights choices.
Although the business subject to the CPPA’s order offered consumer rights choices through other means, the CPPA held that the cookie banner was a consumer rights request tool subject to all requirements of the CCPA and its regulations for how those tools must function. In addition, the CPPA described the cookie management tool as a method for obtaining consent for the user of personal information in other ways described in the tool. The CPPA then applied the symmetry requirement to this “cookie consent” process for performance and analytics cookies (activity not necessarily subject to opt-out requirements under the law if the analytics provider functions as a “service provider”).
Expanded Focus on Cookie Banner Compliance in Connecticut
The Connecticut AG’s enforcement report stated plainly that that its office will “expanded [its] focus to include not just privacy notices but also cookie banners,” and that it conducted a sweep of this activity in 2024. Part of this focus is on ensuring that cookie banners do not override, undermine, or otherwise confuse consumer choices made elsewhere. The AG stated that cookie banners that do not offer symmetrical choices likely fail to offer compliant choice and are also potentially “dark patterns.”
Like California, the AG stated that companies that offer banners with an “accept all” choice should also offer an equally prominent “reject all” choice for symmetry. Furthermore, the AG suggested that either the banner be displayed whenever the consumer accesses the property and/or the choice tool should be “prominently displayed” on the site so the consumer can make choices at any time. The AG noted that it plans to engage in an additional sweep of cookie banner use in 2025.
Companies Should Review Cookie Banner Implementation
If your company uses cookie banners for any reason (wiretap litigation prevention, EU requirements, etc.), you should review its implementation for “symmetry” and potential dark patterns under state law. Additionally, you could consider amending how the cookie tool is used to differentiate its purpose from your state law obligations.
If you would like help determining how to use these types of tools effectively, contact the authors or visit Venable’s Privacy and Data Security web page.