The Dollar Tree Cookie Conflict Around California’s “Broken Banner” Litigation


The “broken banner” has become the new frontier for high-stakes class action litigation. While 2024 was defined by the rise of CIPA wiretapping claims, 2025 and 2026 have shifted the focus toward a more deceptive phenomenon: the illusion of consent. 2027 will ramp up the fines for failing to respond to data broker removal requests.

The recent litigation against Dollar Tree Stores (specifically D’Antonio et al. v. Dollar Tree Stores, Inc., Case No. 5:25-cv-01601) serves as a masterclass in why technical accuracy is now the most critical component of a privacy program.

Anatomy of the Allegation: The Technical “Divergence”

The lawsuit, filed in the Northern District of California, doesn’t just claim that Dollar Tree tracked users. It alleges a specific, deceptive technical failure. According to the complaint, Dollar Tree’s website presented a standard cookie consent banner with a clear choice: “Reject Advertising Cookies.”

However, plaintiffs used technical forensic tools to demonstrate that even after a user clicked “Reject,” the website’s back-end code failed to trigger the necessary “kill signals.” Instead:

  • Third-Party Firing: Tracking pixels from Google and Meta (Facebook) continued to fire and transmit data packets.

  • Data Leakage: The transmitted data included “content of communications,” such as the specific products viewed, search queries, and navigation paths—all sent to third-party servers despite the express opt-out.

  • Deceptive UI: The lawsuit characterizes this as a “Dark Pattern,” a user interface designed to trick users into believing they have privacy protections that do not actually exist.

The Legal Triple Threat: CIPA, FACTA, and Common Law

What makes the Dollar Tree case particularly dangerous is the “stacking” of legal theories. Plaintiffs aren’t just relying on the CCPA (which has limited private right of action). They are utilizing:

1. CIPA Section 631 (Wiretapping)

Plaintiffs argue that by allowing third-party pixels to “listen in” on a user’s interaction with the site after they opted out, Dollar Tree facilitated an unauthorized interception of a communication. In late 2025, Northern District courts ruled that URLs and click-paths constitute “content,” making this theory a viable path to $5,000 per violation.

2. Intrusion Upon Seclusion

This is a “privacy tort” that has seen a massive resurgence. To win, a plaintiff must show a “highly offensive” intrusion into a private matter.

The Court’s Stance: In similar “broken banner” rulings from December 2025, judges have found that while browsing a public website isn’t normally “private,” it becomes private once a company promises to stop tracking. By breaking that promise, the intrusion becomes “deceptive” and thus “highly offensive.”

3. The FACTA Connection

Adding to Dollar Tree’s woes, separate litigation in early 2026 (Murphy v. Dollar Tree Inc.) alleged that the retailer was printing more than the last five digits of credit card numbers on receipts—a violation of the Fair and Accurate Credit Transactions Act (FACTA). This paints a broader picture for regulators of a company struggling with systemic data hygiene.

The “NVIDIA” and “Healthline” Precedents

Dollar Tree is not alone. The “Broken Banner” trend is hitting every sector:

  • NVIDIA (December 2025): Faced a near-identical suit alleging they “disregarded” visitor preferences.

  • Healthline Media ($1.55M Settlement): A landmark July 2025 case where the California AG proved that Healthline’s “triple opt-out” still left 118 third-party cookies active. This settlement included a permanent injunction, forcing the company to undergo rigorous technical audits.

The Data Privacy Enforcement Wave

The California Privacy Protection Agency (CPPA) and the Attorney General have moved from “education” to “execution.” In the first quarter of 2026 alone, we saw:

  • The Disney/ABC Settlement ($2.75M): The largest CCPA settlement to date, specifically citing “vendor and technological challenges” as no excuse for failing to honor opt-out signals.

  • The Rise of GPC: Regulators are now using automated “crawlers” to see if websites honor the Global Privacy Control. If your site ignores a browser-level “Do Not Track” signal, you are a sitting duck for an enforcement sweep.

Strategic Takeaways for GCs and CPOs

If the Dollar Tree case teaches us anything, it’s that privacy is now a DevOps problem.

  1. Stop Trusting the Dashboard: Just because your Cookie Management Provider (CMP) says “Blocked” doesn’t mean the scripts have stopped. You must perform Request/Response header audits to see what data is actually leaving the browser.

  2. Contractual Shielding: Ensure your vendor contracts (with Google, Meta, etc.) explicitly state they are “Service Providers” and not “Third Parties” under CCPA. Without this language, any data transfer is legally a “sale” or “share.”

  3. The “Symmetry” Rule: If your “Accept” button is a bright green 3D button and your “Reject” button is a hidden grey link, you are using a Dark Pattern. In 2026, this is a prima facie violation of the CCPA’s “frictionless” opt-out requirement.

  4. Minors as a Force Multiplier: As seen in the Paramount litigation, if your “broken banner” accidentally leaks the data of a child, your settlement costs will likely triple.

A malfunctioning “Reject” button is a litigation magnet. In the eyes of a California jury, a company that promises privacy and fails to deliver is viewed more harshly than one that never promised it at all. It’s important to figure this out before a firm such as Bursor & Fisher or Gutride Safier sends you a demand letter with a .har file showing how your website was not respecting users’ privacy choices.
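One way to run the request audit described above against a captured .har file (an added example, not from the original article or the litigation): it lists requests to Google and Meta hosts that started after the recorded “Reject” click. The domain watchlist, the function name `post_reject_tracker_hits`, the sample capture and the click timestamp are assumptions constructed for illustration.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Illustrative watchlist (assumption): registrable domains for the Google and
# Meta endpoints the article names. Extend it from your own vendor inventory.
TRACKER_DOMAINS = ("google-analytics.com", "doubleclick.net", "facebook.com")

def _ts(value):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _is_tracker(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)

def post_reject_tracker_hits(har, reject_clicked_at):
    """Return tracker requests that started after the recorded "Reject" click."""
    cutoff = _ts(reject_clicked_at)
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if not _is_tracker(host) or _ts(entry["startedDateTime"]) <= cutoff:
            continue
        hits.append({
            "started": entry["startedDateTime"],
            "host": host,
            # Parameter names only: enough to show what kind of data left.
            "params": sorted(p["name"] for p in req.get("queryString", [])),
            "sent_cookies": bool(req.get("cookies")),
        })
    return hits

# Constructed sample capture (not real traffic): one tracker hit before the
# click, one first-party request, and two tracker hits after the click.
def _entry(ts, url, names=(), cookies=()):
    return {"startedDateTime": ts, "request": {"method": "GET", "url": url,
            "queryString": [{"name": n, "value": "x"} for n in names],
            "cookies": [{"name": c, "value": "x"} for c in cookies]}}

SAMPLE_HAR = {"log": {"entries": [
    _entry("2026-01-15T10:00:01.000Z", "https://www.google-analytics.com/g/collect", ["dl"]),
    _entry("2026-01-15T10:00:09.000Z", "https://shop.example/search", ["q"]),
    _entry("2026-01-15T10:00:12.500Z", "https://www.facebook.com/tr", ["dl", "ev", "id"], ["fr"]),
    _entry("2026-01-15T10:00:13.000Z", "https://www.google-analytics.com/g/collect", ["dl", "en"]),
]}}
REJECT_CLICKED_AT = "2026-01-15T10:00:05.000Z"

if __name__ == "__main__":
    for hit in post_reject_tracker_hits(SAMPLE_HAR, REJECT_CLICKED_AT):
        print(hit)
```

An empty result on a capture that covers several page views after the click is the outcome to aim for; any hit is a request worth tracing back to the tag that issued it.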
