OneTrust Faces Privacy Lawsuit Over Its Own Cookie Banner: How a New California Case Could Reshape Consent Management

Table of Contents

For more than a decade, OneTrust has occupied a unique position in the privacy technology market. The company built one of the world’s largest privacy software platforms by helping organizations navigate increasingly complex compliance obligations surrounding cookies, consent management, data governance, artificial intelligence, and consumer privacy rights. Its software appears on hundreds of thousands of websites, and its customer roster includes Fortune 500 companies, global financial institutions, healthcare organizations, retailers, manufacturers, and government entities.

Now, the company finds itself on the other side of the privacy equation.

A newly filed lawsuit in the Superior Court of California, County of Los Angeles alleges that OneTrust’s own corporate website deployed advertising and tracking technologies before visitors had provided legally sufficient consent and, according to the complaint, continued doing so even after a user selected a “Reject All” option within its cookie consent banner. The plaintiff asserts claims under California’s Trap and Trace provisions of the California Invasion of Privacy Act (“CIPA”) as well as the common law tort of intrusion upon seclusion.

The allegations have not been proven, and at the time of writing they represent only the plaintiff’s claims. Whether the court ultimately accepts those legal theories—or whether the underlying factual allegations are substantiated through discovery—remains to be seen and creates a stir up in the data privacy community as this is exactly what OneTrust and every CMP protects against.

Yet regardless of the outcome, the lawsuit is noteworthy for reasons that extend well beyond the parties involved.

This is not merely another website privacy lawsuit against an online retailer or healthcare provider. It is a lawsuit directed at one of the industry’s most recognizable privacy software companies. It arrives at a time when regulators across Europe and the United States have repeatedly emphasized that obtaining valid consent is not simply a matter of displaying a cookie banner—it requires that the underlying technologies behave consistently with the choices users make.

For privacy professionals, chief privacy officers, compliance attorneys, software developers, and corporate boards, the litigation raises an uncomfortable but important question:

If a company whose core business is privacy compliance can face allegations concerning its own consent implementation, what does that say about the broader state of cookie compliance across the internet and the motivations of plaintiffs attorneys or do they have a bone to pick with OneTrust specifically?

Onetrust Data Privacy Violation Lawsuit Scott Ferell Pacific Trial Attorneys

Why This Lawsuit Matters Beyond OneTrust

Website privacy litigation has expanded dramatically over the past five years.

Initially, many cases focused on traditional wiretap theories involving chat widgets or session replay software. Plaintiffs alleged that third-party technology providers intercepted electronic communications without consent.

The next wave centered on tracking pixels and advertising technologies embedded within websites.

Today, privacy litigation is evolving again.

Rather than focusing exclusively on whether a tracking technology exists, plaintiffs increasingly scrutinize when it activates, what information it collects, how consent is obtained, and whether organizations actually honor the choices presented within their own consent interfaces.

That evolution makes this lawsuit particularly significant.

The complaint does not merely allege that tracking technologies existed on the website. Modern websites commonly incorporate dozens of third-party services for analytics, advertising, marketing automation, fraud prevention, and customer engagement.

Instead, the complaint focuses on the relationship between the consent mechanism and the underlying technologies. According to the plaintiff, visitors were presented with a cookie banner representing that they could choose whether non-essential tracking technologies would be activated. The plaintiff alleges that various tracking technologies nevertheless executed before legally sufficient consent and despite the user’s decision to reject tracking.

If those allegations were ultimately proven, the dispute would concern not merely the presence of cookies, but whether the consent experience accurately reflected what the website actually did.

That distinction has become increasingly important under modern privacy regulation.

Inside the Complaint

The lawsuit, Lucas Orellana v. OneTrust LLC, was filed on June 25, 2026, by Pacific Trial Attorneys, APC. The plaintiff is represented by attorneys Scott J. Ferrell and Victoria C. Knowles.

At the center of the complaint is what the plaintiff characterizes as a “bait and switch.”

According to the complaint, visitors arriving at OneTrust’s website encountered a consent banner that represented they could choose whether non-essential tracking technologies would be permitted. The complaint alleges that despite this representation, third-party technologies were deployed before legally valid consent and that tracking continued after the plaintiff selected “Reject All.” Those allegations have not yet been tested in court.

The complaint identifies numerous categories of information that it alleges were collected, including browsing behavior, referring URLs, session identifiers, device information, browser identifiers, geolocation data, user interaction data, demographic information, interests, and preferences. It further alleges that this information enabled cross-device identification and advertising activities commonly referred to as fingerprinting.

Importantly, the complaint also identifies several categories of third-party advertising and marketing technologies that the plaintiff alleges were present on the website, including technologies associated with Adobe Advertising, Adobe Marketo, Google Advertising, LinkedIn, Microsoft Advertising, Xandr, 6sense, and others. The complaint’s legal dispute concerns whether these technologies were activated before legally sufficient consent or despite an expressed rejection of tracking.

That distinction is significant because the presence of a technology on a website is not, by itself, unlawful. The legal questions typically concern how the technology operates, what data it collects, whether applicable law requires prior consent, and whether any required consent was validly obtained.

A New Chapter in California Privacy Litigation

The legal theory advanced in this case illustrates how rapidly website privacy litigation has evolved.

Only a few years ago, much of the litigation under California’s Invasion of Privacy Act focused on whether chat technologies, session replay tools, or pixels constituted unlawful interceptions of electronic communications.

Plaintiffs have since expanded those theories considerably.

Recent complaints increasingly examine browser metadata, HTTP headers, IP addresses, cookie identifiers, routing information, advertising identifiers, browser fingerprints, and other technical elements that traditionally received little public attention outside engineering circles.

The OneTrust complaint represents another step in that evolution by invoking California’s “Trap and Trace” provisions—statutory language originally developed in the context of telephone communications but now argued to apply to modern web technologies.

Whether courts ultimately agree with that interpretation remains an open legal question, but the lawsuit underscores a broader trend: plaintiffs’ firms continue to explore how decades-old privacy statutes may apply to contemporary digital tracking practices.

Scott Ferrell and the Expansion of Website Privacy Litigation

Few attorneys have been more closely associated with modern website privacy litigation than Scott J. Ferrell.

Over the past several years, Ferrell and Pacific Trial Attorneys have filed a substantial number of lawsuits involving website tracking technologies, online privacy practices, chat platforms, pixels, session replay technologies, and related issues under California law.

Regardless of whether defendants ultimately prevail or settle individual cases, the firm’s litigation has contributed to the development of legal theories that increasingly shape discussions among privacy lawyers, compliance officers, insurers, and technology vendors.

Many organizations that previously viewed website tracking as a purely technical or marketing issue now evaluate it through a litigation risk lens. Consent banners, cookie configurations, tag managers, and marketing pixels have become frequent subjects of legal review, not simply engineering implementation.

The OneTrust lawsuit therefore fits within a broader evolution of CIPA litigation rather than standing as an isolated dispute.

In many respects, the complaint reflects how website privacy cases have matured. Earlier litigation often focused on a single technology or communication channel. More recent cases examine the entire consent ecosystem—from what users are told, to what technologies load, to whether those technologies align with user choices and statutory requirements.

The Evolution of CIPA Litigation: From Telephone Wiretaps to Browser Fingerprints

To understand why Orellana v. OneTrust has attracted attention, it helps to understand how California privacy litigation has evolved over the past decade.

When the California Legislature enacted the California Invasion of Privacy Act (CIPA) in 1967, lawmakers were concerned primarily with telephone wiretapping. The statute was designed to prevent unauthorized interception of communications and the use of technologies that secretly monitored telephone calls and signaling information.

Nearly sixty years later, courts are being asked whether those same statutory provisions apply to websites, browser communications, cookies, pixels, JavaScript libraries, browser fingerprinting, and sophisticated advertising ecosystems that lawmakers in the 1960s could never have imagined.

This evolution has occurred in distinct phases.

Wave One: Session Replay Litigation

The first major wave of website privacy litigation focused on session replay software.

Session replay platforms record how visitors interact with websites by capturing mouse movements, clicks, scrolling behavior, keystrokes (sometimes with masking), page transitions, and user interactions. Organizations use these tools to troubleshoot usability issues, identify bugs, optimize checkout flows, and improve customer experience.

Plaintiffs argued that, in some circumstances, allowing a third-party vendor to receive these communications constituted an unlawful interception under CIPA.

The result was a surge of litigation involving technologies such as session replay, with defendants arguing that service providers acted merely as extensions of the website operator, while plaintiffs contended that the providers were independent third parties.

Federal and state courts produced a patchwork of decisions, leaving businesses with considerable uncertainty.

Wave Two: Chat Technologies

Attention then shifted toward live chat platforms.

Modern customer service chats often route communications through cloud-based vendors. Plaintiffs asserted that these vendors intercepted communications without the required consent.

Although courts reached differing conclusions depending on the technology and contractual relationships involved, businesses quickly recognized that even commonplace customer service tools could create privacy litigation exposure.

Wave Three: Pixels and Advertising Technologies

The next phase involved marketing pixels.

Pixels from advertising platforms became central to numerous lawsuits after regulators and plaintiffs increasingly scrutinized how organizations shared browsing behavior, health information, purchase history, and website interactions with advertising ecosystems.

Healthcare organizations, universities, financial institutions, retailers, and online businesses all became defendants in cases alleging improper deployment of tracking technologies.

Simultaneously, regulators worldwide began issuing increasingly specific guidance regarding online tracking.

The message was remarkably consistent:

Displaying a consent banner is not enough.

Organizations must ensure that the underlying technologies actually behave consistently with users’ choices.

Wave Four: Browser Metadata and Trap-and-Trace

The newest frontier moves beyond the contents of communications themselves.

Instead, plaintiffs increasingly focus on the metadata surrounding those communications.

Examples include:

  • IP addresses
  • Browser identifiers
  • Cookie identifiers
  • Device identifiers
  • HTTP headers
  • Referrer URLs
  • Routing information
  • Session identifiers
  • Browser fingerprint components

The legal question is no longer merely whether information was collected.

Rather, plaintiffs increasingly ask:

Did the website capture signaling information that identifies the origin of an electronic communication?

That question lies at the heart of the OneTrust complaint.

Understanding the “Trap and Trace” Theory

One of the most technically interesting aspects of this lawsuit is the plaintiff’s reliance on California’s Trap and Trace provisions.

Historically, a trap-and-trace device captured information about telephone calls—not the conversation itself, but the routing information associated with that communication.

The complaint argues that many modern web technologies perform an analogous function.

According to the complaint, browser requests automatically transmit various categories of routing and signaling information whenever a visitor loads a webpage.

Examples discussed in the complaint include:

  • originating IP address
  • browser identifiers
  • cookie IDs
  • session identifiers
  • referrer information
  • routing metadata
  • browser fingerprint characteristics

The plaintiff contends that these technologies capture signaling information that identifies the source of electronic communications and therefore qualify as modern trap-and-trace processes under California law.

Whether courts ultimately agree remains uncertain.

Several technology companies and defense firms have argued that extending telephone-era statutes to ordinary internet communications stretches the statute beyond what the Legislature intended.

Plaintiffs, by contrast, argue that technology has evolved while the underlying privacy interests protected by the statute have not.

Regardless of where courts eventually land, the legal theory itself represents one of the fastest-growing areas of California privacy litigation.

The Complaint’s Central Allegation

Although headlines may focus on cookies, the complaint actually alleges something more specific.

The plaintiff does not merely allege that OneTrust’s website used advertising technologies.

Most sophisticated corporate websites do.

Instead, the complaint alleges that the website represented users could reject non-essential tracking while simultaneously allowing tracking technologies to execute before legally valid consent and despite the user’s rejection choice. Those allegations remain unproven.

That distinction matters.

A privacy lawsuit challenging the mere existence of cookies would be relatively routine.

A lawsuit alleging that a consent mechanism failed to reflect the website’s actual technical behavior raises broader questions about implementation, governance, testing, and validation.

Those are issues every organization—not just OneTrust customers—must confront.

Why Consent Banners Continue to Fail

One of the most common misconceptions among executives is that purchasing a Consent Management Platform automatically creates compliance.

It does not.

Consent management software is only one component of a much larger technical ecosystem.

A compliant implementation typically requires coordination among:

  • marketing teams
  • developers
  • tag managers
  • analytics platforms
  • advertising vendors
  • CMS administrators
  • privacy counsel
  • IT operations

Any breakdown in that chain can undermine an otherwise well-designed consent program.

Among the most common implementation failures are:

  • marketing scripts hard-coded into templates rather than controlled through the CMP;
  • Google Tag Manager containers configured to fire tags before consent checks occur;
  • custom JavaScript that bypasses consent APIs;
  • asynchronous loading sequences creating race conditions;
  • third-party plugins introducing new trackers without governance;
  • legacy code remaining active after website redesigns; and
  • marketing teams deploying new pixels without privacy review.

In those situations, the issue may not be the consent software itself.

Rather, the software may have been implemented incorrectly, overridden by custom code, or never fully integrated into the organization’s broader technology stack.

That distinction is increasingly reflected in regulatory guidance around the world.

Regulators Have Been Delivering the Same Message

European regulators were among the first to emphasize that consent must be obtained before non-essential technologies are activated where consent is required.

Data protection authorities have repeatedly stressed that:

  • consent should be freely given;
  • users should be able to reject tracking as easily as they accept it;
  • “Reject All” options should function as represented;
  • organizations should not deploy non-essential cookies before obtaining valid consent where required by law; and
  • businesses remain responsible for the behavior of technologies operating on their websites.

Similarly, U.S. privacy regulators—including the California Privacy Protection Agency and multiple state attorneys general—have increasingly examined whether companies’ public privacy representations accurately reflect their technical implementations.

The common theme across jurisdictions is straightforward:

Compliance depends not on what the banner says, but on what the website actually does.

That broader regulatory backdrop helps explain why lawsuits challenging consent implementations continue to attract significant attention.

More Than a Vendor Question

The OneTrust litigation also illustrates an important principle that is sometimes misunderstood by organizations evaluating compliance software and technology vendors provide tools. Meanwhile this comes at a potentially tumultuous time for the company from the stand off lawsuit with the board members and co-founders a few years ago to the latest saga when the founder suddenly stepped down earlier this year, they have a newly driven focus to AI Governance as they shift away from focusing on data privacy, and a potential sale of OneTrust never seemed to have materialized at the end of last year.

Organizations remain responsible for how those tools are configured, integrated, maintained, monitored, and tested within their own environments.

Regulators have consistently emphasized that responsibility for legal compliance generally rests with the organization operating the website—not simply the software vendor supplying one component of the compliance program.

That principle is likely to remain central to website privacy enforcement regardless of how this particular lawsuit is resolved.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.