The California Invasion of Privacy Act (CIPA) has become one of the most litigated privacy statutes in the country. In 2025 alone, plaintiffs filed more than 1,000 CIPA lawsuits, most of them targeting third-party cookies, tracking pixels, and similar technologies as either wiretapping tools or trap and trace devices.
CIPA Lawsuits Now Targeting Cookie Banners — And Opt-Out Failures Are in the Crosshairs
Now a newer litigation trend is emerging: plaintiffs are going after cookie banners themselves — specifically, banners that promise users the ability to opt out of tracking but fail to follow through on the back end. State regulators are moving in the same direction, actively scanning websites for opt-out compliance failures. If your site presents a cookie banner, the time to audit whether those opt-outs actually work is now.
How Cookie Banners Became CIPA Litigation Targets for Swigart, Manning Law, and Vivek Shah
CIPA dates back to 1967, when California lawmakers were focused on protecting residents from telephone and telegraph eavesdropping — not browser cookies. Yet courts have repeatedly interpreted the statute broadly, treating it as a flexible framework that reaches modern tracking technologies. That interpretive elasticity, combined with statutory damages of $5,000 per violation, has made CIPA an attractive vehicle for plaintiffs’ attorneys. The latest wave of litigation zeroes in on cookie banners as the alleged point of deception.
Three provisions of CIPA are most frequently invoked in these cases. Section 631 bars intentional wiretapping and the interception of communications in transit — a hook plaintiffs use when a site continues enabling third-party data capture despite a banner’s promise to block it. Section 632 protects confidential communications from being recorded without all parties’ consent and is gaining traction in cases involving sensitive data-sharing contexts. Section 638.51 prohibits the use of pen registers or trap-and-trace devices without a court order, and several California district courts have ruled at the pleadings stage that software-based trackers can qualify as such devices.
Inside the Cookie Banner Lawsuit Trend
CMP’s that are engaging in dark patterns = lawsuit and FTC regulatory action. CMP’s that don’t work involved privacy lawsuits from 22+ plaintiffs firms and one pro-se plaintiff. The common thread across these cases is a gap between what the cookie banner promises and what actually happens on the back end. The typical complaint alleges that a website presented users with meaningful opt-out options — a “Reject All” button, individual cookie toggles — yet continued firing third-party cookies, pixels, and tags to analytics, advertising, and social media partners after the user made their selection. Plaintiffs’ counsel is now arguing that this gap between the banner’s promise and the site’s technical behavior constitutes illegal wiretapping under CIPA.
D’Antonio et al. v. Smith & Wesson Inc.
In this case, Smith & Wesson’s website presented visitors with a pop-up cookie banner offering three options: Accept Cookies, Reject All, or Manage Privacy Preferences. The banner even stated that any detected opt-out preference would be honored. Plaintiffs alleged that the site placed first- and third-party cookies and allowed external tracking regardless of whether a user clicked Reject All.
The court dismissed the CIPA Section 631(a) wiretapping and Section 638.51 pen register claims — but not because the underlying legal theories were flawed. The dismissal came because plaintiffs failed to allege that they actually communicated with the website, a threshold requirement for showing that the “contents” of a communication were intercepted or that “dialing, routing, addressing, or signaling information” was captured. The door remains open for an amended complaint, and the case is not an endorsement of failing to suppress third-party tags when a user rejects them.
De Ayora et al. v. Inspire Brands, Inc. et al.
A class of California consumers sued Inspire Brands and several of its restaurant subsidiaries, alleging that the companies’ websites deployed cookies and tracking technologies — collecting browsing history, user inputs, geolocation data, and referring URLs — despite offering consent banners that purported to give users control over tracking.
Because the deceptive cookie banner was central to all of the claims, the court applied Rule 9(b)’s heightened fraud pleading standard. Plaintiffs could not adequately plead the “when” and “where” of the alleged misconduct, particularly given that the banners had been implemented and updated across different websites at different times over a four-year class period. All claims were dismissed with leave to amend.
Camplisson et al. v. Adidas America, Inc.
This case stands apart from the others because Adidas did not offer a cookie banner at all. Instead, the company’s only disclosures appeared through privacy policy and terms-and-conditions links tucked away in small font at the bottom of the page. Plaintiffs alleged that tracking pixels on the site collected timestamps, IP addresses, unique browser identifiers, device details, and browser information.
On Adidas’ motion to dismiss, the Southern District of California denied the motion in full on the Section 638.51 pen register claim. The court upheld plaintiffs’ statutory standing, rejected the argument that CIPA is limited to telephone communications, and found that the collection of IP addresses and browsing data constitutes a concrete injury. Critically, the court also rejected Adidas’ consent defense outright — footer-only disclosures with no affirmative opt-in mechanism do not satisfy CIPA’s conspicuousness requirement for valid user consent.
For businesses that have not yet deployed a cookie banner, Camplisson is a direct warning: a privacy policy link buried in the footer is not consent. But the flip side is equally important — a cookie banner that doesn’t actually work may be worse than no banner at all, because it creates an express promise that plaintiffs can then allege was broken.
CIPA Cookie Consent Banner Lawsuits Sky Rocketing This Year
All three cases remain at the pleadings stage, with no merits decisions yet. But the litigation trajectory is clear, and regulators are already running sophisticated website scans to identify opt-out failures — whether from manual user selections or automated signals like the Global Privacy Control (GPC).
Businesses should treat this as an urgent compliance matter. Audit your cookie management platform to verify that every opt-out selection — however a user makes it — is actually honored on the back end. A banner that looks right and functions wrong is exactly the target plaintiffs and regulators are now hunting for.
