You Said No to Cookies—And a Law Firm Is Betting These Companies Ignored You – Lynch Carpenter’s Multi-Target CIPA Campaign Means
A new Instagram ad from Lynch Carpenter LLP opens with a pointed question: “Do you say NO to optional website cookies?”
The ad, running from the firm’s Instagram account @lynchcarpenterlawyers, goes on to explain: “If you selected NO to optional website cookies while browsing certain sites, you may have a claim that entitles you to monetary compensation.” Visitors are then asked to select every website they’ve visited from a multi-target list that includes: HP (hp.com), Visa (visa.com), Farmers Insurance (farmers.com), Clorox (clorox.com), and Smart & Final (smartandfinal.com).
This campaign is different from the others in our Privacy Litigation Watch series in one important way: instead of targeting a single company, Lynch Carpenter is running a dragnet. One ad. Five named defendants. One shared legal theory. And the theory is as simple as it is powerful—if you said no to cookies and those companies tracked you anyway, you may have been wiretapped under California law.
Who Is Lynch Carpenter LLP?
Lynch Carpenter LLP is a plaintiff-side class action firm with offices in Pittsburgh, New Castle, Los Angeles, San Diego, and Philadelphia. Don’t let the Pittsburgh headquarters fool you—this firm has been fighting California privacy cases for years and has built one of the most active data breach and digital privacy practices in the country.
Founded by Gary Lynch, whose legal career spans more than three decades, the firm has handled over 100 class actions and secured multi-million-dollar recoveries against some of the largest companies in the United States, including Home Depot, PNC Bank, Equifax, and Target. Lynch himself argued before the U.S. Supreme Court in Symczyk v. Genesis, a case that helped shape federal class action law.
The firm’s recent track record in privacy and data litigation is substantial:
- TikTok Biometric Privacy Settlement ($92 million) – Lynch Carpenter represented victims in claims that TikTok captured biometric data and personal device information without consent in violation of the Illinois Biometric Information Privacy Act. Final approval was granted in August 2022.
- Bonnier Publications Michigan Video Privacy Settlement ($2.15 million) – The firm served as co-lead counsel for more than 160,000 subscribers whose personal information was shared with third-party marketers without consent in violation of the Michigan Video Privacy Act.
- Philips CPAP MDL ($1.6+ billion combined) – Lynch Carpenter partner Kelly Iverson was appointed co-lead counsel in one of the largest MDLs in recent history, achieving a $500 million economic loss settlement and $1.1 billion personal injury resolution for consumers harmed by toxic materials in Philips sleep apnea machines.
- Penn State COVID Tuition Refund ($17 million) – The firm secured what was described as the largest university settlement to date related to COVID tuition refunds, receiving final approval in February 2025.
- ParkMobile Data Breach ($32 million) – Lynch Carpenter partner Nicholas Colella served on the Plaintiffs’ Steering Committee in this data breach class action affecting 21.8 million consumers, with final approval granted in May 2025.
On the digital tracking front specifically, Lynch Carpenter is known for a landmark Third Circuit victory in Popa v. Harriet Carter Gifts (2022), in which the court held that defendants bear the burden of proving a prior consent defense under the Wiretap Act—a ruling that has made consent-based defenses significantly harder for companies to win in CIPA and similar cases.
The Legal Theory: What “Saying No to Cookies” Has to Do With Wiretapping
To understand why this campaign is so strategically clever, you need to understand how plaintiff firms have reengineered a 1967 California statute to fit the modern web.
The California Invasion of Privacy Act, or CIPA, was enacted to combat telephone wiretapping and eavesdropping. It predates the internet by decades. But in the last several years, plaintiffs’ attorneys have argued—successfully in many courts—that CIPA applies to websites that use third-party tracking technologies without obtaining proper consent from all parties to the communication.
The key legal claims Lynch Carpenter is most likely pursuing fall into two buckets:
Wiretapping / Interception (CIPA § 631(a)): This provision prohibits intentionally reading or attempting to read the contents of a communication while it is in transit, without consent. Plaintiffs argue that when a website embeds code from a third-party analytics or advertising vendor—like Google Analytics, the Meta Pixel, or a session replay tool—that vendor effectively “intercepts” the communication between the user and the website in real time, making the website operator liable as an accomplice to wiretapping.
Pen Register / Trap-and-Trace (CIPA §§ 638.50–638.51): Originally designed to govern law enforcement surveillance of phone call metadata, this provision prohibits the use of “pen registers” and “trap and trace devices” without a court order. Plaintiffs argue that third-party tracking scripts that capture IP addresses, device identifiers, and routing information function as digital pen registers, intercepting signaling data without judicial authorization or user consent.
CIPA carries statutory damages of $5,000 per violation with no requirement to prove actual harm. In a class action covering tens of thousands of California users, that number scales quickly into the hundreds of millions of dollars. It is this statutory math—not the merits—that drives the economics of CIPA litigation.
“If you selected NO to optional website cookies while browsing certain sites, you may have a claim that entitles you to monetary compensation.” — Lynch Carpenter LLP Instagram ad, 2025–2026
What makes Lynch Carpenter’s recruitment angle especially sharp is the specific focus on users who rejected optional cookies. This is not a general “did you visit this website” intake. It is explicitly targeting people who exercised their privacy rights through a consent mechanism—and who Lynch Carpenter believes may have been tracked anyway. That framing maps directly onto the core legal theory: consent-based defenses fail if the opt-out mechanism didn’t actually stop the tracking.
The Five Targets for Plaintiff Privacy Lawsuits: Who They Are and Why They’re in the Ad
The companies named in Lynch Carpenter’s intake form share a critical common characteristic: all are large consumer-facing brands with significant California user bases, operating websites almost certainly equipped with third-party analytics and advertising tools. Here is a brief profile of each.
HP Inc. (hp.com)
HP Inc. is the Palo Alto-based technology company that emerged from the Hewlett-Packard split in 2015, focusing on personal computers and printing. HP has already faced CIPA litigation directly: in Heiting v. HP Inc. (24STCV29634), a California Superior Court dismissed a CIPA pen-register claim against HP in August 2025, ruling that the third-party software at issue did not qualify as a trap-and-trace device. That dismissal was granted without leave to amend. However, Lynch Carpenter’s campaign suggests either a fresh theory, a different tracking tool, or a separate line of claimants not bound by that ruling. Because CIPA decisions set no binding precedent at the trial court level, new filings with different factual allegations can always proceed.
Visa Inc. (visa.com)
Visa is the global payments technology company, based in San Francisco. While Visa is not primarily a consumer-facing retail website in the traditional sense, visa.com hosts card benefit information, cardholder services, account management tools, and marketing content for a vast consumer audience—including millions of California residents. Any analytics or advertising tracking on that site involving California users falls squarely within the CIPA framework.
Farmers Insurance (farmers.com)
Farmers Insurance is one of the largest insurance groups in the United States, with a major footprint in California. Insurance websites are particularly sensitive targets in CIPA litigation because users often enter health-related or financial information during quote processes—data that, if intercepted by a third-party analytics tool, carries heightened privacy implications under both CIPA and newer state health data laws.
The Clorox Company (clorox.com)
The Clorox Company is the Oakland-based consumer goods manufacturer known for cleaning products, Burt’s Bees, Hidden Valley Ranch, and other household brands. Clorox’s website serves as a brand marketing hub with product information, recipes, and lifestyle content. Like other consumer goods companies, Clorox is highly likely to run analytics, advertising attribution, and retargeting tools across its site—precisely the stack that CIPA plaintiffs target.
Smart & Final (smartandfinal.com)
Smart & Final is a California-based warehouse-style grocery chain operating primarily in the Western United States. Its heavy California concentration makes it an especially targeted fit for CIPA claims, which apply specifically to California residents. The chain’s website supports online ordering and loyalty programs, generating significant first-party data collection activity that may involve third-party integrations.
Lynch Carpenter’s Multi-Target CIPA Litigation
Lynch Carpenter’s multi-target campaign is arriving at one of the most volatile moments in the history of CIPA enforcement—with courts split, a landmark reform bill stalled, and plaintiff filings accelerating in advance of potential legislative limits.
According to Fisher Phillips’ Digital Wiretapping Litigation Map, there have been 2,341 digital wiretapping lawsuits filed nationwide since a landmark court ruling in 2022 opened the door, with approximately 79% of those filings—roughly 1,845 cases—filed in California alone.
California lawmakers have described these as “shakedown letters and lawsuits,” observing that trial lawyers have sued over 1,500 businesses using CIPA’s private right of action in the past 18 months, arguing that typical business activities constitute “wiretapping” or an illegal “pen register,” requiring opt-in consent before a business can, for example, save an online shopping cart or serve an ad.
The legislative response—Senate Bill 690—would have created a “commercial business purpose” exception to CIPA, effectively shielding routine analytics and advertising tracking from liability. The California Senate passed it unanimously, but the bill’s author announced on July 2, 2025 that it would be made a two-year bill, meaning it will not advance further that year and may be taken up again in 2026. SB 690 is likely to be reintroduced in 2026 but will likely not take effect until January 1, 2027—giving plaintiffs’ firms a clear window to file all claims they can before any reform takes effect.
Courts, meanwhile, remain deeply divided. Some have dismissed CIPA claims at the pleading stage, finding that routine web tracking doesn’t constitute “wiretapping.” Others have allowed cases to proceed past motions to dismiss and even survived summary judgment. Businesses have notched some wins, but most claims survive motions to dismiss in California state and federal courts—and for every case that reaches dismissal, many others settle long before that point because of the cost of continued litigation.
That last point is critical: the economics of CIPA litigation often have little to do with whether a plaintiff would ultimately win at trial. Claimants’ goal is often to extract a nuisance-value settlement, then move on to the next target—and CIPA is a particularly attractive statute because it provides for statutory damages of $5,000 per violation.
What Makes the “Cookie Opt-Out” Theory So Dangerous
Lynch Carpenter’s framing—targeting users who specifically said no to optional cookies—exposes a compliance vulnerability that most companies have not fully addressed.
Many businesses have deployed cookie consent banners and believe in good faith that users who click “reject” or “no thanks” have been properly handled. But consent management is only half of the compliance equation. The other half is technical: does clicking “reject” actually stop the third-party trackers from firing?
In many cases, the answer is no—or not entirely and thats why Captain Compliance’s Consent Management Platform has become so valuable because it’s a software that actually works and protects against these class action lawsuits. Cookie consent platforms can be misconfigured. Tag managers may fire scripts before the consent signal is received. Some analytics tools continue to collect anonymized or aggregated data even after a user opts out. Session replay tools may capture keystrokes and form entries without waiting for consent. And in cases where a tracker fires even partially before an opt-out is processed, plaintiff firms will argue that interception occurred.
This is the gap Lynch Carpenter is targeting: the space between what a consumer believes they consented to (nothing, because they clicked “no”) and what technically happened (tracking that occurred anyway, even briefly). In a world where statutory damages are $5,000 per violation and there is no requirement to prove actual harm, even a partial technical failure in a consent management system can be worth millions in potential liability.
Steps To Avoid Data Privacy Lawsuits
Whether or not Lynch Carpenter’s cases against these five companies succeed, the campaign signals an enforcement approach that will affect many businesses with California-facing websites. Here is what compliance teams need to be doing right now.
1. Test whether your opt-out actually works.
This is the single most important action item from this campaign. Use browser developer tools or a tag auditing platform to test what fires on your website when a user clicks “reject all” on your cookie banner. If any third-party scripts trigger before or after the opt-out signal is processed, you have potential CIPA exposure. Document the results and remediate immediately.
2. Audit the timing and sequencing of your consent management platform.
Many consent management platforms require careful configuration to ensure that tracking scripts are blocked before consent is obtained—not just after. If your CMP loads analytics or advertising tags first and then blocks them after a rejection, that sequence may be enough to support a claim of unauthorized interception. Review your CMP’s technical documentation and confirm the blocking behavior is working as intended.
3. Map your third-party integrations against your consent categories.
Every third-party script on your site should be tagged by consent category: strictly necessary, analytics, advertising, personalization. Users who reject “optional” cookies should have zero optional scripts firing on their sessions. Run a full audit of your tag manager to confirm this mapping is accurate and enforced.
4. Understand whether California law applies to your site—regardless of where you’re headquartered.
CIPA applies to California residents. If any portion of your user base is located in California—which is true of virtually every major consumer website—CIPA exposure is real. Visa is headquartered in San Francisco. HP is in Palo Alto. But even companies with no California presence can face CIPA claims if California residents access their websites. Know your user geography and plan accordingly.
5. Document your consent practices, configurations, and testing results.
If you are ever sued under CIPA, the consent defense is your primary tool. But that defense requires evidence: records showing that users were presented with a meaningful choice, that the opt-out was properly configured, and that tracking did not occur after rejection. Without documentation, you are litigating blind. Create a record—screenshots, configuration exports, testing logs—and maintain it on a rolling basis.
6. Watch the SB 690 timeline and file proactively if reform is imminent.
California’s SB 690 reform bill, if reintroduced and passed in 2026, will apply only prospectively and will not cover claims based on conduct before its effective date. If your site has had tracking issues in prior years and you’ve now remediated, that historical window of exposure doesn’t close when the law changes. Assess your historical exposure now, and engage litigation counsel about whether proactive steps—including potential tolling agreements or targeted remediation disclosures—make sense before the reform window closes.
Lynch Carpenter Privacy Lawsuits
Lynch Carpenter’s five-company CIPA intake campaign is a textbook example of how modern plaintiff-side privacy firms operate: identify a legal theory with high statutory damages and no actual-harm requirement, build a digital recruitment funnel, and let the math do the work.
The sophistication of the targeting—specifically recruiting users who opted out of cookies—is a signal that this firm has thought carefully about how to build a consent-failure narrative across five different defendants at once. Each of the five companies named in the ad brings something different to the table: a prior CIPA ruling (HP), a financial services privacy premium (Visa), a health-data sensitivity angle (Farmers), a household brand footprint (Clorox), and a California-concentrated retail presence (Smart & Final). Together, they represent a remarkably broad cross-section of the CIPA target universe.
For compliance professionals, the takeaway is urgent and simple: your cookie banner is not a compliance program. It is a user interface. The compliance program lives in the technical layer underneath—in the tag manager configurations, the CMP timing sequences, and the opt-out enforcement mechanisms that most legal teams never see.
If you haven’t tested whether your opt-out actually stops tracking, now is the time. Because plaintiff firms have—and they’re running ads about it.
