Introduction
Recently, there has been a significant uptick in demand letters claiming that the implementation and use of non-essential cookies (those that are not necessary for a website to function) amount to an illegal wiretap. Cookies are small text files that can be placed on a computer or mobile device to identify a visitor’s website activities. While such data collection has become a common practice of websites seeking to create more unique and personalized experiences for each visitor, it has recently emerged as a focal point for data privacy plaintiffs across the country.
Most of these claims have been brought under the California Invasion of Privacy Act (CIPA). However, such claims could arise under other state wiretap laws containing an “all-party consent” requirement. Below is a high-level overview of the legal landscape, as well as guidance for mitigating the risk that the use of non-essential cookies is unlawful.
Legal Landscape
Under CIPA and other “all-party consent” state wiretap laws, it is unlawful to record communications without the consent of all parties. As such, where cookies and similar technologies (such as session replay and heat mapping) record website browsing activities (routing, addressing, signaling, form completions, etc.), visitor consent to the use of cookies (other than strictly necessary cookies without which the site could not function) should be obtained.
At a high level, website visitors must not simply be afforded the ability to opt out of the use of non-essential cookies; rather, they must be presented with a choice of whether to opt in. Simply put, website operators should not place non-essential cookies unless and until website visitors have affirmatively opted in to the use of such non-essential cookies. In particular, all cookie banners should contain a default setting in which non-essential cookies are toggled to “off.” Furthermore, if an individual consents to the use of non-essential cookies, it is important that they be able to withdraw their consent as easily as they gave it.
Mitigating Risk
To mitigate the risk of violating CIPA and similar laws, companies should revisit and reassess their current privacy compliance processes, including website cookie banners, privacy policies, and consent processes.
Questions?
If you have any questions regarding your current approach to cookies, consent processes, or your website’s cookie banner, please reach out to Kevin S. Olson, Faith Kasparian, Ryan J. Perry, or Ann M. O’Rourke.
The authors would like to acknowledge the contributions to this article by, and give thanks to, Adam Sherf, Northeastern University School of Law (NUSL) 2026.
