Court Decision Implies No Cookie Banner is Better Than Incorrect One, CPO Says
A recent federal court decision shows that sometimes, saying nothing about privacy is better than misrepresenting what you are promising, a privacy pro said in a blog.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Julie Rubash, chief privacy officer for compliance vendor Sourcepoint, reached that conclusion in a post Tuesday.
Rubash cited the complaint in case 3:25-cv-03647, which accuses Burger King of continuing to place third-party cookies on website visitors’ devices and using them to transmit data, even after customers opted out of cookies and the sale and sharing of their personal information.
User browsing history, geolocation data and website interactions, among other things, were tracked, even after the consumers toggled to opt-out in cookie settings, when they appeared in a pop-up banner on the site, Rubash said.
Judge Jacqueline Scott Corley of the U.S. District Court for Northern California allowed the claims -- of “common law invasion of privacy, intrusion upon seclusion, fraud, and unjust enrichment” -- to proceed to trial on the grounds that the fast-food chain’s actions were, as the court put it, "highly offensive," since the plaintiff had a reasonable expectation of privacy because of the cookie banner providing options.
Since Burger King told customers their browsing activity and communications would remain private if they declined cookies, the fast food outlet "blatantly [lied] to consumers and lull[ed] them into a false sense of security," the court added, according to Rubash.
The court additionally separated this case from one in 2024 against Papa John’s, where intrusion claims were dismissed. In that case, there was no “reasonable expectation of privacy” because the pizza chain failed to notify customers about the session replay software on its website.
An “interesting aspect" of the Burger King case was that the court focused on “representations made to users, rather than the nature of the information shared,” Rubash said. Additionally, “at least for purposes of invasion of privacy and intrusion upon seclusion claims, it appears that doing nothing is preferable to implementing consent and preference mechanisms that fail to function as communicated to users.”