AG Enforcement Actions Align on Cookie Transparency & Consent Requirements
Ruth Wakefield, of Nestlé’s Toll House brand, is credited with inventing the chocolate chip cookie, by accident. While baking butterscotch nut cookies, she substituted chunks of semisweet chocolate, expecting them to melt. Instead, they held their shape and the chocolate chip cookie was born.
Similarly, the digital “cookie” was an unexpected innovation with lasting impact. Created in 1994 by Netscape engineer Lou Montulli, cookies began as a way to identify first-time and returning website visitors. Since then, they have become a ubiquitous tool for tracking users across the web.
With minimal regulation and obligations concerning the use of cookies to date, companies create digital profiles about users that allow advertisers to better understand a consumer’s interests and purchasing behaviors for a more personalized, targeted advertising experience -- without always letting consumers know what is happening behind the scenes. The Digital Advertising Alliance principles have been a guiding force for industry best practices on the use of digital cookies, but these principles are voluntary and are not always followed.
But all of this is changing. Following the passage of a slew of state consumer privacy laws, companies are now obligated to be transparent about the tracking behaviors and tracking tools they use, giving consumers more autonomy to make decisions about whether and how their personal information can be tracked and to what extent they will permit that tracking to occur.
This year has been rife with enforcement action at the state level that demonstrates a revived interest in how cookie banners and disclosures should look, sending a clear message that companies must prioritize cookie disclosures, features, and aesthetics, with a focus on enhancing clarity, transparency, and symmetry for consumers so they can be better informed about their cookie preferences.
Breaking Down Recent State Enforcement Actions
Michigan: The Michigan AG’s office filed a lawsuit in April 2025 against Roku, claiming Roku violated consumer protection laws by hiding advertising opt-out options under the “Your privacy choices” section of their website without clearly explaining more general information about a consumer’s privacy rights, opt-outs, data subjects rights requests, and related choices. The company did not distinguish between information about targeted ads (including how to opt out of targeted ads) and more general information about privacy and data subjects rights reflecting broader consumer privacy choices (not specific to targeted ads). In line with DAA principles, these choices should be separated. Michigan lacks a state consumer privacy law, so this case underscores how high of a priority this issue has become even for states without codified privacy laws.
California: The California Privacy Protection Agency (CPPA) settlement with Honda imposing a $632,500 fine over violation of the California Consumer Privacy Act (CCPA) highlights that companies cannot request unnecessary amounts of information from consumers in fulfilling their data subjects rights requests and opt-outs for sale or sharing of data. The case also demonstrates the need for companies to provide more transparency and clearer disclosures to alleviate confusion when consumers are being tracked, and to ensure they have contracts with advertisers and other third parties with whom they are sharing data, prior to data sharing. In the settlement, CPPA describes the importance of “symmetry” in cookie preference settings, meaning making it as easy for a consumer to reject cookie choices as to accept them. This symmetry can be provided through, for example, “Accept All” and “Decline All” buttons for cookie preferences – in contrast to one default “accept all” button and then a “more information” or “select preferences” button. Because the latter presentation involves a multistep process to change the cookie preferences and then confirm/save those preferences, it would not be symmetrical.
The CPPA has also illuminated further examples of how to effectively demonstrate cookie consent and ensure symmetry in a recent advisory. Put simply, consumers should not face more hurdles to reject cookies than to accept them. DAAP also encourages companies to view symmetry as a “need to have” and not a “nice to have.”
Connecticut: The CT AG’s office published its enforcement report in April highlighting a range of issues regarding the Connecticut Data Privacy Act and the Connecticut Unfair Trade Practices Act, including violations involving cookie banner asymmetry and use of dark patterns. The AG’s office notes the appropriate parameters for cookie banner usage: ensuring cookie banners “provide consumers with the option to accept all cookies,” offering a symmetrical option to reject all cookies, and ensuring that “both options [are] displayed on the screen at the same time, and in the same color, font, and size.”
Similarities abound between California’s advisory and Connecticut’s enforcement report. With the BBB National Programs’ Digital Advertising Accountability Program (DAAP) Ticketmaster case as an example, consent management tools must provide transparency and appropriate disclosures to consumers so they can easily opt out of advertising cookies.
Texas: Through cases brought and settlements with General Motors, Allstate, and Google already this calendar year, the Texas AG’s Office has emphasized that the sharing or selling of sensitive data without informed consent is a prohibited practice with serious implications. The Texas AG’s office has noted that businesses are engaging in the sale or sharing of sensitive data – including location, voice, and biometrics – for advertising and other purposes without appropriate consumer consents.
Notably, the cases involved General Motors OnStar Smart Driver features, Allstate’s use of a software development kit (SDK), and Google’s Incognito mode, which, separately but with similar intent, were used to track, share, and sell users’ locations, movement patterns, and driving behaviors with third parties, including insurance companies, without user knowledge or meaningful consent. While the cases didn’t involve cookies directly, they provide lessons on the need to clearly disclose the use and provide appropriate notice when enabling any type of tracking technologies or features, and to ensure consumers are given the opportunity to opt in to their sensitive data collection and use, especially prior to its use or repurposing for adtech.
Under the DAA Principles, any and all tracking is prohibited when a consumer could be adversely affected by terms or ineligibility for employment, credit, insurance, or medical treatment.
A Consortium of Privacy Regulators including California, Colorado, Connecticut, Delaware, Indiana, New Jersey, Oregon: The Consortium of Privacy Regulators was developed by a bipartisan group of Attorneys General from seven states in partnership with the CPPA to investigate potential violations of applicable consumer protection and data privacy laws. Given the similarities in the stakeholders’ individual priorities and their heightened interest in protecting consumers from being harmed by misuse of their personal information, especially for secondary purposes like advertising, we can expect more joint guidance and enforcement action to come from these states, based on this new multi-stakeholder initiative.
The Federal Trade Commission (FTC) has also published guidance about internet cookies in the past, with a focus on the possibility of consumer protection violations stemming from a lack of clear and meaningful cookie consent and the use of dark patterns. Section 5 of the FTC Act prohibits any unfair or deceptive trade practices. Cookie consent notices that materially mislead consumers could be regulated as deceptive and, if they are found likely to cause unavoidable harms that outweigh the benefits, they could be found to be unfair.
An analysis by a University of Chicago researcher has examined how cookie practices might violate the FTC Act and shares an approach to best practices for cookie consent management, in line with FTC guidance.
To help understand what these enforcement actions mean for businesses trying to map out the road ahead, DAAP has put together a cookies “dos” and “don’ts” list.
Here is what you should do.
- Create a separate link, and coordinating page, called “Ad Choices” on your website, distinct from other privacy-related pages, to inform consumers about how their data is being processed (including how it may be shared and/or sold) for targeted advertising.
- If such a link is not possible on a mobile app, add a statement allowing users to easily “Learn more about their Ad Choices” at the top of the privacy policy that then takes a consumer, in one click, to the section where their ad choices are clearly explained.
- In your Ad Choices language, be sure to include:
  - Disclosure of any interest-based advertising practices (what targeted advertising is and how it is occurring, including types of cookies, trackers, and other tools being used);
  - A link to opt out of the current advertising preferences; for example: a link to the DAA third-party advertiser opt-out tool (or another compliant method allowing consumers to opt out of third-party IBA); and
  - A statement of adherence to the DAA Principles to signify participation in the code of conduct that prevails across the industry.
Here is what you should avoid doing.
- Do not scatter information about targeted advertising and advertising choices across the privacy policy.
- Do not place ad choices in sections of the privacy policy where they will not be read, like “legal” or “terms of service.”
- Do not bury ad choices or scatter them somewhere without appropriate labeling in a “trust center.”
- Do not add a hurdle, like infinite scroll, to keep users from finding the ad choices link easily.
- If the ad choices link is in a hamburger menu, do not bury it under other pages.
- Do not permit the transfer, sharing, or sale of sensitive data with third parties without obtaining informed consent from consumers.
- Do not permit tracking or use of third-party trackers if the use case is a prohibited practice that could cause a consumer adverse terms or ineligibility for employment, credit, insurance, or medical treatment.
Consumer privacy choices broadly are distinct from consumer choices about targeted advertising, but they are just as integral to a consumer’s privacy rights.
The next time you enjoy a fresh batch of warm chocolate chip cookies, remember the serendipitous fate that allowed the first chocolate chip cookies to build a legacy. Similarly, the adtech ecosystem must work to bake in and strengthen privacy and cookie preference “ingredients” required by regulators, if it seeks to leave a lasting and desirable impact on its consumers.