Burger King Cookie Opt-Out Lawsuit Survives Dismissal as CNIL Issues €750K Fine to Condé Nast

Want to receive these privacy recaps in your inbox each week? Subscribe here.

A California federal judge allowed privacy claims to proceed against Burger King over allegations the company continued placing tracking cookies after users opted out. Meanwhile, France’s CNIL issued a €750,000 fine against Condé Nast for similar consent banner failures on Vanityfair.fr, reinforcing regulatory scrutiny of cookie compliance across jurisdictions.

Keep reading for more details and for my takeaways on both cases.

United States

Lawsuit Over Burger King Opt-Out Failures Overcomes Motion to Dismiss

A Northern District of California judge allowed claims of common law invasion of privacy, intrusion upon seclusion, fraud, and unjust enrichment to proceed against Restaurant Brands International, the parent company of Burger King (Case No.  25-cv-03647-JSC). The allegations state that Burger King’s website continued to place third-party cookies on users’ devices and transmit user data to third parties, even after users opted out of cookies and the sale and sharing of personal information. 

Specifically, the website allegedly contained a pop-up consent banner stating, “This website uses cookies to enhance user experience and to analyze performance and traffic on our website.  We also share information about your use of our site with our social media, advertising, and analytics partners,” along with the options “Accept Cookies” and “Cookie Settings”. 

When a user clicked the “Cookie Settings” option, a preferences window appeared stating, “You may exercise your right to opt out of the sale of personal information by using this toggle switch.  If you opt out we will not be able to offer you personalized ads and will not hand over your personal information to any third parties.” 

The complaint, however, alleges that even after a user moved the toggle switch to opt out, the Burger King website continued to allow the placement of third-party cookies, including those that tracked the plaintiff’s browsing history, website interactions, geolocation data, user identifiers, and other personal information. 

TAKEAWAY

An interesting aspect of this case is the focus on representations made to users, rather than the nature of the information shared, when assessing two elements of the claims at issue: whether users had a reasonable expectation of privacy and whether Burger King’s alleged actions were highly offensive. 

The court accepted arguments that the plaintiff had a reasonable expectation of privacy in the information because Defendants “represented to him that his browsing activity and Private Communications would remain private if he elected to decline cookies” and that the intrusion was highly offensive because the Defendants “blatantly [lied] to consumers and lull[ed] them into a false sense of security“. 

The court also rejected a comparison to a 2024 dismissal of intrusion upon seclusion claims against Papa John’s (Case No. 22cv2012 DMS (MSB)). In that case, the court rejected arguments that visitors to the Papa John’s website had a “reasonable expectation of privacy” regarding the information collected via session replay software installed on the website and also rejected arguments that Papa John’s procurement of Session Replay Providers to “surreptitiously and instantaneously record every Website communication” was highly offensive. Furthermore, the court in that case found that Papa John’s failure to give notice, in and of itself, did not create a reasonable expectation of privacy. 

In contrast to Papa John’s, the plaintiff in Burger King alleged that Burger King’s misrepresentations in the cookie banner were the highly offensive activity, which the court found to be sufficient. 

In other words, at least for purposes of invasion of privacy and intrusion upon seclusion claims, it appears that doing nothing is preferable to implementing consent and preference mechanisms that fail to function as communicated to users.

Europe

CNIL Fines Conde Nast Over Cookie Consent Allegations

The French Data Protection Authority (CNIL) announced the issuance of a 750,000 euro fine against Les Publications Condé Nast based on allegations that the website vanityfair.fr failed to obtain user consent before placing cookies, lacked clarity in the information provided to users, and offered ineffective mechanisms for refusing and withdrawing consent. 

Specifically, the CNIL found that: 

1. Cookies requiring consent were placed on user devices as soon as they arrived on the website, before they interacted with the banner to express a choice; 
2. Some cookies were labeled as “strictly necessary” without providing users with any useful information about their purposes; and 
3. When users clicked the “refuse all” button in the banner or withdrew consent for tracker installation, new cookies requiring consent were still set, and other existing cookies continued to be read.

TAKEAWAY

The CNIL has issued multiple fines in recent years as part of an overall compliance strategy initiated more than 5 years ago regarding cookies, particularly targeting high-traffic websites and services. 

This includes a 50 million euro fine against telecommunications company Orange in 2024 (along with an injunction that closed in 2025 after satisfactory correction measures) and fines of 325 million euros and 150 million euros against Google and Shein, respectively, in September 2025. The CNIL’s announcement of the Google and Shein fines stated that, “While compliance with obligations regarding the use of cookies is improving, the CNIL remains vigilant, particularly with regard to non-compliant practices such as the placement of cookies without the internet user’s consent“.

A LITTLE MORE PRIVACY, IF YOU PLEASE

• The role of AI technologies in privacy-first solutions: How we use AI in our products at Didomi
• EU Digital Omnibus: Here’s what you should know about the GDPR simplification project
• Privacy Next: A certain story of the future

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.