Cookie Banner Malfunctions and Children’s Data Drive California Privacy Litigation: Dollar Tree and Paramount Face Class Actions

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Dollar Tree faces a California class action alleging that its cookie banner’s “Reject Advertising Cookies” button failed to effectively block third-party cookies. At the same time, Paramount confronts similar privacy claims that prominently feature disclosures of children’s viewing data. 

Both cases highlight how malfunctioning consent tools and sensitive data amplify privacy litigation risks. Keep reading to learn more and get my takeaways.

United States

Dollar Tree Hit With Class Action Over Malfunctioning Cookie Banner

A lawsuit filed in the Northern District of California alleges that Dollar Tree Stores displayed a cookie consent banner on its websites, which purported to provide users the opportunity to “Reject Advertising Cookies.” However, when clicked, the banner failed to prevent the transmission of cookies to third parties, including Google and Facebook. 

The lawsuit includes claims under common law Invasion of Privacy and Intrusion Upon Seclusion, as well as wiretapping and pen register claims under the California Invasion of Privacy Act (CIPA).

TAKEAWAY

Although comprehensive privacy laws in the United States don’t require companies to obtain user consent for cookies in most circumstances, US companies sometimes add cookie consent banners to their websites to mitigate recent litigation trends under CIPA and other laws. 

This can be an effective strategy if done correctly. However, as highlighted by this action against Dollar Tree, a cookie consent banner that does not function as communicated to users can heighten risk rather than mitigate it. Therefore, it’s essential that companies implement measures to ensure that the mechanisms they establish are suitable for their intended use case, comprehensive of their actual data collection practices, function as intended, and don’t deceive or confuse consumers. 

Consent and opt-out failures have also been a common focus of regulatory enforcement over the past several months. For example, the CPPA issued a six-figure fine in May and a seven-figure fine in October for opt-out failures. Both fines were against retailers that purported to opt users out of the sale or sharing of personal information but failed to do so with respect to third-party advertising tracking technologies. The CPPA has stressed the importance of not only putting required mechanisms in place but also monitoring to ensure such mechanisms are functioning as intended.

Paramount Hit With VPPA / CIPA Claims Involving Children’s Data

A Central District of California class action alleges that Paramount’s use of tracking technologies violates the federal Video Privacy Protection Act (VPPA) and the California Invasion of Privacy Act (CIPA). 

Although neither law specifically addresses children’s data, the factual allegations strongly emphasize Paramount’s disclosure of children’s data to third parties. Specifically, the complaint alleges that pixels installed on Paramount’s platform transmitted children’s data (including titles of videos watched by children) to Google and Microsoft without obtaining consent. 

TAKEAWAY

Litigation and regulatory actions based on claims that do not require demonstrating the defendant’s use of sensitive or children’s data often still involve children’s or other sensitive data. Several reasons likely contribute to this, such as the ease of demonstrating harm and potentially seeking heightened damages when the data involved is particularly sensitive. Regardless of the reason, it is a pattern that companies involved (or potentially involved) in processing children’s or sensitive data should pay attention to. 

Specifically, when assessing risk under any privacy law (even laws not specific to the processing of children’s or sensitive data), the risk will likely be greater when children’s or sensitive data is involved.    

A LITTLE MORE PRIVACY, IF YOU PLEASE

• TCF v2.3: The latest version of the Transparency and Consent Framework
• Atlas browser by OpenAI: The end of free consent?
• Top 5 best enterprise Consent Management Platforms (CMP) for 2026
• New Zealand Publishes Guidance on Indirect Collection of Personal Data

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.