Meta CIPA Verdict Upheld as French Cookie Enforcement Distinguishes First vs. Third-Party Responsibilities

Want to receive these privacy recaps in your inbox each week? Subscribe here.

Privacy enforcement continues to reshape digital compliance as courts and regulators define more precise boundaries around data collection responsibilities. 

This week brought decisive rulings on both sides of the Atlantic. A California judge upheld Meta’s landmark CIPA violation for SDK data harvesting. At the same time, France’s CNIL established essential distinctions between the cookie deletion duties for website owners’ first-party cookies and the technical limitations with respect to third-party cookies.

Continue reading to learn more and discover my key takeaways of the week.

United States

Meta’s Request to Overturn a CIPA Class Action Jury Verdict is Denied.

A California judge denied all of Meta’s post-trial motions (including judgment as a matter of law) after a jury found that Meta had violated the California Invasion of Privacy Act (CIPA) by obtaining ovulation and menstrual period information communicated by women who used the Flo Period and Ovulation Tracker app. 

The information was captured through “custom event” fields in the app and then collected and sent to Meta by a software development kit (SDK). Meta asserted that it did not eavesdrop or record users’ communications with the app, because the communications at issue were separate communications between the app and Meta, distinct from communications between the users and the app. However, the judge found that substantial evidence was shown at trial that Meta acquired exactly the content the user communicated to the Flo app and that it was revealed firsthand and in real time (not secondhand). 

The judge also denied Meta’s assertion that the SDK was not an electronic recording device under the law, finding that a phone was essential to the operation of the Meta SDK and therefore that Meta used the phone as a recording device. The judge found that such use was intentional, based on evidence that Meta knew it was getting data it shouldn’t be getting and didn’t do anything to stop it. 

Finally, the judge found that user consent to Meta’s privacy policy was insufficient to constitute consent, since a reasonable user could find Meta’s privacy disclosures too ambiguous to “explicitly notify” users of the conduct at issue. 

TAKEAWAY

The jury verdict in this case was the first to find a Software Development Kit (SDK) in violation of CIPA. 

The judge’s denial of all of Meta’s post-trial motions, stating that “nothing in the evidence adduced at trial or the record as a whole justifies disturbing the California class or the jury’s unanimous verdict” may be the last nail in the coffin for Meta’s and all SDK CIPA defendants’ hopes of avoiding responsibility in relation to the rampant and increasingly successful flood of CIPA actions hitting a broadening scope of defendants. 

Flo, Google, and analytics provider Flurry were also defendants in the case, but Meta was the only defendant not to settle.

CNIL Closes Injunction Against Orange After Corrective Cookie Measures.

After issuing a 50 million euro fine against French telecommunications company Orange in November 2024 and an order requiring the company to cease reading cookies after a user’s withdrawal of consent on its website orange.fr, the French CNIL restricted committee decided in September 2025 to close the injunction, based on the company’s demonstration that, once the user’s consent was withdrawn, no further reading or writing operations by cookies took place on the website.

TAKEAWAY

As part of this decision, the CNIL made a notable distinction between the website owner’s responsibility for first-party vs. third-party cookies in a circumstance when a user withdraws consent. 

Specifically, the restricted committee was satisfied that Orange deleted only first-party, but not third-party, cookies in the event of withdrawal of consent, even though the user’s browsing could continue to be tracked on third-party websites after such withdrawal. 

The restricted committee found that, since Orange did not have technical control over third-party cookies (and therefore could not delete them), and the reading operations conducted by such cookies were carried out outside the website orange.fr, they exceeded Orange’s responsibility. 

Rather, it was the third parties’ responsibility to implement measures to enable Orange to inform them of the user’s withdrawal of consent, particularly since Orange had done its part by contacting its partners to implement such measures and stopping new requests to such third-party domains.       

A LITTLE MORE PRIVACY, IF YOU PLEASE

• U.S. children’s privacy compliance guide by Sourcepoint and Didomi
• Privacy is dead, long live privacy!, an opinion piece by Brian Eckert

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.