Worth The Risk? The Website Privacy Compliance Dilemma for Small Businesses

Why privacy compliance lawsuits are exploding and what you need to know about cookies, consent, and privacy laws

Sephora paid $1.2 million to settle privacy violations in 2022. The beauty retailer wasn’t hacked. They didn’t lose customer credit cards. They didn’t have a data breach. Their crime? Using Google Analytics and advertising cookies without properly disclosing it to customers and honoring opt-out requests. Hmm, I’ve done that, you say!

That’s right. Sephora paid seven figures because their cookie consent banner didn’t work correctly.

Welcome to the new world of website privacy compliance, where that innocent-looking cookie banner on your site isn’t just a nuisance for users—it’s a potential legal landmine. And if you think this only applies to major retailers like Sephora, you’re dangerously mistaken.

The Privacy Law Explosion

Website privacy compliance isn’t one law. It’s a rapidly expanding patchwork of federal regulations, state laws, international frameworks, and evolving enforcement interpretations. The major players:

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – The toughest privacy law in the United States, requiring businesses to disclose what data they collect, allow consumers to opt out of data sales, and honor automated opt-out signals like Global Privacy Control.
  • General Data Protection Regulation (GDPR) – The European Union’s privacy framework that requires explicit opt-in consent before placing most cookies, with fines up to €20 million or 4% of global annual revenue.
  • State Privacy Laws – Nearly 20 U.S. states now have comprehensive privacy laws with varying requirements for cookie consent, data sales disclosures, and consumer rights.
  • Wiretapping and Eavesdropping Laws – California Invasion of Privacy Act (CIPA) and federal wiretap laws are being used to sue companies over session replay tools and analytics that allegedly record user activity without consent.

And here’s the kicker: the requirements keep evolving. What was compliant last year might get you sued this year. California’s enforcement agency started imposing six-figure fines in 2025 for violations that many businesses didn’t even know existed.

What Went Wrong at Sephora

The California Attorney General’s case against Sephora revealed something that should terrify every business owner: standard marketing practices can violate privacy law.

Sephora used third-party cookies—Google Analytics, Facebook Pixel, and similar tracking technologies—to understand customer behavior and deliver targeted advertising. This is utterly routine. Millions of websites do this every day (don’t you?). But California law considers this a “sale” of personal information when you receive valuable services like analytics in exchange for giving third parties access to customer data.

Sephora failed to disclose that they were “selling” customer data through cookies. They didn’t provide a clear “Do Not Sell My Personal Information” link. They ignored Global Privacy Control signals from users’ browsers. And they lacked proper service provider contracts with their third-party analytics vendors.

The Attorney General gave Sephora 30 days to fix these issues. Sephora didn’t act fast enough. The result? A $1.2 million settlement plus requirements to implement proper consent mechanisms, update privacy policies, maintain service provider contracts, and file regular compliance reports.

Reality Check: Sephora’s violations weren’t exotic or unusual. They were using the same Google Analytics and Facebook tracking that millions of small businesses use every day. The difference? Sephora got caught, and it cost them seven figures.

The Enforcement Surge

Sephora was just the beginning. The fines keep coming:

💰 Honda – $632,500 (March 2025) for cookie banner lacking “symmetry of choice”

💰 Capital One – $350,000 (May 2025) for a cookie banner that malfunctioned for 40 days

💰 Amazon – €35 million from French regulators for placing advertising cookies without consent

💰 Google – €60 million from French authorities for making it too difficult to reject cookies

💰 Facebook – €90 million from French regulators for the same reason

💰 Jam City – $1.4 million for CCPA violations in their mobile games

California’s Privacy Protection Agency hired more staff in 2025 specifically to conduct automated monitoring and enforcement sweeps. The UK’s Information Commissioner’s Office announced plans to audit the top 1,000 UK websites. France’s data protection authority launched an investigation campaign into mobile apps. These aren’t isolated incidents. They’re the new normal.

Graphic 1: The Enforcement Surge

Why This Matters for Small Businesses

You might be thinking: “I’m not Sephora. I’m not Amazon. Why would regulators care about my small business website?”

The Laws Apply to You

CCPA applies to businesses that meet any of these thresholds:

• Annual gross revenues exceeding $25 million

• Buy, sell, or share personal information of 100,000+ California consumers annually

• Derive 50% or more of annual revenue from selling consumers’ personal information

That second threshold is lower than you think. If you get decent web traffic from California and use third-party analytics, you might be processing data from 100,000+ California residents per year without realizing it. GDPR applies if you have ANY visitors from the European Union, regardless of your size or location.

Automated Enforcement is Coming

Regulators are deploying automated tools to scan websites for violations. They don’t need consumer complaints. They’re actively hunting for non-compliant cookie banners, missing privacy disclosures, and tracking that continues after users opt out. The California Attorney General’s 2021 enforcement sweep tested websites by enabling Global Privacy Control and checking whether tracking stopped. If it didn’t—like at Sephora—they sent violation notices.

The Plaintiff Bar is Watching

Class action attorneys have discovered privacy violations as a lucrative practice area. CCPA violations carry statutory damages of $100 to $750 per consumer per incident. For a data breach or unauthorized disclosure affecting 10,000 California residents, that’s potentially $1 to $7.5 million in statutory damages alone, plus attorney fees.

Even if you don’t meet CCPA’s business thresholds, you can still face lawsuits under wiretapping laws. Recent cases have targeted companies using Hotjar, FullStory, and similar session replay tools, claiming they record user activity without proper consent.

Compliance Costs vs. Legal Risk

So here’s your unpalatable choice.

Pay for Proper Compliance

Legitimate privacy compliance carries real costs:

💵 Consent Management Platform: $1,000–$5,000+ annually

💵 Privacy policy updates and legal review: $2,000–$10,000

💵 Cookie audit and classification: $1,500–$5,000

💵 Implementation and testing: $3,000–$15,000

💵 Ongoing monitoring and updates: $1,000–$3,000 annually

The upside? You dramatically reduce legal risk, achieve regulatory compliance, potentially gain competitive advantage as privacy becomes a differentiator, and get peace of mind. The downside? Significant upfront investment, ongoing maintenance costs, reduced marketing effectiveness from fewer cookies, and complexity managing different rules for different jurisdictions.

Roll the Dice

Continue business as usual with minimal privacy measures. Hope that California regulators don’t scan your site, that class action attorneys don’t notice you, and that your cookie banner is “good enough.”

The upside? No immediate costs. You maintain current marketing capabilities and keep using all your analytics and advertising tools without restriction. The downside? Regulatory fines starting at $2,500 per violation that add up fast. Potential class action lawsuits with statutory damages of $100 to $750 per affected consumer. Reputational damage. Legal fees that dwarf compliance costs. And no warning before enforcement hits.

The Cookie Banner Trap

Many businesses think they’re covered because they have a cookie banner. They’re wrong.

What Your Cookie Banner Actually Needs to Do

A compliant cookie consent system requires:

✅ Technical blocking – Cookies must be prevented from loading until consent is given, not just displaying a banner while everything loads anyway

✅ Granular controls – Users can accept or reject different cookie categories (analytics, advertising, functional) separately

✅ Equal prominence – Accept and Reject buttons must be equally easy to click; dark patterns violate the law

✅ GPC signal respect – Automatic detection and honoring of Global Privacy Control from browsers

✅ Persistent preferences – User choices remembered across visits, not asked every time

✅ Accurate cookie inventory – Disclosures must reflect every cookie actually used; add a tool, update the list

✅ Documented consent – Proof of when users consented, what they consented to, and how they were informed

Most free or cheap cookie banner plugins don’t do this correctly. They show a banner but don’t actually prevent cookies from loading. That’s worse than useless—it creates the illusion of compliance while leaving you fully exposed.

Honda learned this lesson expensively. Their cookie banner had an Accept button but made users dig through settings to reject cookies. California fined them $632,500 for not providing “symmetry of choice.” Capital One’s cookie banner malfunctioned for 40 days, continuing to track users who thought they had opted out. That 40-day malfunction cost them $350,000.
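As an added example (not code from the original post, and not any particular consent platform's implementation), here is the gating logic the checklist above calls for, which also reproduces the regulators' GPC test described earlier: it applies per-regime defaults, lets persisted explicit choices win, treats a Global Privacy Control signal as an opt-out of analytics and advertising, withholds tagged scripts until allowed, and flags cookies that survived an opt-out. The category names, the script descriptors, the cookie inventory and where the `Sec-GPC` / `navigator.globalPrivacyControl` check is read are assumptions of this example.

```javascript
// Added example, not code from the original post. Category names, the script
// descriptors and the cookie inventory below are constructed assumptions.
const CATEGORIES = ["functional", "analytics", "advertising"];
const SHARING = ["analytics", "advertising"]; // treated as "sale/share" of data
// regime: "opt-in" (GDPR-style: nothing non-essential before consent) or
// "opt-out" (CCPA-style: allowed until the user or a GPC signal opts out).
// stored: persisted banner choices; gpc: true when the Sec-GPC header or
// navigator.globalPrivacyControl is set on the request.
function resolveConsent({ regime, stored = null, gpc = false }) {
  const allowed = {};
  for (const c of CATEGORIES) {
    const explicit = stored && typeof stored[c] === "boolean";
    allowed[c] = explicit ? stored[c] : regime === "opt-out"; // stored choice beats defaults
  }
  // GPC is a valid opt-out of sale/sharing and must be processed even over a
  // default or earlier "accept"; only a choice made while GPC was already on
  // (see recordConsent) may re-enable those categories.
  if (gpc && !(stored && stored.reconsentedWithGpc)) {
    for (const c of SHARING) allowed[c] = false;
  }
  return allowed;
}

// Technical blocking: only these script URLs get injected; the rest wait.
function scriptsToLoad(scripts, allowed) {
  return scripts
    .filter((s) => s.category === "essential" || allowed[s.category] === true)
    .map((s) => s.src);
}

// Documented consent: what to persist when the user acts on the banner.
function recordConsent(choices, { gpc, noticeVersion, now = Date.now() }) {
  return { ...choices, reconsentedWithGpc: gpc === true, gpc, noticeVersion,
           timestamp: new Date(now).toISOString() };
}

// Sweep-style self-check (the regulators' GPC test): cookies seen after an
// opt-out whose inventory category is not allowed should not exist.
function cookiesViolatingOptOut(inventory, observedNames, allowed) {
  return observedNames.filter((n) =>
    inventory[n] !== undefined && inventory[n] !== "essential" && allowed[inventory[n]] !== true);
}

// Constructed sample: a CCPA-style visitor arriving with GPC on, no stored choice.
const SCRIPTS = [{ src: "/app.js", category: "essential" },
                 { src: "https://analytics.example/tag.js", category: "analytics" }];
const INVENTORY = { session_id: "essential", _ga: "analytics", _fbp: "advertising" };
const allowedNow = resolveConsent({ regime: "opt-out", gpc: true });
console.log(scriptsToLoad(SCRIPTS, allowedNow));                                   // [ '/app.js' ]
console.log(cookiesViolatingOptOut(INVENTORY, ["session_id", "_ga"], allowedNow)); // [ '_ga' ]
```

If the cookies flagged by `cookiesViolatingOptOut` after enabling GPC in a browser are non-empty, the banner is the "fake" kind the post warns about, regardless of what it displays.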

A Pragmatic Approach for Small Businesses

For most small businesses, the path forward isn’t either extreme. Here’s a risk-based framework that balances protection with practicality.

Assess Your Actual Risk

Start with honest self-assessment:

🔍 Do you get traffic from California or the EU?

🔍 Do you use Google Analytics, Facebook Pixel, or similar third-party tracking?

🔍 Do you use session replay tools like Hotjar or FullStory?

🔍 Do you collect emails or personal information through forms?

🔍 Do you run targeted advertising campaigns?

If you answered yes to multiple questions, you have meaningful exposure.

Start with Quick Wins

Some improvements are relatively inexpensive. Update your privacy policy to accurately describe what data you collect and why. Add a “Do Not Sell My Personal Information” link if you’re subject to CCPA. Audit what cookies your site actually uses—you might be surprised. Remove unnecessary third-party scripts and tracking. Document your data collection and use practices. These steps won’t make you bulletproof, but they demonstrate good faith effort, which matters when regulators come calling.

Invest in a Real Consent Management Platform

If you’re serious about compliance, you need a legitimate consent management platform that actually blocks cookies until consent is given, detects and respects GPC signals, handles both GDPR opt-in and CCPA opt-out requirements, automatically scans and categorizes your cookies, maintains consent records, and updates as laws change.

Yes, good CMPs cost money. But they cost less than one settlement or fine. And unlike cheap cookie banner plugins that create false security, a proper CMP actually protects you.

Review Your Analytics Strategy

Consider whether you actually need all the tracking you currently use. Server-side analytics tools like Fathom or Plausible don’t use cookies and aren’t subject to consent requirements. Google Analytics 4 has privacy-preserving modes, though they’re less effective for targeting. First-party data collection through email lists and direct customer relationships is more valuable and less regulated than third-party tracking.

The third-party cookie is dying anyway. Google is phasing them out. Apple already blocks them. Building your strategy on them is building on sand.

Document Everything

If regulators or plaintiffs come knocking, documentation is your best defense. Keep records of privacy policy changes and when they were implemented, cookie audits and classification decisions, consent management platform configuration, service provider agreements with third-party vendors, and data processing records. Good faith effort matters. Courts and regulators are more lenient with businesses that demonstrate they’re trying to comply, even if they’re not perfect.

What NOT to Do

Some approaches to privacy compliance will backfire spectacularly.

❌ Don’t ignore it completely. The “what they don’t know won’t hurt them” strategy fails. Regulators are actively scanning. Plaintiffs’ attorneys are hunting. The odds of getting caught increase every year.

❌ Don’t use a fake cookie banner. A banner that doesn’t actually control cookies is worse than nothing. It shows you knew about consent requirements but chose a shortcut. That looks like intentional violation, which carries higher penalties.

❌ Don’t assume geofencing works. Some businesses try to show different privacy controls to California or EU visitors. This is technically complex, easily circumvented with VPNs, and doesn’t eliminate risk from users who travel.

❌ Don’t copy someone else’s privacy policy. Your privacy policy must accurately describe YOUR practices. Generic templates won’t match your actual data collection, which creates additional liability.

The Bigger Picture: Privacy as Competitive Advantage

Beyond avoiding legal trouble, privacy compliance can be a business advantage. Eighty-one percent of consumers say data privacy is a growing concern, so transparent privacy practices build trust. First-party data from customers who actively chose to engage with you is more valuable than third-party cookies tracking people who never consented. Third-party cookies are dying anyway, so privacy-first approaches align with where the industry is heading. And fewer third-party scripts mean fewer potential security vulnerabilities and data breach risks.

Privacy isn’t just a legal checkbox. Done right, it’s a business strategy that respects customers while building long-term value.

The Uncomfortable Truth

Here’s something most compliance vendors won’t tell you: the current privacy law landscape is broken.

We have a patchwork of inconsistent state laws. We have vague federal guidance. We have Europe imposing its rules on American businesses. We have technologies like cookies that predate these laws being retroactively regulated. We have enforcement priorities that change with political winds. The regulatory complexity serves lawyers and compliance vendors better than it serves consumers or businesses. Legitimate privacy protection shouldn’t require hiring specialists to decipher arcane regulations.

That said, the law is what it is. Complaining about unfairness doesn’t protect your business. You have to operate in the reality that exists, not the reality you wish existed.

Making Your Choice

So which path do you pick?

For most small and medium businesses, the answer is a pragmatic middle path. Understand your actual risk exposure. Implement basic privacy hygiene with accurate policies and necessary disclosures. Invest in legitimate consent management if you use third-party tracking. Reduce reliance on third-party cookies. Document your compliance efforts. Stay informed as laws evolve.

This won’t eliminate all risk. Nothing will. But it dramatically reduces your exposure while positioning your business for the privacy-first future that’s coming whether we like it or not.

Sephora learned this lesson after paying $1.2 million. Honda paid $632,500. Capital One paid $350,000. The question is whether you want to learn from their experience or repeat it.

The choice, as uncomfortable as it might be, is yours to make. Just remember: doing nothing is still a choice, and it comes with consequences you can’t predict or control.

Need Help with Privacy Compliance?

At Sitez Incorporated, we help small and medium businesses navigate website privacy compliance without breaking the bank. We provide honest assessments, practical solutions, and ongoing support to keep your site compliant and reduce your legal exposure.

We won’t sell you unnecessary tools or promise perfect compliance overnight. Instead, we’ll help you understand your specific risks, implement appropriate privacy measures, and develop a sustainable compliance strategy that fits your budget and business needs.

Let’s talk about your website. Contact us at sitezinc.com for a straightforward conversation about where you stand and what makes sense for your business.
