Tracking After Opt-Out: An Emerging Privacy Litigation Theory

Executive Summary

A new frontier in privacy litigation is emerging around a straightforward factual pattern: consumers use a website's opt-out mechanism — a cookie banner, a privacy settings page, a Global Privacy Control signal — and the website continues tracking them anyway. This gap between opt-out promise and opt-out reality represents a growing source of plaintiff-side litigation under CIPA, the CCPA, state consumer protection statutes, and FTC enforcement actions.

Key insight for plaintiff attorneys: the evidence is often hiding in plain sight. Network traffic analysis frequently reveals that third-party scripts continue firing after a user clicks 'decline' or enables GPC. The technical disconnect between consent management platforms (CMPs) and the actual behavior of tracking scripts creates a systematic, provable pattern of non-compliance that is well-suited to class treatment.

Legal Background: The Opt-Out Gap

The legal obligation to honor opt-out signals arises from multiple sources. Under the CCPA (as amended by the CPRA), businesses must honor both explicit opt-out requests and Global Privacy Control (GPC) browser signals. Failure to do so constitutes a violation enforceable by the California Attorney General and, in some circumstances, through a private right of action.

Under CIPA § 631, continued tracking after opt-out strengthens the argument that interception occurred without consent — because the user's affirmative rejection of tracking eliminates any implied consent defense. Under state consumer protection statutes, post-opt-out tracking can constitute deceptive practices where the website's privacy representations create expectations that tracking will cease.

The FTC has increasingly treated post-opt-out tracking as an unfair or deceptive practice under Section 5, and several enforcement actions in 2024-2025 targeted companies whose opt-out mechanisms did not actually prevent data collection. While FTC actions do not create private rights of action, they establish precedent and generate compliance pressure that can benefit parallel private litigation.

Litigation Landscape and Claim Theories

Post-opt-out tracking claims are being brought under several legal theories. CIPA § 631 claims argue that tracking after opt-out constitutes interception without consent, since the consumer's affirmative opt-out negates any prior consent. CCPA/CPRA claims target failures to honor GPC signals or explicit 'Do Not Sell/Share' requests. State UDAP (Unfair and Deceptive Acts and Practices) claims frame continued tracking as a deceptive practice that contradicts the website's privacy representations.

The factual pattern common to these claims is a disconnect between the consent management platform (CMP) — the tool that presents the cookie banner and records user preferences — and the actual behavior of third-party scripts on the page. In many cases, clicking 'decline' or 'opt out' updates the CMP's internal record but fails to prevent third-party JavaScript from loading and transmitting data. This disconnect is technically demonstrable and creates a strong evidentiary foundation.

Class certification is favorable because the tracking behavior is uniform across all users who opt out on a given website. The question of whether opt-out mechanisms actually function as represented is a common factual question that predominates over individual issues.

Evidence Strategy: Proving the Gap

The evidentiary approach for post-opt-out tracking cases is highly technical but reproducible. The core evidence consists of comparative network traffic analysis: capture all HTTP requests before and after opt-out, then demonstrate that third-party tracking requests continue unchanged despite the user's opt-out action.

This involves recording network traffic in a controlled environment (before opt-out, after opt-out via cookie banner, and after opt-out via GPC signal), then comparing which third-party requests fire in each scenario. When the tracking requests are identical regardless of consent status, the evidence of non-compliance is dispositive.

CMP configuration analysis can reveal whether the consent management platform is properly integrated with all tracking scripts. In many cases, CMPs are deployed as a compliance overlay but are never connected to the actual tag management system — meaning the banner functions as a cosmetic element that collects consent data but does not actually gate tracking behavior.

Firms should collect evidence before notifying the defendant. As with CIPA claims generally, defendants frequently modify their configurations after receiving notice of a claim. Pre-filing preservation of network traffic evidence is critical.

Motion-to-Dismiss Risks

Standing arguments follow the pattern of other privacy claims: defendants argue that continued tracking without concrete downstream harm is insufficient for Article III standing. State court filings mitigate this risk. In California, state courts have been receptive to privacy claims based on the violation itself.

Consent defenses may assert that the initial page load constituted implied consent, or that the privacy policy's disclosure of third-party tracking eliminates any deception. The strongest plaintiff response is the specificity of the opt-out: where a user takes an affirmative action to reject tracking — and the website represents that this action will be effective — continued tracking despite that action is difficult to characterize as consensual.

Preemption arguments under the CCPA may arise where defendants argue that the CCPA's enforcement framework preempts common-law or UDAP claims. This varies by jurisdiction and claim theory.