Cal. Penal Code § 631 — consent-defect theory

Broken Cookie Banner / Consent-Defect Cases

The cleanest CIPA posture: the site presents a consent banner and then ignores it — trackers fire before any interaction, or keep firing after the user clicks Reject. The defect is observable in a single clean browser session, which makes the consent element essentially self-proving if the session was captured and sealed correctly.

Elements & controlling authority

Defendant operates an interactive consumer website collecting personal information from California users
Cal. Penal Code § 631(a); Javier v. Assurance IQ, 49 F.4th 1207, 1213 (9th Cir. 2022).
The consent mechanism is dispositively defective — observable in a single clean session
Smith v. LoanMe, Inc., 11 Cal.5th 183, 191 (2021); In re Meta Pixel, 647 F. Supp. 3d at 798 (consent must be informed and contemporaneous).
Third parties intercepted communications while consent was absent or affirmatively rejected
Cal. Penal Code § 631(a) (clauses 2–3); In re Meta Pixel, 647 F. Supp. 3d at 796.
The intercepted data included contents of communications
Brown v. Google LLC, 525 F. Supp. 3d 1049, 1066 (N.D. Cal. 2021); In re Facebook Internet Tracking, 956 F.3d 589, 605–08 (9th Cir. 2020).
Injury — statutory damages and Article III standing via intrusion-upon-seclusion analogy
Cal. Penal Code § 637.2(a); TransUnion v. Ramirez, 594 U.S. 413 (2021).

The evidence you need — and what we capture

Pre-consent capture: every tracker that fired before the banner was touched
Post-reject capture: non-essential trackers that kept firing after the user clicked Reject
Screenshot trail of the banner state at each capture point
Accept/Reject symmetry audit of the banner itself

Every capture is sealed at collection: SHA-256 hash-chained artifacts with RFC 3161 trusted timestamps, a methodology block, and a documented scope of audit. If the defendant changes the site tomorrow, the record of today survives.

Damages framework

Cal. Penal Code § 637.2(a): $5,000 per violation or treble actual damages, plus injunctive relief. The consent-defect posture also weakens the standard arbitration defense — assent obtained through the same defective UX is vulnerable on the same facts.

Frequently asked

Is a cookie banner enough for consent under CIPA?

Not if trackers fire before the user interacts with it, or keep firing after the user clicks Reject. Consent must be obtained, informed, and contemporaneous with the recording — a banner the site ignores is not consent.

How do you prove a broken consent banner?

A single clean browser session captures it: which trackers fired pre-interaction, and which non-essential trackers continued after a Reject click, each timestamped and sealed.

Pre-vetted defendants in this lane are live on the marketplace. Each listing clears arbitration-posture review, a prior-litigation screen against the federal docket, and a human editorial gate before it appears. First buyer takes the defendant exclusively.

Browse 21 live Broken Cookie Banner / Consent-Defect listings →