Data Privacy and Cybersecurity in 2025: Website Tracking - McDermott Will & Emery

Overview


Following our recent client alert, learn more about enforcement targeting website tracking technologies and the impact on organizations in 2025. Elliot Golding and David Saunders share further insights from working with clients on these issues.

In Depth


How has the recent trend in enforcement and litigation, particularly under laws like the California Invasion of Privacy Act, impacted companies’ approach to marketing and data analytics?

Now, more than ever, US and European regulators are targeting cookies and other online tracking technologies (collectively, “cookies”) through extensive investigations and large fines. US litigation, arbitration, and pre-dispute demand letters have increased exponentially. In short, the risk associated with cookies – commonly used for online marketing, analytics, and many other purposes – is greater now than at any other point.

Few companies are disabling marketing or analytics cookies entirely. Although a growing number of companies are switching to an EU-style “opt-in” cookie banner (at least in high-risk jurisdictions like California), implied consent remains the dominant “market” practice – i.e., providing notice but not seeking opt-in consent. However, most companies are taking at least some steps to reduce risk, such as conducting cookie audits, disabling legacy or unused cookies, improving transparency, and other measures described below.

What are some of the steps companies should take to audit their current website tracking practices and ensure they are compliant with the latest regulations?

Companies can take many steps now to reduce cookie risks, including:

  1. Auditing current cookie practices and compliance status, including checking configuration settings and creating a categorized inventory of cookie, server-to-server, and other tracking technologies.
  2. Making key risk and compliance decisions, such as whether and how to use a cookie banner, how to address consumer rights, whether to enable geofencing, and whether to implement heightened controls when processing sensitive information.
  3. Implementing risk decisions by configuring consent tools and web/mobile integrations and updating privacy and cookie notices.
  4. Implementing appropriate vendor management controls, including executing appropriate contracts and configuring cookie account settings to limit third-party data processing.
  5. Testing implementation periodically and checking for common pitfalls.
  6. Documenting key governance procedures, such as technical- and business-facing “standard operating procedures,” cookie change request processes, privacy impact assessments, and testing processes.

What are the common mistakes companies make when implementing cookie management practices?

The most common mistakes companies make involve misclassifying cookies and misconfiguring cookie consent tools. Common examples include:

  1. Loading the cookie banner in the wrong order.
  2. Failing to honor choice (such as promising “opt-in” consent even where cookies fire before there is an opportunity to consent) or failing to disable cookies when a user “opts out” (commonly the result of misclassifying cookies, i.e., labeling analytics cookies as “necessary” and therefore not subject to opt-out/reject buttons).
  3. Not providing consumers with “equivalent” choice in their banner (i.e., only having an “accept” button).
  4. Not accurately describing the cookies in use and what information they are collecting.
  5. Not adding disclaimers when third-party tools (e.g., chat bots, search) are in use on the website.
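
Several of the pitfalls above can be checked mechanically during periodic testing. The following is an added example, not part of the original article or any consent vendor's tooling: it audits an ordered record of one page session for cookies set before consent, cookies set after a reject, trackers labeled "necessary," and a banner with no reject option. The event format, the inventory object, and the name `auditSession` are assumptions, and the sample session is constructed.

```javascript
// Name patterns for widely deployed trackers; extend from your own cookie inventory.
const KNOWN_TRACKERS = [
  { pattern: /^_ga(_|$)/, category: "analytics" }, // Google Analytics
  { pattern: /^_gid$/, category: "analytics" },    // Google Analytics
  { pattern: /^_fbp$/, category: "marketing" },    // Meta Pixel
];

// events: ordered list of { type: "banner" | "consent" | "set-cookie", ... } (assumed format)
// inventory: cookie name -> category declared in the consent tool
// model: "opt-in" (nothing non-essential before accept) or "opt-out" (implied consent)
function auditSession(events, inventory, model) {
  const findings = [];
  let choice = null; // null until the visitor clicks, then "accept" or "reject"
  for (const ev of events) {
    if (ev.type === "banner" && !ev.buttons.includes("reject")) {
      findings.push({ issue: "no-equivalent-choice", cookie: null });
    } else if (ev.type === "consent") {
      choice = ev.choice;
    } else if (ev.type === "set-cookie") {
      const declared = inventory[ev.name] || "undeclared";
      const known = KNOWN_TRACKERS.find((t) => t.pattern.test(ev.name));
      if (declared === "undeclared") {
        findings.push({ issue: "not-in-inventory", cookie: ev.name });
      }
      if (declared === "necessary" && known) {
        findings.push({ issue: "misclassified-as-necessary", cookie: ev.name });
      }
      // Judge the cookie by what it is known to do, not by its label.
      const effective = known ? known.category : declared;
      if (effective === "necessary") continue;
      if (choice === "reject") {
        findings.push({ issue: "set-after-reject", cookie: ev.name });
      } else if (choice === null && model === "opt-in") {
        findings.push({ issue: "set-before-consent", cookie: ev.name });
      }
    }
  }
  return findings;
}

// Constructed session, not captured from any real site.
const SAMPLE_EVENTS = [
  { type: "set-cookie", name: "_ga" },        // fires before the banner renders
  { type: "banner", buttons: ["accept"] },    // no reject button offered
  { type: "set-cookie", name: "session_id" },
  { type: "consent", choice: "reject" },
  { type: "set-cookie", name: "_fbp" },       // still set after the reject
  { type: "set-cookie", name: "chat_widget" }, // third-party tool missing from inventory
];
const SAMPLE_INVENTORY = { _ga: "necessary", session_id: "necessary", _fbp: "marketing" };

console.log(auditSession(SAMPLE_EVENTS, SAMPLE_INVENTORY, "opt-in"));
```

Under the "opt-out" model the same session produces every finding except the pre-consent one, which mirrors the distinction the article draws between opt-in banners and implied consent.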

What are some concerns that your clients have regarding website tracking technologies, and how do you address them?

Most clients are frustrated by threats of large statutory damages for what seem like “hypertechnical” violations of archaic laws and the lack of clear direction about what to do. Given the unsettled nature of the ongoing civil litigation on the critical question of whether state wiretapping laws require express or implied consent, the biggest concern from clients is how to accurately scope their risk.

We help our clients assess levels of risk that they may face by first understanding what types of technologies are in use on a particular website along with a client’s risk tolerances for litigation and regulatory risk given the business benefits of those technologies. With those two inputs, we then work with clients to design and implement risk mitigation strategies that are right for them.
