The Year US Regulators Got Serious About Cookie Consent

Divya Sridhar / May 29, 2025

Anne Fehres and Luke Conroy & AI4Media / Better Images of AI / Hidden Labour of Internet Browsing / CC-BY 4.0

This year has marked a decisive shift in how US regulators enforce consumer privacy rights online. Just a few years after most state omnibus privacy laws began to take effect, states like Connecticut, California, and Texas are showing their appetite for enforcing these measures. One area of focus is ensuring that companies obtain meaningful consumer consent through clear and transparent cookie preferences and policies.

Dropping cookies (digital files that store a user’s choices about what types of information they are clicking on and viewing on a site) can be used to personalize and improve a user’s experience, through data demonstrating the user’s choices, performance, and considerations for advertising. It has become one of the most ubiquitous mechanisms for sharing and tracking consumer data. It is no wonder that the practice is now in focus as low-hanging fruit for enforcers: it has become the default for most industries as they approach website performance improvement, data analytics, advertising, and other tasks that gather data about their website visitors.

State regulators across the country, in states both with and without consumer privacy laws, are sounding the alarm that more action needs to be taken to place guardrails on cookie settings, especially if cookies are being set as the default. In rapid succession following the passage of new state privacy laws, attorneys general from multiple states and leading privacy agencies have aligned around a clear message: the era of vague cookie banners and deceptive consent practices is over. In states where consumer privacy laws are not on the books, like Michigan, regulators are turning to consumer protection language in their unfair or deceptive practices statutes to hold companies accountable.

Regulators are calling out companies for dark patterns, asymmetrical interfaces, and opaque explanations that make it harder to say “no” than “yes” to digital tracking. Companies are now obligated to be transparent about the tracking behaviors and tracking tools they use. Companies should give consumers more autonomy to make decisions about whether and how their personal information can be tracked and to what extent they will permit that tracking to occur. Earlier this year, state attorneys general and privacy agencies launched or resolved major actions against Roku, Honda, and others, signaling that digital advertising practices that once operated in the shadows are now firmly in the enforcement spotlight.

While cookies have been around since the mid-1990s, they have evolved into a powerful and commonly accepted engine of behavioral tracking. Until recently, concrete guardrails for designing cookie banners and disclosures with the average consumer in mind were lacking. But this is all changing.

State-Level Enforcement Sends a Unified Message

In California, the state’s privacy watchdog in March imposed a $632,500 fine on Honda for violating the California Consumer Privacy Act. The agency has emphasized in a recent advisory that cookie consent interfaces must be “symmetrical,” meaning that it must be just as easy to decline tracking as to accept it. No more requiring consumers to toggle to choose between the different non-essential cookie options, with a default set to “accept all.” No more hiding cookie choices behind extra clicks or misleading language. Consent must be clear, direct, and fair.

Connecticut regulators echoed that standard in an enforcement report last month, warning against “dark patterns” and reinforcing the need for cookie banners that present options to accept or reject tracking at the same exact time, with equal visibility, font size, and color. Their report also drew attention to the improper bundling of privacy notices, where consumers are misled or buried in legalese rather than given straightforward information about how their data is collected and shared.

In Michigan — where there is no comprehensive privacy law — the attorney general nonetheless filed suit against Roku in April for, among other violations specific to the collection and sharing of sensitive children’s data, allegedly hiding advertising opt-out mechanisms in the general privacy sections of its website, and not clearly defining the general privacy choices and rights information for the consumer. The Michigan action reinforces that consumer transparency is not just a compliance checkbox; it is a fundamental expectation, even in states without codified privacy statutes.

And in Texas, enforcement actions in the past year against General Motors, Allstate, and Google have emphasized the seriousness of sharing sensitive data — including location and biometric information — without clear, affirmative user consent. While these cases did not directly involve cookies, they are part of the same broader push for accountability in the use of any tracking technologies, particularly when used for advertising, making financial eligibility determinations, or behavioral profiling.

A National Pattern, and a Regulatory Coalition

These state-level actions are not isolated. A new bipartisan “Consortium of Privacy Regulators” — comprising California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon — has emerged with the goal of coordinating investigations and enforcement strategies. This signals a future of more harmonized, aggressive action in the absence of federal legislation.

Federal authorities are also weighing in. The Federal Trade Commission has long warned that deceptive or unfair tracking practices can violate Section 5 of the FTC Act. In 2022, the FTC’s case against Kochava signaled an interest in regulating the data broker ecosystem, particularly the prohibited practice of processing, sharing, and selling sensitive location data without gathering appropriate consumer consent. In 2023, the FTC also published a joint letter with the Department of Health and Human Services (HHS) to convey the importance of companies understanding their website’s tracking tools and whether they are collecting consumers’ data without the consumer’s consent, regardless of whether the tracking tools were enabled intentionally or not. Consent interfaces that trick consumers into sharing data for other purposes without their informed consent, or that bury key options in hard-to-navigate menus, could face further scrutiny at the federal level, especially where sensitive data is involved.

An analysis by a University of Chicago researcher recently explored how certain cookie practices may violate the FTC Act and California’s privacy law and offered useful best practices for consent design — many of which are now being echoed in state-level enforcement actions.

What Companies Should Do Now

The message is clear: companies must take meaningful steps to respect consumer choices and ensure their tracking technologies meet the standards emerging from this wave of enforcement.

Among the key principles:

  • Symmetry in consent: It should be just as easy to decline cookies as to accept them.
  • Transparency in language: Avoid using euphemisms, confusing terms, or vague or ambiguous language like “we use cookies to personalize your experience.” Say clearly what personal information is being processed and tracked, for what purposes, and where more information can be found.
  • Centralized, accessible information: Information and choices specific to targeted advertising and data sharing should not be buried and scattered across a lengthy privacy policy or legal terms — or under obscure sections or ambiguous names like “Tech Privacy Center” or “Trust Center.”
  • Distinguishing advertising choices from other consumer privacy rights: Importantly, consumer choices about targeted advertising are distinct from general privacy settings — and both deserve real attention. Disclosures should not lump them together or mask the specific impact of each. Clearly label the advertising choices hyperlink in the footer (separate from a privacy policy link) and link out to the section(s) where targeted advertising and cookie choices are explained in the privacy policy.
  • No sensitive data sharing without informed opt-in: Sharing sensitive data related to location, health, biometrics, or voice requires explicit, informed consent.
  • Do not track if it could adversely impact consumers: In addition, tracking should be prohibited if it could lead to a consumer being subject to adverse terms or ineligibility for employment, credit, insurance, or medical treatment.

The Road Ahead

Whether through enforcement or voluntary alignment with guiding principles like those of the Digital Advertising Alliance, the direction is clear: the public expects — and regulators now demand — honest, user-friendly digital privacy controls.

For companies relying on digital advertising to power their business models, now is the time to reassess consent mechanisms, audit data-sharing practices, and treat transparency not as a burden but as a competitive advantage. The companies that act now will not only avoid costly enforcement actions — they’ll also build trust with consumers increasingly skeptical of the online ecosystem.

Authors

Divya Sridhar
Dr. Divya Sridhar is the Vice President, Global Privacy Initiatives & Operations at BBB National Programs focused on data privacy and emerging technology policies at the international, federal, and state level.
