How Cookie Use and Generic Privacy Policies Create Legal Risk
Heather Antoine
Partner, Technology & Intellectual Property
Abstract
Heather Antoine, Partner in the Technology & Intellectual Property Group at Stoel Rives, highlights the growing legal exposure companies face from using advertising cookies. She explains how plaintiffs’ attorneys are increasingly targeting businesses with invasion of privacy claims tied to cookie use on platforms like Meta, YouTube, and others. With the law still unsettled in this area, companies often find themselves forced to settle to avoid costly litigation.
Antoine also cautions against relying on one-size-fits-all privacy policies. She emphasizes the importance of tailoring these policies to account for varying legal obligations across jurisdictions, such as the CCPA and GDPR. Drawing on her extensive experience, she shares how a well-structured, customized approach can help companies manage compliance and reduce risk in a rapidly evolving privacy landscape.
Transcript
Hi, I am Heather Antoine. I am a partner at Stoel Rives in the Sacramento office. I am in the Technology and Intellectual Property Group, and I represent clients nationwide in consumer products, health and wellness, and technology.
Are website cookies a legal trap companies are underestimating?
On the privacy front, one thing that a lot of my clients have had to face lately is demands by plaintiffs' attorneys for invasion of privacy claims that are made. And those claims are essentially saying that if you use advertising cookies, Meta, Facebook, Instagram, YouTube, anything you can think of, any sort of advertising cookies, that that is an invasion of privacy. Many of our clients have faced those demands. The law is extremely unsettled on this topic so it makes it pretty frustrating for clients. They often feel it is something they just have to settle because the cost of proceeding is so much higher. That is something that a lot of our clients have been facing.
Is your privacy policy too generic to protect your business?
There is no such thing as a blanket privacy policy. Really what we try to do is customize it, and it depends on what jurisdictions that company is in and that they need to be protected for. What we try to do is find what is the commonality between everything that needs to be addressed, whether it is the CCPA, the GDPR or any other laws, account for those, and then figure out what the outliers are and also account for those. When you have been doing it for as long as I have, you tend to figure out what those are a little bit quicker than hopefully it would take otherwise.