Burger King Sued for Faulty Consent Banner

A class action lawsuit against Burger King for data privacy violations could be headed to trial. Burger King was sued for a faulty consent banner on its website, with plaintiffs alleging that the fast-food giant continued to track user activity and private communications even after their clear rejection of cookies and other tracking technologies. The lawsuit alleged that Burger King violated multiple consumer privacy laws, including the wiretapping and pen register provisions of the California Invasion of Privacy Act (CIPA). Now a federal court in California has issued a ruling that allows claims for fraud, unjust enrichment, and intrusion upon seclusion to proceed.

To learn more about the data privacy class action against Burger King, keep reading.

Burger King Accused of Collecting Website Visitor Data Without Permission

The Defendant in the class action lawsuit is Restaurant Brands International, Inc. Restaurant Brands International is the parent company of several major fast-food chains, including Burger King, Tim Hortons, Firehouse Subs, and Popeyes.

The named plaintiff in the class action lawsuit is a California resident who visited the Burger King website to browse information about restaurant products and locations. He checked the box on the website’s consent banner to opt out of the sale/sharing of his personal information, as well as all internet “cookies.” However, according to the complaint, Burger King ignored the plaintiff’s request and continued to collect his personal information without consent.

Lawsuit: Burger King Website Has Faulty Cookie Consent Banner

The Burger King website features a pop-up window that ostensibly gives users the ability to indicate their cookie consent preferences and to opt out of having their website activity tracked. According to the complaint, the website “immediately” presents site visitors with the cookie consent banner when they land on the homepage.

The Burger King consent banner reportedly states: “This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising, and analytics partners.”

Site visitors are offered the option to “Accept Cookies,” or they can click “Cookie Settings” to decline the placement of cookies and tracking technologies on their personal devices. When users click the “Cookie Settings” button, the website displays a “cookie consent preferences window” with a toggle switch that gives users the right to opt out of the sale of their personal information: users can move the toggle switch to opt out and then click a “Confirm my Choices” button.

Even after users elect to opt out of cookies, however, the Burger King website allegedly continues to cause cookies to be placed on users’ devices and to transmit user data to third parties. The named plaintiff in the class action suit believed that following the steps on the site would allow him to decline all cookies and other tracking technologies, so he continued browsing the site without realizing that Burger King was still collecting his personal information.

What Type of Customer Data Is Collected by Trackers on the Burger King Website?

The trackers allegedly used on the Burger King site include targeting cookies and performance cookies. These cookies can cause the disclosure of user data to third parties, including social media companies, data brokers, and analytics companies. In other words, third parties were allegedly able to track and collect site visitors’ private communications as they browsed the Burger King website.

The confidential user data allegedly collected by third parties via the Burger King website included:

• Browsing History: Information about which website pages the user visited. This data includes URLs, page titles, and amount of time spent on a page.
• Visit History: Information about the total number of visits to the website, as well as how often the user visited the site.
• Website Interactions: Information about which links or ads the user clicked on.
• User Input Data: Information that the user entered on the website, such as name, contact information, location, and payment information.
• Demographic Information: Data about the user’s age, gender, and location based on interactions with the website.
• Interests and Preferences: Information about the user’s interests based on the user’s interactions with the site, such as pages viewed and products searched.
• Shopping Behavior: Information about website products viewed or added to online shopping carts.
• Device Information: Details about the user’s device, including whether it is mobile, tablet, or desktop.
• Referring URL: Information about what website the user was on before they landed on the Burger King site.
• Session Information: Information about the user’s browsing session, including the date and time, session duration, and actions on the site.
• Geolocation Data: Information about the user’s location based on their IP address or GPS data.
• User Identifiers: This is a unique ID assigned to the user to track their activities across different websites.

In its pre-trial ruling denying Burger King’s motion to dismiss the class action, the federal court declared that all of these are categories of information in which California consumers have a protectable privacy interest.

Class Action Lawsuit Against Burger King in California Northern District Court

A class action lawsuit, Pemberton v. Restaurant Brands International, Inc., was filed against Burger King in the United States District Court for the Northern District of California. The plaintiffs alleged that Burger King stored third-party cookies on site visitors’ devices when they interacted with the Burger King website, and then that user data was transmitted to third-party companies without permission. This means that unauthorized third parties were allegedly able to surreptitiously track users in real time and collect their personal information, including browsing activities and private communications.

As a result of this alleged wrongdoing, the plaintiffs sued Burger King for violations of multiple data privacy laws:

• Invasion of privacy
• Intrusion upon seclusion
• Wiretapping violations of the California Invasion of Privacy Act (CIPA)
• Pen register violations of CIPA
• Fraud, deceit, and misrepresentation
• Unjust enrichment
• Trespass to chattels

Court Rejects Motion to Dismiss Burger King Data Privacy Lawsuit

The Defendant attempted to get the lawsuit thrown out before trial by filing a motion to dismiss. The U.S. District Court considered arguments from both sides before denying the motion to dismiss and allowing the data privacy lawsuit against Burger King to move forward.

Importantly, the federal court ruled that the allegations that Burger King deprived website users of control over their personal information did, in fact, constitute a sufficiently concrete injury for Article III standing purposes.

The court did not rule on the merits of the CIPA claims against Burger King because those claims came too late: they were time-barred by the statute of limitations. However, the court found that the plaintiff plausibly alleged claims for invasion of privacy, intrusion upon seclusion, fraud, and unjust enrichment due to the website’s faulty consent banner.

Federal Court: Plaintiff Has Article III Standing to Sue Burger King for Faulty Consent Banner

As set forth by Article III of the U.S. Constitution, a plaintiff must have a “personal stake” in any case that they bring in federal court. This is also known as the “case or controversy” requirement. Unless the case involves an actual, ongoing conflict that personally affects the plaintiff, then the plaintiff does not have standing to sue and the case will be dismissed.

A plaintiff can establish that they have Article III standing to sue by showing that:

1. They suffered an actual injury that is concrete and particularized.
2. The injury was caused by the defendant.
3. The injury can be redressed by the court.

In the data privacy lawsuit against Burger King, the district court cited legal precedent for right to privacy violations being legally actionable. The court specifically pointed to previous rulings that there was a concrete injury suffered when Google, Facebook, or any other third party tracked a person’s internet browser activity without authorization. The court also noted that consumer privacy statutes like the California Invasion of Privacy Act (CIPA) “codify a substantive right to privacy,” with violations of that right “giving rise to a concrete injury sufficient to confer standing.”

The named plaintiff in the class action against Burger King alleged that the fast-food company deprived him of control of his personal information by tracking his online activity without consent. This unauthorized tracking due to a faulty consent banner, said the court, constituted “a concrete injury to his right to privacy sufficient for Article III standing.”

Intrusion Upon Seclusion Claim: Burger King Covertly Collected Customer Data

Intrusion by seclusion is a type of invasion of privacy that involves someone intentionally encroaching on another person’s personal space. These types of claims are commonly brought in cases involving illegal wiretapping, eavesdropping, or other forms of surveillance.

When bringing an intrusion upon seclusion claim, a plaintiff must show two things:

1. There was a reasonable expectation of privacy.
2. The intrusion was “highly offensive.”

The U.S. District Court in the Burger King case evaluated the first element – whether a reasonable expectation of privacy existed – by considering “the customs, practices, and circumstances surrounding the data collection.” Here, the court concluded that the plaintiff may have had a reasonable expectation that their personal data would remain private because the Defendant allegedly gained unwanted access to the data by covert means: since the Burger King website’s cookie consent banner represented to visitors that their browsing activity and private communications would remain private, site users had every reason to expect that their data would not be collected and shared with others.

On the second element of the intrusion upon seclusion claim, the court determined whether the alleged privacy intrusion by Burger King was highly offensive by considering “the degree and setting of the intrusion.” Here, the court said that the Defendant’s intrusion may have been highly offensive because they allegedly lied to consumers with their cookie consent banner and “lulled them into a false sense of security.”

Burger King Accused of Committing Fraud, Deceit, and Misrepresentation

The California Northern District Court found that the plaintiff sufficiently alleged the elements of a fraud claim against Burger King. Specifically, the plaintiff alleged the “who, what, when, where, and how” of the misconduct:

• Who: Burger King.
• What: Defendant caused plaintiff to believe they could use the consent banner’s toggle switch to opt out of the sale of their personal information.
• When: Date when plaintiff visited the site.
• Where: Burger King website’s cookie window.
• How: Defendant caused user data to be transmitted to third parties without consent.

In the pretrial stage, the Defendant tried to argue that the plaintiff failed to show that Burger King “knowingly” concealed or lied about the website cookie window. But the court disagreed, finding that the plaintiff suitably alleged that the misrepresentations in the Burger King cookie consent banner constituted “outright lies.” Moreover, the court noted the plaintiff’s allegations that these misrepresentations about how the website functioned were “actively concealed” by the Defendant.

Unjust Enrichment Claim: Burger King Benefitted Financially from Unauthorized Collection of Consumer Data

The district court also rejected the Defendant’s efforts to dismiss the unjust enrichment claim against Burger King. The court said it’s plausible that Burger King unfairly retained a benefit at the plaintiff’s expense: namely, financial benefits and unjustly earned profits realized from Burger King’s unauthorized collection of consumers’ personal data on the company’s website. Here, the court noted that Burger King allegedly transmitted cookies to site visitors’ devices and then used those cookies to boost the company’s performance and revenue through advertising.

The court also emphasized the broad nature of the personal information allegedly collected by Burger King, as well as the possible fraud committed to acquire the information.

Consumers’ Personal Information Has Substantial Economic Value

The opinion in Pemberton v. Restaurant Brands International may have created new legal precedent by expanding on the economic aspects of data privacy violations. The U.S. District Court said that the personal information allegedly infringed by Burger King “has value as demonstrated by the use and sale of consumers’ browsing activity.” In other words, when a company like Burger King intercepts, collects, and then shares customer data without permission, they may be causing substantial economic injury to victims.

As support for the idea that consumers’ personal information can have significant financial value, the court noted that social media companies and data brokers can profit from the unauthorized use of this information.

California Consumer Privacy Act (CCPA) and Faulty Consent Banners

California is known for going to great lengths to protect consumers against data breaches and data privacy violations. In fact, California lawmakers actually passed the first state privacy law: the California Consumer Privacy Act (CCPA).

Since the CCPA does not create a private right of action to file a civil suit in most cases, the statute was not cited by the plaintiff in the Burger King case. However, the CCPA is relevant to faulty consent banner claims because the law explicitly gives consumers control over their sensitive personal information. Specifically, the law gives consumers the right to stop companies from selling their data to third parties by submitting an opt-out request. Moreover, a subsequent data privacy law known as the California Privacy Rights Act (CPRA) enhanced that CCPA right by allowing consumers to stop both the sale and the sharing of their data with advertisers.

Healthline’s CCPA Settlement

Companies that violate the CCPA are subject to significant penalties. For example, Healthline, the popular health and wellness website, agreed to pay $1.55 million for not providing functioning opt-outs. Like Burger King, Healthline was accused of failing to disable cookies after website visitors checked a box on a cookie consent banner to opt out of tracking. Additionally, the California Department of Justice investigated and found that Healthline did not honor user requests to stop targeted advertisements from third parties.

The $1.55 million fine was the largest penalty ever issued against a CCPA violator, which should give some indication of the willingness of California lawmakers, agencies, and courts to do what is necessary to protect consumers against egregious data privacy violations.

Contact the California Data Privacy Lawyers at Tauler Smith LLP

Both big and small companies often collect data from visitors to their websites. Sometimes, these companies violate the terms of their own cookie consent banners and collect data even after a user has opted out. If you are a California resident who visited a website with a faulty consent banner, your personal information may have been shared with others.

The California data privacy attorneys at Tauler Smith LLP represent plaintiffs in these cases. Call or email us now.