A class action complaint filed in the Northern District of California on October 17, 2025, alleges that entertainment and arcade franchise Dave & Buster’s Entertainment Inc., misled website visitors about users’ ability to reject cookies and tracking technologies. The lawsuit, brought by two California residents, claims that the Dave & Buster’s website continued to place third-party cookies and transmit user data to advertising partners even after users selected a “Reject All” option on the site’s cookie banner.
How The Alleged Tracking Works
The complaint explains the website’s alleged use of GET and POST requests, which are two common ways browsers communicate with web servers. A GET request is typically used to retrieve information from a website, such as loading a page, while a POST request is used to send information to the website, such as submitting a form. Here, the plaintiffs allege that, despite users opting out of cookies, the website continued to send data about their browsing activity to third parties, including Meta, Google, TikTok, Microsoft, and X (formerly Twitter), through GET and POST these requests, allowing them to receive information about users’ interactions, location, and other website communications.
Cookie Consent and Third-Party Data Sharing
A key complaint allegation is that Dave & Buster’s website presented users with a pop-up banner offering the ability to “Reject All” cookies used for analytics and advertising. However, the complaint asserts that third-party cookies, including those from major platforms, were still stored on users’ devices even after they rejected cookies. These cookies reportedly transmitted a range of information, including browsing history, site interactions, and location data, to external advertising and analytics partners.
Wiretapping and Pen Register Claims
In addition to multiple privacy and fraud claims, the complaint includes causes of action under California’s Invasion of Privacy Act (CIPA), where the plaintiffs claim that the ongoing transmission of user data constitutes a CIPA violation pursuant to both its wiretapping and pen register provisions. The CIPA wiretapping provision prohibits anyone from intentionally intercepting, tapping, or making an unauthorized connection to a telephone or telegraph wire, as well as willfully reading or attempting to read the contents of a communication in transit without the consent of all involved parties. Although this law originally addressed analog phone lines, plaintiffs are increasingly seeking to apply its protection to modern website tracking technologies. In the Dave & Buster’s lawsuit, the plaintiffs claim that information passed from users’ browsers to the website was captured and shared with third-party companies without proper consent, thus constituting wiretapping under CIPA.
The complaint further alleges that Dave & Buster’s violated CIPA’s pen register provisions. A pen register under CIPA is any device or process that records dialing, routing, addressing, or signaling information from electronic communications. CIPA generally prohibit such devices without a court order. Plaintiffs are increasingly asserting that the definition of “pen register” includes internet tracking technologies like software that logs user data and IP addresses. Here, the plaintiffs allege that Dave & Buster’s allowed third parties to use tracking technologies that recorded users’ interactions with the site, again, without proper consent and in contradiction to the “Reject All” consent management option.
Key Takeaways for Organizations
This latest CIPA complaint provides several considerations for companies concerning website compliance:
- Cookie consent must match practice. If your website allows users to reject cookies or tracking, their choice must be respected in actual practice. Banner options should work as described, not simply appear to offer the user control.
- Transparency is critical: Companies should clearly disclose what data is collected, how it is used, and with whom it is shared. Businesses should also regularly audit their website’s tracking technologies to confirm compliance.
- Understand technical flows: It is important for both technical and non-technical teams to have a basic grasp of how tracking technologies function. Internal stakeholders should understand how GET and POST requests, cookies, and third-party scripts work on their sites. Without this foundational knowledge, implementing tracking technologies can inadvertently create compliance issues, even when everyone is acting in good faith.
As plaintiffs and courts look more closely at consent and tracking, companies should be mindful that their website privacy controls aren’t just for show. CIPA litigation continues to evolve, and finding yourself in the middle of such litigation is no one’s idea of fun and games.
