District Court Rulings Could Signal Expansion of California Consumer Privacy Right of Action

Skadden, Arps, Slate, Meagher & Flom LLP

In two recent rulings, judges in the U.S. Northern District of California have allowed proposed class actions under the California Consumer Privacy Act (CCPA) to proceed without an allegation of a data breach, departing from past precedent. The CCPA contains a limited private right of action that allows individuals to bring suit if personal data about them is exposed via “unauthorized access, exfiltration, theft, or disclosure” due to a business’s failure to implement “reasonable security measures.”

While this provision has been generally understood to apply only in the case of a data breach, the two California judges have allowed class actions to continue where websites have allowed third parties, such as Google and Meta, to place cookies and similar technologies to collect information about users.

This extension of the CCPA’s private right of action, if upheld, could result in a significant uptick in private CCPA litigation, exposing businesses to statutory damages for alleged privacy missteps.

Overview

The CCPA provides a private right of action for any “consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security practices.” Cal. Civ. Code §1798.150(a)(1). Suits brought under this provision have typically been related to data breach incidents. Yet the two recent district court decisions interpreted this provision more broadly to cover disclosure of personal information through third-party cookies and similar technologies embedded in a company’s website.

In Shah v. Capital One Financial Corp.,1 the court denied Capital One’s motion to dismiss plaintiffs’ CCPA claims. Plaintiffs alleged that Capital One violated the CCPA by allowing third parties such as Google, Facebook/Meta Pixel and Microsoft to embed trackers in Capital One’s website that transmitted personal information about the plaintiffs to these third parties. Capital One argued that the claim should be dismissed because the CCPA was intended to address traditional data breaches where the information is stolen by an unauthorized third party. The court rejected this argument, holding that plaintiffs need not allege a data breach, interpreting “unauthorized access and exfiltration, theft, or disclosure” of personal information broadly to mean disclosure of personal information to third parties without consent.

In support of this interpretation, the court cited another recent Northern District of California decision, M.G. v. Therapymatch.2 In M.G., plaintiff alleged that Therapymatch’s privacy policy did not disclose the fact that the embedded Google Analytics technology on its website allowed Google to intercept and collect personal information in violation of the CCPA. The court denied Therapymatch’s motion to dismiss, holding that a data breach is not required for the CCPA’s private right of action to apply, citing prior decisions allowing claims to continue where plaintiffs alleged unauthorized disclosure of personal information owing to the businesses’ failures to maintain reasonable security practices (in one case, resulting in financial losses).

Although not the first instances of this interpretation of the CCPA,3 these decisions conflict with others that have held that the private right of action only applies to cases of data security breaches.4 The Supreme Court of California has not addressed this issue, so the boundaries of the right of action remain uncertain.

Implications for Businesses

Since its enactment in 2020, the CCPA has led to ever increasing litigation involving data breaches. A key component of this rise in litigation is the CCPA’s statutory damages provision, which allows plaintiffs to receive monetary damages ranging from $100 to $750 per individual per violation. The effect of these statutory damages is twofold. First, businesses that hold personal information can quickly accumulate significant potential exposure under the CCPA when the statutory damage amount is multiplied by large groups of plaintiffs. Second, these statutory damages mean plaintiffs need not prove actual damages to receive significant monetary awards.

Expanding the CCPA’s private right of action beyond the traditional data breach context to the use of third-party technologies on the internet without user consent could expose many more businesses to CCPA liability without warning, as the use of third-party technologies on websites for analytics and targeted advertising purposes is standard market practice. A consent requirement would constitute a notable departure from the current law, which has previously been understood, even by California’s own Attorney General and the California Privacy Protection Agency,5 to require only that companies offer and honor opt-outs of these practices.

How Businesses Can Respond

Businesses should take the following actions to both assess and respond to these risks:

Develop and publish compliant disclosures. Providing accurate descriptions of personal information practices in privacy notices, customer-facing apps and web pages that reflect actual use and sharing practices, together with mechanisms for customers to make informed choices about the use of their personal information, helps maintain consumer trust and avoid scrutiny. Companies should review these disclosures regularly to ensure they accurately describe data practices.

Monitor the use of third-party technologies. Many companies use third-party pixels, cookies and similar technologies to track user activity, improve analytics or generate targeted advertising. Inventorying and mapping personal information can help identify what data is shared with third parties via website technologies and whether the company is engaging in activities that would require more data rights, such as the right to opt out of a “sale” or “sharing” of personal information. Data mapping can also help to identify whether the company is engaging in a “sale” (defined under many state privacy laws, including the CCPA, as a disclosure of personal information in exchange for any valuable consideration) or a “sharing” (defined as the disclosure of personal information to provide cross-context behavioral advertising).

Companies should evaluate what personal information is being shared with these third parties and for what purposes to ensure that the company can accurately process opt-out requests when required. Third-party data-sharing practices have come under heightened regulatory scrutiny when they involve potentially sensitive personal data, including health and geolocation information, and may become a focus for private litigants. Going forward, companies should ensure that disclosure of their use of these technologies is clear to consumers in privacy notices.
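The inventory step described above starts with knowing which external hosts a page actually loads scripts, pixels and frames from. The following is an added example, not code from the article or from Skadden, that parses a page's HTML with the Python standard library and lists every non-first-party host together with the tag types that reference it, so the output can feed a data-mapping review. The page markup and all hostnames in it are constructed sample values (reserved .example domains), and the first-party host list is an assumed input.

```python
"""Inventory third-party resources embedded in a web page (added example).

Given a page's HTML and the site's own hostnames, list each external host
that the page fetches scripts, images (tracking pixels), iframes or linked
resources from. All sample markup and hostnames below are constructed.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that makes the browser fetch a remote resource.
_SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ThirdPartyInventory(HTMLParser):
    """Collects hosts of remote resources that are not first-party."""

    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.found = defaultdict(set)  # host -> set of tag names

    def _is_first_party(self, host):
        # Exact match or any subdomain of a declared first-party host.
        return any(host == fp or host.endswith("." + fp) for fp in self.first_party)

    def handle_starttag(self, tag, attrs):
        attr = _SRC_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # urlparse handles absolute and scheme-relative ("//host/...") URLs;
        # a relative path has no hostname and is treated as first-party.
        host = urlparse(value).hostname
        if host is None:
            return
        host = host.lower()
        if not self._is_first_party(host):
            self.found[host].add(tag)


def inventory_third_parties(html, first_party_hosts):
    """Return {external_host: sorted list of tag types referencing it}."""
    parser = ThirdPartyInventory(first_party_hosts)
    parser.feed(html)
    parser.close()
    return {host: sorted(tags) for host, tags in sorted(parser.found.items())}


# Constructed sample page: one first-party site plus three embedded vendors.
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://tags.analytics-vendor.example/collect.js?id=SAMPLE"></script>
  <link rel="stylesheet" href="//cdn.bank-example.com/site.css">
</head><body>
  <img src="https://pixel.adnetwork.example/tr?ev=PageView" height="1" width="1">
  <iframe src="https://widgets.chat-vendor.example/embed"></iframe>
  <img src="https://www.bank-example.com/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for host, tags in inventory_third_parties(SAMPLE_HTML, ["bank-example.com"]).items():
        print(f"{host}: {', '.join(tags)}")
```

This static pass only sees resources written directly into the HTML; tag managers and scripts that inject further trackers at runtime will not appear, so a complete inventory also needs a browser-based crawl that records network requests after the page has executed. Compare the resulting host list against the vendors named in the privacy notice and the opt-out signals the consent tooling is expected to honor.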

Implement consent-management tools. When properly managed, consent-management tools can help companies obtain opt-in consent or allow opt-out rights, in line with federal and state laws for use of third-party cookies or other technologies that transmit data for targeted advertising, profiling or other potentially unanticipated purposes.

Conduct regular training and awareness programs. Employees play a critical role in governing and maintaining cybersecurity and data privacy measures. Regular training and awareness programs should be documented and can help ensure that staff are knowledgeable about best practices and the latest threats.

Stay informed on legal and regulatory changes. The legal and regulatory landscape of the CCPA and privacy law generally is constantly evolving. Companies should stay informed to ensure ongoing compliance and minimize legal risk.

_______________

1 No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025).

2 M.G. v. Therapymatch, Inc., No. 23-CV-04422-AMO, 2024 WL 4219992 (N.D. Cal. Sept. 16, 2024).

3 See, e.g., Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898 (S.D. Cal. 2020).

4 See, e.g., McCoy v. Alphabet, Inc., No. 20-CV-05427-SVK, 2021 WL 405816 (N.D. Cal. Feb. 2, 2021); In re TikTok, Inc., Consumer Priv. Litig., 617 F. Supp. 3d 904 (N.D. Ill. 2022).

5 See Office of California Attorney General, California Consumer Privacy Act Frequently Asked Questions (FAQs): B. Right to Opt-Out of Sale or Sharing 1. What is the right to opt-out? (last updated Mar. 13, 2024); California Privacy Protection Agency, Frequently Asked Questions (FAQs): General Information about the CCPA: For California Residents: 7. What rights do I have under the CCPA? (last visited Apr. 15, 2024).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Skadden, Arps, Slate, Meagher & Flom LLP
