Beyond data breaches: Court ruling signals broader CCPA liability for tracking technologies

Contributors:

Jennifer Dickey

AIGP, CIPP/E, CIPP/US, CIPM, CIPT, FIP

Data Privacy and AI Associate Attorney

Dykema

Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

A March ruling from the U.S. District Court for the Northern District of California could significantly reshape the scope of consumer privacy litigation under the California Consumer Privacy Act.

In Shah v. Capital One Financial Corporation, the court ruled claims can proceed based not on a data breach, but on the unauthorized disclosure of personal information via embedded tracking tools. This signals a growing judicial openness to interpreting the CCPA's private right of action more broadly to reach beyond security incidents.

As plaintiffs' lawyers continue to push the boundaries of privacy enforcement, the ruling may mark a shift that expands litigation risk for companies that rely on analytics and adtech tools. The case also raises questions about how businesses approach consent, transparency and third-party data flows.

Case overview

In Shah v. Capital One Financial Corporation, plaintiffs alleged the company's website employed third-party tracking tools, such as Meta Pixel and Google Analytics, that collected and transmitted users' personal and financial information to advertisers without proper consent.

The court denied Capital One's motion to dismiss several key claims, notably under the CCPA, California Invasion of Privacy Act, and the Electronic Communications Privacy Act. The California Invasion of Privacy Act, a California wiretapping statute, prohibits the unauthorized interception or recording of communications, and has increasingly been used in privacy litigation targeting website session replay and tracking technologies. The Electronic Communications Privacy Act, a federal law originally designed to protect against government surveillance, has similarly become a tool for plaintiffs challenging interception of electronic communications by private entities through embedded website tracking tools.
