Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

A March ruling from the U.S. District Court for the Northern District of California could significantly reshape the scope of consumer privacy litigation under the California Consumer Privacy Act.

In Shah v. Capital One Financial Corporation, the court ruled claims can proceed based not on a data breach, but on the unauthorized disclosure of personal information via embedded tracking tools. This signals a growing judicial openness to interpreting the CCPA's private right of action more broadly to reach beyond security incidents.

As plaintiffs' lawyers continue to push the boundaries of privacy enforcement, the ruling may mark a shift that expands litigation risk for companies that rely on analytics and adtech tools. The case also raises questions about how businesses approach consent, transparency and third-party data flows.

Case overview

In Shah v. Capital One Financial Corporation, plaintiffs alleged the company's website employed third-party tracking tools, such as Meta Pixel and Google Analytics, that collected and transmitted users' personal and financial information to advertisers without proper consent.

The court denied Capital One's motion to dismiss several key claims, notably under the CCPA, California Invasion of Privacy Act, and the Electronic Communications Privacy Act. The California Invasion of Privacy Act, a California wiretapping statute, prohibits the unauthorized interception or recording of communications, and has increasingly been used in privacy litigation targeting website session replay and tracking technologies. The Electronic Communications Privacy Act, a federal law originally designed to protect against government surveillance, has similarly become a tool for plaintiffs challenging interception of electronic communications by private entities through embedded website tracking tools.

Together, these statutes reflect a growing trend of litigation using older communications laws to address modern digital privacy harms.

Key legal findings

The court's decision clarified that the unauthorized disclosure of personal information through embedded tracking technologies can violate the CCPA, even absent a traditional data breach. Specifically, the court found that because the plaintiffs allege Capital One "allowed third parties to embed trackers, such as Google and Microsoft, on its website and that these trackers transmitted Plaintiffs' personal information," their claims were sufficient under the CCPA.

Additionally, the court upheld claims under the California Invasion of Privacy Act, determining that intercepting and recording electronic communications through tracking tools without explicit consent could breach state wiretapping laws. Lastly, the court allowed claims under the Electronic Communications Privacy Act to proceed, finding that even a party to a communication may be liable if it intercepts electronic communications via tracking technologies without proper consent.

Implications for businesses

The ruling underscores the necessity for businesses to reassess their data collection and sharing practices, particularly concerning third-party tracking technologies. For companies relying on adtech or other embedded third-party tools, the Shah ruling offers a reminder that compliance with privacy laws requires more than data breach response protocols.

Businesses should take proactive steps to assess and address the legal risks associated with routine tracking technologies, including:

  • A comprehensive audit of tracking technologies. Businesses should inventory all third-party tracking tools on their websites, understanding the nature of data collected and shared.
  • Enhanced transparency in privacy policies. Privacy disclosures must accurately reflect data collection practices, specifying the types of data collected, purposes of collection, and third parties involved.
  • Robust consent mechanisms. Implement clear and accessible consent mechanisms that ensure users are informed and can effectively opt out of data sharing practices.
  • Review and update vendor agreements. Ensure contracts with third-party service providers include provisions that align with CCPA requirements, particularly concerning data use limitations and security obligations.
  • Monitor legal developments. Stay informed about evolving interpretations of the CCPA and related privacy laws to ensure ongoing compliance and mitigate potential litigation risks.

While this case does not establish a final ruling on the merits, it reflects a judicial willingness to entertain broader interpretations of what constitutes a data breach or unauthorized disclosure under state and federal privacy laws. The decision could encourage plaintiffs to frame privacy violations through the lens of passive data collection technologies, rather than requiring evidence of malicious hacking or theft.

This shift comes amid increased regulatory scrutiny of data-sharing practices tied to behavioral advertising, analytics and cross-site tracking. Regulatory bodies, such as the U.S. Federal Trade Commission and state attorneys general, have signaled that lack of transparency around these practices may constitute unfair or deceptive conduct under consumer protection laws. Thus, litigation risk is only one side of the equation; regulatory enforcement may also follow.

As a result, businesses need to think beyond compliance checklists and adopt a more dynamic approach to data governance. This includes routine assessments of tracking tools, updates to cookie banners and consent flows and clear internal policies about data flows across platforms and partners. Legal, compliance and marketing teams should be aligned in reviewing how technology stacks impact user privacy rights under state and federal law.

Jennifer Dickey, AIGP, CIPP/E, CIPP/US, CIPM, CIPT, FIP, is an attorney at Dykema.