On March 3, 2025, the U.S. District Court for the Northern District of California issued a significant ruling that has the potential to broaden the risk of liability under the California Consumer Privacy Act (CCPA). In Shah v. Capital One Financial Corp., Judge Trina L. Thompson allowed claims involving the unauthorized disclosure of personal information via tracking pixels to proceed, despite the absence of a traditional data breach. This decision has substantial implications for businesses using third-party analytics and advertising technologies on their websites. The ruling raises new strategic considerations for businesses, including around carefully drafted vendor agreements that mitigate legal and regulatory risks.

Court Decision Expands CCPA Exposure

The court held that Capital One’s deliberate disclosure of customer personal information to third-party vendors through analytics pixels plausibly constitutes an "unauthorized disclosure" under Section 1798.150 of the CCPA. While plaintiffs have made similar claims under the California Invasion of Privacy Act (CIPA) with mixed results, courts had generally limited private actions under Section 1798.150 of the CCPA to data breach scenarios involving inadequate security measures (see Gardiner v. Walmart Inc. and Flores-Mendez v. Zoosk Inc. from the Northern District of California). 

The Capital One ruling builds upon a couple more recent decisions such as M.G. v. Therapymatch Inc., also from the Northern District of California, and has the potential to breathe new life into pixel-tracking litigation, expand potential litigation exposure, and provide statutory damage risks of between $100 and $750 per consumer per incident.  

The March 3 ruling in California has several implications for businesses, including:

• Broadened Liability: Businesses face increased exposure to statutory damages from routine online tracking practices, even absent a traditional breach.
   
• Heightened Scrutiny on Privacy Notices: The ruling underscored inconsistencies between Capital One’s privacy disclosures and the actual data shared. Companies must ensure privacy policies accurately describe specific categories of information disclosed to third parties.
   
• Forum Uncertainty: While the trend is shifting towards a more expansive reading of Section 1798.150, the split amongst California courts creates unpredictability for businesses operating statewide or nationally, as identical practices may yield different legal outcomes.

Cookie Banners and Policies 

Unlike the European Union’s 2002  ePrivacy Directive, otherwise known as the Cookie Law, which requires consent for non-essential data stored on the user’s device, the CCPA requires businesses to allow users to opt-out of the sharing/selling of their personal information. The Capital One decision creates a strong incentive for businesses to proactively provide a cookie banner and an associated cookie policy to demonstrate the user consented to the sharing of their personal data via cookies and pixels with the service providers and third parties listed in the cookie policy. 

While it is still too early to predict whether the plaintiff will be successful on the merits of the CCPA claim that the sharing of their personal information was an unauthorized disclosure, a cookie banner and accompanying cookie policy may have preempted the plaintiff’s ability to make this claim altogether or allowed the judge to grant the motion to dismiss. Therefore, businesses should evaluate how a cookie banner and cookie policy can help mitigate their legal risk. 

Recommended Actions for Businesses 

• Cookie Banner Review:
  • Review cookie banner language to ensure disclosures do not misrepresent data sharing with cookie providers. 
     
  • Deploy consent management platforms requiring affirmative user consent for non-essential data sharing.
     
  • Maintain clear documentation of consent to mitigate litigation risks.
     
• Conduct Comprehensive Tracking Tool Audits:
  • Identify all third-party tracking tools (pixels, tags, APIs) and document all categories of personal information shared.
     
  • Ensure alignment between actual data sharing practices and disclosures provided in privacy notices and cookie banners.
     
• Enhance Transparency in Privacy Disclosures:
  • Clearly articulate the nature of personal information disclosed to third-party vendors, specifying the explicit purposes and categories.
     
  • Avoid overly broad or generic privacy statements.
     
• Reevaluate Vendor Agreements:
  • Confirm that vendor contracts impose explicit limitations consistent with "service provider" designations under the CCPA.
     
  • Implement routine audits to ensure ongoing compliance by third-party vendors.
     
• Consider Class Action Waiver and Arbitration Provisions:
  • Review and strengthen online terms and arbitration clauses to ensure enforceability in light of potential CCPA class wide litigation attempts.

Strategic Considerations

The Shah decision indicates a potential shift in judicial interpretation favoring plaintiffs in pixel-tracking litigation, signaling that courts may increasingly recognize routine disclosures as actionable unauthorized disclosures under the CCPA. Last month’s court ruling aligns closely with California regulators' increasing focus on privacy practices surrounding digital advertising technologies.

Companies can anticipate an uptick litigation activity around online tracking and should proactively adjust compliance strategies. Robust transparency, precise disclosures, carefully drafted vendor agreements, and effective consent mechanisms will be critical components in mitigating legal and regulatory risks.

For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.