At a recent privacy event for Chief Privacy Officers in Los Angeles California, it wasn’t the relatively non existent CCPA (California Consumer Privacy Act) enforcement that stirred concern. Instead, discussions heated up around private right of action letters, especially under CIPA (California Invasion of Privacy Act) and VPPA (Video Privacy Protection Act). Adding to the unease was an emerging risk: plaintiffs’ attorneys are beginning to target the private right of action rights under CCPA, initially meant for data breaches, towards cases of excessive data collection by digital tracking technologies (DTTs).   

No case better represents this emerging risk than Shah v Capital One Financial Corporation.  In March 2025, a federal court in the Northern District of California sent a jolt through the privacy world when the claim was permitted to move forward without a traditional “data breach,” based on allegations that DTTs (think Meta Pixel, Google Analytics, and similar tags) disclosed users’ personal information to third parties. The court denied Capital One’s motion to dismiss on the CCPA private right of action, signaling a potentially broader path for consumers—and a bigger risk surface for businesses.  

According to CCPA, 

“Any consumer whose nonencrypted or nonredacted personal information. . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information. . . “ 

Many courts read this as breach-only (see McCoy v Alphabet N.D Cal. 2021). Shah suggests a different lens: unauthorized disclosure via embedded tracking technologies can plausibly fall within “failure to implement reasonable security procedures” even when there’s no outside hacker. While this wasn’t the first time courts hinted at breach rights to include unauthorized disclosure (see Stasi v. Inmediata S.D. Cal. 2020), Shah introduces a case with data leakage but without a clear security incident.  At the pleading stage, that was enough to keep the CCPA claim alive.  

• Did: Let the CCPA PRA claim proceed past the motion-to-dismiss stage based on alleged disclosures through pixels/cookies. It also let some related California Invasion of Privacy Act (CIPA) theories proceed, framing certain tracking as potential “pen register/trap-and-trace”-like activity. 
• Didn’t: Decide the merits. This is an early procedural ruling—not a final liability finding. Evidence, class certification, and potential appeals all lie ahead.  

Here’s how Shah could reshape the privacy landscape: 

1. Beyond classic breaches. If a site’s trackers route user information (e.g., URLs visited, form inputs, account or financial data) to ad/analytics vendors without adequate notice, consent, or safeguards, that may support a CCPA PRA theory. 
2. More leverage in litigation. Because courts sometimes treat pixel-based sharing as “unauthorized disclosure,” plaintiffs can potentially seek statutory damages ($100–$750 per consumer per incident) or actual damages, alongside injunctive relief. (Damages availability still depends on proof and how courts continue to read the statute.) 
3. CIPA hooks. Separate from the CCPA, some tracking setups might be framed as intercepting communications “in transit,” adding another cause of action with its own remedies and penalties. 

Important caveat: Shah is one district court decision at the pleading stage. Other courts may disagree or cabin its reach, and the case could evolve on appeal or summary judgment. There is a history of cases similarly wrestling with the scope of CCPA’s private right of action:

Together, these cases illustrate the tug-of-war: some courts are expanding the PRA beyond breaches, while others reaffirm its narrow scope.  One should view the Shah decision as momentum towards broadening the risk of private right of action with a lot of work ahead before further clarification will be reached. 

That having been said, this case set a precedent that materially increased risk for “ordinary” pixels and SDKs. Even if an organization has never suffered a breach, Shah highlights five pressure points:

1. Pixels can equal “disclosure.” If the tags send identifiers, page paths, or sensitive inputs (e.g., search queries, account details, health/finance hints) to third parties, plaintiffs may argue a failure to use “reasonable security” to prevent exfiltration—without a malicious actor.  
2. Policies vs. practice. Mismatches between privacy notices and actual data flows become litigation magnets. Plaintiffs in Shah pointed to policy language they say didn’t authorize the sharing at issue.
3. Vendor sprawl. The more digital tracking technologies used, the more potential “disclosures”—and the harder it is to prove minimization, necessity, and contractual controls.
4. CIPA exposure alongside CCPA. Plaintiffs may stack wiretap-style claims on top of CCPA counts when trackers capture session content, keystrokes, or headers in transit.
5. Class action gravity. Shah is already being cited by plaintiff and defense firms alike as a roadmap case for pixel lawsuits, particularly in California. Expect more filings, bigger classes, and earlier settlement pressure.  

• Appeals and sister cases. Expect other courts to either follow or distinguish Shah. A split could invite California appellate attention or legislative clarification. 
• Agency posture. The California Privacy Protection Agency (CPPA) has prioritized dark patterns, sensitive data, and adtech signals; Shah’s framing aligns with that emphasis even though this case is private litigation, not enforcement. Track rulemakings and enforcement summaries. (Inference based on agency priorities reported in practitioner analyses.) 
• Contracting patterns. Look for vendors rolling out “service-provider mode,” proxying, and field-level hashing/redaction by default as a selling point to reduce CCPA/CIPA exposure.  

For businesses, the message is clear: treat pixel governance as security, not merely “marketing ops.” Lock down trackers in sensitive contexts, align notices with reality, upgrade vendor contracts, and be ready to prove your “reasonable security” story.

Links archived on September 23, 2025

FindLaw, “Shah v. Capital One Financial Corp., Case No. 24cv05985TLT” (March 3, 2025).

CourtListener, “Shah v. Capital One Financial Corporation (3:24-cv-05985, N.D. Cal.)” (August 29, 2025).

Debevoise Data Blog, “Stasi v. Inmediata Health Group Corp., Complaint, No. 3:19-cv-02353-JM-LL (S.D. Cal., filed May 19, 2020)” (June 2, 2021).

Skadden, “District Court Rulings Could Signal Expansion of California Consumer Privacy Right of Action” (April 16. 2025).

Baker Donelson, “Recent CCPA Decision Portends Potential Expansion of Class Action Liability Exposure for Cookies, Pixels, and Tracking Technologies” (May 02, 2025).

Parker Poe, “Court Expands Scope of Private Actions Under CCPA to Include Pixel Tracking Practices” (April 19, 2025).

JD Supra, “CCPA Class Actions Without a Data Breach; Courts Signal a New Litigation Frontier” (May 1, 2025). 

Association of Corporate Counsel, “Recent California Invasion of Privacy Act Cases on Pen Registers and Trap-and-Trace Devices” (March 31, 2025). 

Office of the Attorney General, “Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act” (August 24, 2022). 

Office of the Attorney General, “Attorney General Bonta Announces Settlement with DoorDash, Investigation Finds Company Violated Multiple Consumer Privacy Laws” (February 21, 2024).