
The Next Battlefront: the CCPA and evolution of website pixel litigation


A trio of federal court decisions has emboldened the plaintiffs' bar with a new potential tool to wield in the ongoing wave of litigation targeting businesses for their use of routine website technologies: the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”). See M.G. v. Therapymatch, Inc., 2024 WL 4219992 (N.D. Cal. Sept. 16, 2024); In re BetterHelp, Inc. Data Disclosures Cases (“In re BetterHelp”), 2024 WL 3416511 (N.D. Cal. July 15, 2024); Shah v. Capital One Financial Corp., 2025 WL 714252 (N.D. Cal. Mar. 3, 2025). In each case, the court adopted an expansive reading of the CCPA's private right of action, allowing claims to survive dismissal based on allegations that a business disclosed personal information to third-party technology providers without consumer consent.

As plaintiffs continue to test novel theories in privacy litigation, this line of cases threatens to expand the CCPA’s limited private right of action far beyond its widely understood scope: data breach litigation.

The web tracking litigation landscape

In recent years, organizations across industries have faced a wave of putative class actions challenging their use of third-party cookies, pixels, web beacons, and similar online tools to support everyday business functions — such as analyzing web traffic, monitoring site performance, and personalizing advertisements. Plaintiffs’ claims vary based on the defendant’s industry sector, the specific technologies used, and the types of data those technologies are configured to collect and share. But broadly speaking, these claims often rest on a common theory of liability: that website operators use these technologies to send information about users’ online interactions (e.g., IP addresses, pages viewed, form submissions) to third parties without consent, and that those third parties purportedly exploit this information for profiling, targeted advertising, or other commercial purposes.

These lawsuits typically assert a range of claims, from conventional common law causes of action — such as negligence or invasion of privacy — to statutory claims, including those that carry significant per-violation statutory damages. For instance, plaintiffs frequently invoke decades-old state and federal wiretapping laws — such as the federal Wiretap Act, 18 U.S.C. § 2520(c) (up to US $10,000 per violation), and the California Invasion of Privacy Act, Cal. Penal Code § 637.2(a) (up to US $5,000 per violation) — and have also invoked more obscure statutes, such as Arizona’s Telephone, Utility and Communication Service Records Act, A.R.S. § 44-1376.04 (up to US $1,000 per violation).

Some of these claims, however, have begun to falter as cases proceed through discovery and class certification. See Torres v. Prudential Financial, Inc., 2025 WL 1135088 (N.D. Cal. Apr. 17, 2025). At the same time, California lawmakers are considering Senate Bill 690, which would amend CIPA to expressly exempt the processing of personal information for a “commercial business purpose” consistent with the CCPA. If enacted, S.B. 690 would significantly limit plaintiffs’ ability to prevail on CIPA claims targeting routine website practices. Against this backdrop, it is unsurprising that the plaintiffs’ bar has set its sights on other claims, such as the CCPA, that could offer another path forward.

The CCPA’s limited private right of action

The CCPA is a comprehensive state privacy law that grants California residents broad privacy rights and imposes related obligations on covered businesses. When first proposed as a ballot measure in 2018, the CCPA would have created a broad private right of action, permitting California consumers to bring civil actions for any violation of the Act. The ballot measure also specified that any violation of the CCPA would “constitute an injury in fact.” To avoid the uncertainty of a ballot vote, California’s legislature introduced AB-375, which narrowed certain aspects of the proposal in exchange for withdrawal of the ballot initiative. AB-375 intentionally removed the “injury in fact” language and limited the private right of action to a single section: “Personal Information Security Breaches.” Cal. Civ. Code § 1798.150(a).

As enacted, the CCPA’s private right of action is limited to “consumer[s] whose nonencrypted and nonredacted personal information [as defined under Cal. Civ. Code § 1798.81.5(A)(1)(d)] … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices[.]” Cal. Civ. Code § 1798.150(a) (emphasis added).1

While the CCPA broadly defines “personal information” to include any information that is linked or reasonably linkable to a consumer or household, the private right of action relies on a much narrower definition under the California Consumer Records Act, Cal. Civ. Code § 1798.81.5(A)(1)(d). For purposes of the private right of action, “personal information” is limited to:

  1. A first name or initial and last name, in combination with a Social Security Number; driver’s license or other government-issued identification number; financial account number with an access code; medical history, treatment, or diagnosis by a healthcare professional; biometric data used to authenticate a specific individual; genetic data; or
  2. A username or email address, in combination with a password or security question and answer that would permit access to an online account.

See Cal. Civ. Code § 1798.81.5(A)(1)(d).

The legislature elected to vest the California Attorney General, and later the California Consumer Privacy Protection Agency (“CPPA”)2, with exclusive authority to enforce all other provisions of the CCPA.

On August 22, 2018, shortly after the enactment of AB-375, then-California Attorney General Xavier Becerra wrote a letter to the legislature, asking it to expand the private right of action to cover a broader array of the CCPA’s obligations, noting that as currently enacted, “the Act includes a provision that gives consumers a limited right to sue if they become a victim of a data breach.”3 Yet, the legislature declined to do so. This legislative history supports what was, until recently, the common understanding that the CCPA’s private right of action was circumscribed to alleged data breaches.

Expanding the scope of the CCPA

At least three courts have accepted the plaintiffs’ bar’s different formulation of the CCPA private right of action, pushing it beyond its widely understood scope. For instance, in M.G. v. Therapymatch, Inc., the plaintiff asserted a CCPA claim against the defendant for its alleged use of an analytics tool on its online platform, which purportedly caused plaintiff’s web browser to transmit plaintiff’s browsing information to the third-party technology provider. 2024 WL 4219992, at *1. Although the defendant argued that “courts only recognize private rights of action under the CCPA in the data breach context,” the district court disagreed solely because courts “have let CCPA claims survive a motion to dismiss where a plaintiff alleges that defendants disclosed plaintiff’s personal information without his consent due to the business’s failure to maintain reasonable security practices.” Id. at *7.4

Other courts have given the issue similarly short shrift. The court permitted a CCPA claim to proceed in In re BetterHelp, Inc. after finding that plaintiff’s information was disclosed “because BetterHelp affirmatively allowed the tracking software on its websites—which can reasonably be argued was not an appropriate security procedure or practice, given the nature of the information.” 2024 WL 3416511, at *5. The Shah court reached the same outcome “[b]ecause Plaintiffs plead that Defendant disclosed their personal information without their consent.” 2025 WL 714252, at *8.

Even so, there are at least four reasons to think other courts may disagree with this interpretation.

  • First, M.G., In re BetterHelp, and Shah each ignored that it is not enough that a plaintiff’s “personal information” was allegedly “disclosed” to state a claim under the CCPA. The statute’s plain text requires allegations showing this information is subject to “unauthorized access and exfiltration, theft or disclosure.” Cal. Civ. Code § 1798.150(a)(1) (emphasis added). In other words, the disclosure of a plaintiff’s information is not itself actionable under the CCPA unless it is accompanied by allegations showing that the information was accessed by an unauthorized actor.
  • Second, these courts did not consider whether the information at issue in these suits would qualify as “personal information” under the CCPA’s limited private right of action, which narrowly includes information such as an individual’s first and last name combined with their social security number or driver’s license number. See Cal. Civ. Code § 1798.81.5(d). Information about a user’s online interactions on a public website, in contrast, does not readily fall into any of those discrete categories.
  • Third, broadening the term “reasonable security measure” to encompass an organization’s use of website technologies would contravene the careful structure established by the California legislature. The CCPA includes complex regulations that govern the methods through which organizations can sell, share, and use consumer information, see Cal. Civ. Code § 1798.135, violations of which are enforceable only by the California Attorney General and the CPPA, see Cal. Civ. Code § 1798.199.90, not private actors. Permitting CCPA claims to nonetheless proceed would elide the legislature’s careful delineation between public and private enforcement set forth in the statute.
  • Fourth, this interpretation ignores the fact that the CCPA contemplates and permits businesses to use web tracking technologies as long as the business complies with the CCPA’s requirements — generally based on an opt-out, rather than opt-in regime.

Next steps

While there are strong arguments against plaintiffs’ expansive interpretation of the CCPA’s private right of action, businesses are well-advised to proactively mitigate the risk of website privacy claims more generally. Key actions include:

  • Maintain a complete inventory of website technologies. Review technologies deployed across online properties that can collect or transmit user data. Analyze the specific types of data collected, which third parties receive that data, and the business purposes for which the technology is used.
  • Review technology configurations. Confirm that each technology collects only the types of data reasonably necessary to achieve intended business purposes. Disable data collection configurations that are not in use and review business needs.
  • Enhance privacy notice disclosures. Review and update privacy notices to include clear descriptions of the website technologies in use, the specific types of data that may be collected, the categories of third parties that may collect or receive that data, and the purposes for which the business and its vendors may collect and use that data. Confirm that privacy notices comply with CCPA notice requirements.
  • Implement “just-in-time” disclosures. Consider deploying a consent banner that at least informs users that the site uses certain technologies in accordance with the privacy notice. To further strengthen consent arguments, obtain user acknowledgement of the privacy notice in account creation and sign-in flows.
  • Comply with CCPA opt-out requirements. Assess whether any technologies in use trigger CCPA “sales” or “sharing” opt-out rights, or the CCPA’s sensitive data limitation rights. Confirm that all required opt-out mechanisms are available to consumers and that clear procedures are in place to process consumer requests.
  • Review and update vendor contractual terms. Confirm that required contractual terms are in place with website technology vendors. Check that contracts include required provisions, including data use limitations, security obligations, and requirements for honoring consumer rights requests.

 

 

Authored by Adam Cooke, Vassi Iliadis, Jay Ettinger, Aidan Coleman, and Alaa Salaheldin.

References

  1. Consumers who brought successful claims under this provision could recover statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater. Cal. Civ. Code § 1798.150(a)(1)(A).
  2. The CPPA was created in 2020 through the passing of the California Privacy Rights Act, which expanded the CCPA’s protections and created the CPPA.
  3. Letter from Cal. Att'y Gen. Xavier Becerra to Cal. Leg. (Aug. 22, 2018), available at https://digitalcommons.law.scu.edu/cgi/viewcontent.cgi?article=2801&context=historical.
  4. In support, the M.G. Court cited Ramos v. Wells Fargo Bank, N.A., in which the plaintiff alleged that some unknown third party used his credential to access his bank account and withdraw funds, see 2023 WL 5310540, at *1 (S.D. Cal. Aug. 17, 2023), and Stasi v. Inmediata Health Group Corp., in which a billing and health record software provider experienced a “large data breach,” caused by a security patch wherein a “webpage setting . . . permitted search engines to index webpages [the defendant] used for business operations.” 501 F. Supp. 3d 898, 905 (S.D. Cal. 2020). Both cases involved allegations that a deficiency in the defendant’s security resulted in the unauthorized access to the defendant’s environment and the resulting disclosure of the plaintiff’s information—in other words, an alleged data breach.
