

CCPA Class Actions Without a Data Breach; Courts Signal a New Litigation Frontier.

Two recent decisions from the Northern District of California—Shah v. Capital One Financial Corp., No. 24-cv-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025), and M.G. v. Therapymatch, Inc., No. 23-cv-04422-AMO, 2024 WL 4219992 (N.D. Cal. Sept. 16, 2024)—signal a potentially significant expansion of the private right of action under the California Consumer Privacy Act (CCPA).

Traditionally, CCPA private claims have been tied to a “breach of security,” which the statute defines as unauthorized access and exfiltration, theft, or disclosure of personal information resulting from the business’s failure to implement reasonable security measures. But these two cases suggest that unauthorized disclosures via tracking technologies—without a hack or cyber incident—may also give rise to liability.

Shah v. Capital One Financial Corp.

In Shah, the plaintiffs alleged that Capital One shared their personal information with third-party analytics and advertising companies (e.g., Meta and Google) via tracking pixels and other embedded technologies without proper consumer notice or consent. The court denied Capital One’s motion to dismiss as to Plaintiff's CCPA claim, holding that a plausible CCPA violation had been alleged despite the absence of a traditional data breach.

The court found that disclosure of personal information through embedded third-party tools could potentially satisfy the CCPA’s private right of action if such sharing occurred without authorization and proper safeguards.

M.G. v. Therapymatch, Inc.

Similarly, in M.G., plaintiffs claimed that the defendant—a mental health matching platform—disclosed sensitive personal and health-related data to third-party advertising platforms through cookies, pixels, and other tracking technologies.

The defendant moved to dismiss, arguing there was no breach of security within the meaning of the statute. However, the court allowed the CCPA claim to proceed, holding that the unauthorized disclosure of sensitive data via third-party tracking tools could fall within the CCPA’s scope, especially where the data handling practices were not clearly disclosed.

Implications: A Broader Path to CCPA Liability

These rulings depart from earlier interpretations that limited CCPA litigation to claims involving hacks, leaks, or cybersecurity failures. Instead, they endorse the theory that businesses may be held liable under the CCPA’s private right of action for routine sharing of personal information with third parties, provided that such sharing lacks proper notice, consent, consumer control, or safeguards.

This interpretation could expose businesses to statutory damages of $100–$750 per consumer, per incident, even where no malicious actor was involved.

Risk Mitigation Strategies:

To reduce litigation risk in light of these rulings, businesses should:

  • Audit website and mobile tracking technologies to assess what personal data is collected and shared.
  • Update privacy notices to clearly identify all categories of third parties receiving personal information.
  • Implement consent management tools that allow users to opt in or out of data collection and sharing.
  • Train marketing, IT, and legal teams on the evolving privacy risk landscape.
  • Monitor pending CCPA litigation to assess trends in judicial interpretation of “unauthorized disclosure.”

While no appellate decision has yet resolved whether a breach of security is strictly necessary under the CCPA’s private right of action, Shah and M.G. suggest that courts are increasingly willing to treat undisclosed adtech practices as potential violations. 

Businesses relying on third-party cookies, tracking pixels, or analytics platforms—particularly those operating in sensitive sectors like health, finance, or education—should take note.
