The CCPA (the California Consumer Privacy Act) provides a limited civil cause of action for any "consumer whose nonencrypted and nonredacted personal information...is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security practices."
Under the Act, "[a] third party shall not sell or share personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out."
In Shah v. Capital One Financial Corp., a California federal court took an expansive view of the Act's limited private right of action. United States District Judge Trina L. Thompson allowed a CCPA claim to move forward beyond the motion to dismiss stage based upon the plaintiffs’ assertions that a business intentionally disclosed personal information to third parties with its web tracking tools, even though there was no evidence of a traditional data breach.
Background
Capital One is a financial institution that provides financial services across the U.S. and internationally. To provide its services, the company used a website that let customers access their account, financial services, and apply for financial products like credit cards. The plaintiffs alleged that the website contained "invisible third party online tracking technologies" that "instantaneously and surreptitiously duplicated communications with that webpage and sent them to a third party." These communications included the following information about the plaintiffs and the class members:
- Employment information;
- Bank account information;
- Citizenship and dual citizenship status;
- Credit card preapproval and eligibility;
- Credit card approval and eligibility;
- Existing user, or customer, status;
- Browsing activities, including viewed pages and content;
- Credit card application status; and
- Other information collected through an internet "cookie."
Capital One used this information for third and fourth parties' marketing and sales. These trackers on Capital One's website came from Google, Microsoft, DoubleClick, and other third parties. Facebook, for instance, tracked users and the type of actions they took on Capital One's website and used this information to "find new customers, drive sales, and understand ad impact." When a customer used Capital One's website, Facebook would get an event informing it about the user's activity. Capital One's website transmitted to Facebook the specific page viewed by the customer, the customer's IP address, cookies, and personal and financial information. Similarly, Google trackers allowed Capital One to track and share with Google the following:
- Who used Capital One's website;
- What was performed on the website;
- When users visited the website;
- Where on the website users performed these actions; and
- How users navigated through the website to perform these actions.
The plaintiffs alleged that they used Capital One’s website and then received targeted marketing ads from third-party websites. For instance, Mr. Shah claimed that he had a checking account with Capital One and then applied for and was approved for a credit card. After this, he started to get advertisements for NerdWallet and Credit Karma advertising other credit cards on his social media feeds.
Court Denies Capital One’s Motion to Dismiss CCPA Claim
U.S. District Judge Trina L. Thompson explained that while the CCPA "calls for enforcement by the California Attorney General," it allows a private right of action in the event of a security breach. Courts, however, have also allowed CCPA claims to survive a motion to dismiss in cases where the plaintiff doesn’t allege a data breach, but instead where the "defendants disclosed plaintiff's personal information without his consent due to the business's failure to maintain reasonable security practices."
In this case, the plaintiffs alleged that Capital One knowingly collected, used, and sold their personal information to third and fourth parties without their consent. Because they alleged that Capital One allowed third parties to embed trackers, such as Google and Microsoft, on its website and that these trackers transmitted the plaintiffs' personal information, the Court held that they need not allege a data breach. Because the plaintiffs pleaded that Capital One disclosed their personal information without their consent, the plaintiffs sufficiently stated a CCPA claim. As such, Judge Thompson denied Capital One’s motion to dismiss as to the CCPA claim. Shah v. Capital One Financial Corp. (N.D. Cal. 3/3/25).
What Should Businesses Do?
CCPA class actions brought by plaintiffs' attorneys are not going away. Businesses that collect data from California residents need to take robust steps to protect themselves from such cases, including the following:
- Bolstering security. Employ cybersecurity measures to protect the personal data your business possesses. These measures include encryption, access controls, identification of sensitive data, anonymization, multi-factor authentication, regular security reviews, and vulnerability testing.
- Training staff. It’s important to educate your employees on sound privacy practices. In addition, you should foster a positive work environment so employees are encouraged to report suspicious activity. Moreover, train staff on breach response plans.
- Creating privacy governance. Name a privacy officer or a data protection officer for your business and set out their role and responsibilities. Doing so allows you to monitor your data handling practices and create privacy-compliant policies to reduce risks like data breaches. In addition, you should update your company’s privacy policies so that they disclose all third-party tracking.
- Conducting risk assessments and data privacy audits. Regular assessments and audits will help you identify potential vulnerabilities. This includes auditing your website for cookies, pixels, or analytics tools that share personal data. Cookies that track users’ browsing behavior from site to site (like third-party advertising cookies) or cookies that store sensitive information can be a liability. The California Consumer Privacy Act requires only that businesses notify users that the website will be dropping cookies onto their browser and provide users the opportunity to opt out of cookies that track personal information. Tracking pixels, which typically come from third parties, can, like cookies, collect users’ personal information without their knowledge or consent. The CPRA allows consumers to stop businesses from selling or sharing their personal information with third parties.
- Adding more vendor and contract monitoring. A significant vendor risk is entrusting sensitive data to third parties. Employing enhanced software security can dramatically reduce this risk.
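A starting point for the website audit described above is an inventory of every script, image, and iframe the page loads from a host other than your own, with a note of why each one deserves review (a 1x1 pixel, a query string that carries page or user data, or a third-party script that can read page content and cookies). This is an added illustration, not code from the article or from any party to the case; the sample HTML, the first-party domain, and the tracker hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


class ResourceCollector(HTMLParser):
    """Collect every script, img, and iframe source found in a page."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, src, attributes)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resources.append((tag, a["src"], a))


def audit_page(html, first_party):
    """Return third-party resources on the page with the reasons each merits review."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, src, a in collector.resources:
        url = urlsplit(src)
        host = url.netloc.lower()
        # Relative URLs and our own domain are first-party: no disclosure to a third party.
        if not host or host == first_party or host.endswith("." + first_party):
            continue
        reasons = []
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            reasons.append("1x1 tracking pixel")
        params = parse_qs(url.query)
        if params:
            # Query parameters are the channel through which a pixel reports page and user data.
            reasons.append("sends query data: " + ", ".join(sorted(params)))
        if tag == "script":
            reasons.append("third-party script can read page content and cookies")
        findings.append({"tag": tag, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one first-party script, one third-party analytics script,
# one third-party pixel that reports the page viewed, and one first-party logo image.
SAMPLE_HTML = """
<html><body>
<script src="https://www.example-bank.test/app.js"></script>
<script src="https://analytics.tracker.test/tag.js"></script>
<img src="https://pixel.adnet.test/tr?ev=PageView&page=%2Fcredit-card%2Fapproved" width="1" height="1">
<img src="/images/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, "www.example-bank.test"):
        print(finding["tag"], finding["host"], "; ".join(finding["reasons"]))
```

Run against your real pages, the output is the list of third-party disclosures that your privacy policy and opt-out mechanism must cover.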
Takeaway
CCPA class actions are not going away. Businesses need to make sure they have adopted robust compliance standards. Reach out if we can help.