LawSnap

Privacy

District Court’s Ruling Could Signal New Wave of CCPA Litigation

Published April 10, 2026

Source JD Supra open_in_new

Score

9

Why it matters

A U.S. District Court issued rulings in Shah v. Capital One Financial Corp. and a Therapymatch case, denying motions to dismiss CCPA claims and broadly interpreting the private right of action under Cal. Civ. Code §1798.150 to cover unauthorized disclosure of personal information via website tracking tools (e.g., cookies, pixels) to third parties like Google, Facebook/Meta, and Microsoft, without requiring a traditional data breach.[1][11][12]

Involved parties include plaintiffs alleging nonconsensual data collection/sharing, defendants Capital One Financial Corp. and Therapymatch (seeking class actions), and referenced prior cases like M.G. and John Doe (expanding to opt-out violations); the CCPA (enacted 2018, effective 2020) and its CPRA amendment (2023, adding email/password breaches) provide the statutory basis.[1][2][11]

Initially, CCPA's private right of action (tied to §1798.81.5 security duties) was limited to data breaches involving nonencrypted/nonredacted personal info, with courts like Judge Carter (2022) and others dismissing non-breach claims (e.g., notice violations).[3][6][10] Recent rulings diverge, citing CCPA's broad "personal information" definition (§1798.140(v)) and consumer autonomy purpose, allowing claims for tracking-based "unauthorized access/exfiltration/disclosure."[1][11][12] Timeline: CCPA lawsuits surged post-2020; splits emerged 2021-2022; these 2026 decisions (published April 10) signal expansion.[1][10]

Newsworthy now as these rulings could unleash widespread litigation against tracking practices, diverging from breach-only precedent and raising business risks amid 2026 enforcement uptick (e.g., Ford fine), per Ballard Spahr analysis.[1][6][11]

Sources

[1] https://captaincompliance.com/education/district-court-rulings-reshape-privacy-law-in-california-and-beyond/

[2] https://www.iubenda.com/en/blog/ccpa-private-right-of-action/

[3] https://perkinscoie.com/sites/default/files/2024-11/California%20Consumer%20Privacy%20Act%20Litigation%202022%20Year%20in%20Review.pdf

[4] https://www.termsfeed.com/blog/ccpa-private-right-action/

[5] https://cdn.ca9.uscourts.gov/datastore/opinions/2025/10/10/25-2808.pdf

[6] https://www.truevault.com/learn/does-the-ccpa-have-a-private-right-of-action

[7] https://frblaw.com/ninth-circuit-partially-blocks-california-child-privacy-law/

[8] https://www.cookieyes.com/blog/ccpa-private-right-of-action/

[9] https://cppa.ca.gov/announcements/2024/20240209.html

[10] https://www.troutman.com/insights/the-murky-waters-of-the-ccpas-private-right-of-action-real-and-perceived-ambiguities-complicating-litigation/

[11] https://www.skadden.com/insights/publications/2025/04/district-court-rulings-could-signal-expansion

[12] https://www.passwordprotectedlaw.com/2025/05/broad-interpretation-of-ccpas-private-right-of-action-increases-business-risk-to-tracking-technologies-lawsuits/

[13] https://pep.gmu.edu/wp-content/uploads/sites/28/2022/02/CCPA-Report-2022.pdf

[14] https://www.clarip.com/data-privacy/ccpa-data-breach-lawsuit/

[15] https://ktslaw.com/en/insights/alert/2026/2/plaintiffs%20are%20quietly%20creating%20a%20private%20right%20of%20action%20under%20the%20ccpa

mail

Get notified about new Privacy developments

Primary sources. No fluff. Straight to your inbox.

Related

View all Privacy

See more entries tagged Privacy.

Also on LawSnap

Court Rules

Legal Intelligence

Specialized Trackers

Analysis