Consumer Privacy Class Action

State of play.

• Pixel-based and tracking-tool privacy litigation is fragmenting across circuits and statutes. The Second Circuit has reinforced its "ordinary person" test to dismiss VPPA pixel claims against NBCUniversal, district courts in California are expanding CCPA's private right of action to cover tracking disclosures without a traditional breach, and the Third Circuit is redirecting state wiretap claims back to state courts for lack of Article III standing .
• DPPA standing doctrine is tightening in federal court. The Southern District of Florida dismissed Cicale v. Professional Parking Management Corporation with prejudice—finding that receiving a collections notice and paying a legitimate debt does not constitute concrete injury—while parallel DPPA cases involving Carfax's crash-report data in Maryland continue surviving dismissal, confirming that standing, not the merits, is now the dispositive battleground .
• Biometric and wearable health data exposure is accelerating across the fashion, beauty, and wearable tech sectors, with virtual try-on tools, wearable health monitors, and cookie-based tracking practices now drawing simultaneous CIPA class action filings and state AG scrutiny under a reshaped 2026 multi-state privacy regime (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• Virginia is poised to end its 175-year ban on state-court class actions, with legislation effective January 1, 2027 eliminating the consumer reliance requirement under the VCPA and opening a new state-court forum for statutory damages claims against consumer-facing businesses .
• For counsel advising companies with consumer-facing digital products, subscription services, data collection operations, or edtech vendor relationships, the practical baseline is simultaneous exposure across five vectors—state privacy enforcement, federal ROSCA/FTC Act claims, a circuit-dependent tracking-claim pleading landscape, a newly activated Virginia state-court forum opening in 2027, and a rapidly escalating breach-litigation environment where vendor access controls and API security are now pleading targets.

Where things stand.

• VPPA pixel litigation has a firm circuit split. The Second Circuit applies an "ordinary person" test that has dismissed multiple pixel-based VPPA claims including the NBCUniversal action; the First Circuit has taken different approaches, making venue selection material for both plaintiffs and defendants .
• CCPA's private right of action is expanding beyond breach. District court rulings in Shah v. Capital One and a Therapymatch case have allowed CCPA claims to proceed based on unauthorized disclosure through tracking tools to third parties—no traditional breach required—departing sharply from earlier precedent .
• Article III standing doctrine is actively sorting tracking claims by data sensitivity. Courts allow pixel-tracking claims to survive when sensitive health data is exposed, while dismissing claims based on routine behavioral data without sensitive information attached; the DPPA standing dismissal in Cicale reinforces that tangible injury beyond data misuse is required across privacy statutes .
• Cookie banner compliance has become an independent litigation vector. CIPA claims targeting non-functional "Reject All" buttons and dark-pattern consent interfaces are proliferating; Honda and HelloFresh have already resolved enforcement actions, and over 1,000 CIPA suits were filed in 2025 alone .
• ROSCA enforcement against subscription dark patterns is active and expanding. The FTC's Uber case survived dismissal on the core theory that pre-stored payment credentials cannot substitute for fresh affirmative consent before subscription enrollment; 21 state AGs are co-plaintiffs .
• Junk fee class actions and mass arbitrations are accelerating. The FTC's Rule on Unfair or Deceptive Fees is in force for live-event tickets and short-term lodging; California's SB 478 adds per-violation penalties; plaintiffs' firms are bypassing class-action waivers through coordinated mass arbitrations .
• California CPPA is enforcing opt-out fragmentation. The agency's 2026 enforcement actions target businesses that honor opt-outs in some contexts but not others—fragmented compliance is itself the violation .
• State AG enforcement is active across consumer protection vectors. Coordinated multi-state actions target deceptive pricing in retail, rental housing junk fees, and financial services; state AGs are co-plaintiffs in the Uber ROSCA action; the Louisiana AG secured a $45 million settlement with CVS Health over deceptive practices .
• The Ninth Circuit's reasonable consumer standard is being refined in both directions. The court dismissed the Brita filter action—price point and qualified language ("reduces") defeated the claim—while reviving the Target thread count action on the theory that literal falsity on an objective specification cannot be defeated by an ambiguity defense the defendant hasn't established .
• State privacy law proliferation continues without federal resolution. Alabama enacted the 21st comprehensive state privacy statute; the SECURE Data Act has been introduced in the House with full state-law preemption but no Democratic support; Indiana, Kentucky, and Rhode Island privacy laws took effect January 1, 2026 .

Latest developments.

• Cicale v. Professional Parking Management Corporation dismissed with prejudice in the Southern District of Florida—court found no concrete injury where plaintiff parked without paying, owed the charge, and ultimately paid; the DPPA merits question (whether license plate reader cross-referencing of DMV data for parking enforcement violates the statute) left unresolved; the Carfax crash-report DPPA case in Maryland continues to survive, confirming a data-commercialization-model distinction .

Active questions and open splits.

• CCPA private right of action scope: breach-only or tracking-disclosure? The Shah and Therapymatch rulings extend CCPA liability to third-party tracking disclosures without a breach—a significant departure from prior precedent that has not yet been tested at the appellate level. Whether the Ninth Circuit endorses this expansion will determine class action exposure for the entire California-facing digital economy .
• VPPA "ordinary person" test: circuit divergence is now actionable. The Second Circuit's NBCUniversal ruling hardens the defendant-favorable standard while other circuits remain more plaintiff-permissive. Defendants in the Second Circuit have strong grounds for dismissal; plaintiffs are likely to forum-shop toward the First Circuit and others .
• DPPA standing: does the data-commercialization model determine survival? Cicale dismissed a parking enforcement DPPA claim for lack of injury while the Carfax crash-report case in Maryland survived—suggesting courts are distinguishing between incidental DMV data use and systematic commercial exploitation. The line between those models is not yet defined by any circuit court .
• Biometric and wearable health data: which regulatory regime governs? Consumer health data from wearables tracking stress, sleep, and menstrual cycles falls outside HIPAA but within state health data statutes in Connecticut and Washington—and potentially within biometric data frameworks in Illinois and other states. The classification question determines consent obligations, breach exposure, and which private right of action applies (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).
• Article III standing for tracking claims: sensitive vs. non-sensitive data. Courts are drawing a line between health-related data disclosures—which can constitute injury-in-fact without financial harm—and routine behavioral data, which cannot. The pleading distinction is now central to survival at the motion to dismiss stage, and the Cicale DPPA dismissal reinforces that paying a legitimate underlying obligation forecloses financial harm theories entirely .
• Federal preemption: will the SECURE Data Act displace state privacy regimes? The bill's preemption language would eliminate the CCPA, Virginia CDPA, and 19 other state frameworks if enacted—but it lacks Democratic support and faces a long history of failed federal privacy efforts. The preemption question is the central advisory issue for multistate compliance programs .
• Canvas breach: what vendor-oversight duties do institutional clients bear? The recompromise of Instructure's systems after initial containment—exploited through Free-for-Teacher API access—raises unresolved questions about whether schools and universities face independent exposure under state privacy laws or their contractual obligations to Canvas users, and what due diligence standard applies to edtech vendor selection and monitoring .

What to watch.

• Whether any circuit court takes up the CCPA tracking-disclosure expansion on appeal, and whether California's CPPA files its own enforcement action on the same theory .
• Whether a circuit court addresses the DPPA data-commercialization split—distinguishing parking enforcement from Carfax-style crash-report sales—and whether that line becomes the organizing principle for future DPPA standing analysis .
• Whether Governor Spanberger signs Virginia's class action legislation and whether early litigation tests the venue restrictions and the broadened VCPA standard before the January 2027 effective date .
• Whether class action filings in the Canvas breach consolidate into MDL proceedings and whether courts treat Instructure's API access controls and Free-for-Teacher account architecture as independent negligence and state privacy law pleading targets .
• SECURE Data Act committee markup and whether preemption language survives or is narrowed in response to Democratic opposition and state AG pushback .
• State AG enforcement actions targeting cookie and pixel-tracking practices in the fashion, beauty, and wearable tech sectors—the first enforcement wave under the 2026 multi-state privacy regime will set the compliance baseline for biometric and health data handling (→ Fashion, Beauty, Wearable Brands Face Stricter 2026 Privacy Rules).