Key point: Two courts in 2026 have allowed CCPA claims to proceed based on adtech use without addressing whether adtech discloses “personal information” under the CCPA.

According to plaintiffs’ interpretation of a May 2026 decision from the Northern District of California, if your company uses Google Analytics, Meta Pixel, or other third-party tracking technology on its website, you may be exposed to not only wiretapping or trap-and-trace claims under the California Invasion of Privacy Act (CIPA) or federal law, but also claims under the California Consumer Privacy Act (CCPA) even if you never experience a data breach.

A May 14 decision from the U.S. District Court for the Northern District of California denied a motion to dismiss a CCPA claim against a mortgage lender and servicer that provides global services via its website, which allows users to explore mortgage-related services, apply for loans, and request callbacks from the defendant. The plaintiff alleged the defendant installed “code-based tracking devices” from several third parties that shared users’ “pre-approval application activities,” including application progress, coborrower status, whether they own real estate, and whether they are applying for a purchase or refinance.

In addition to claims under the Electronic Communications Privacy Act (ECPA), CIPA, the California Comprehensive Computer Data Access and Fraud Act (CDAFA), and several torts, the complaint asserted a claim under the CCPA’s private right of action — a right of action that the legislature expressly noted was limited to data breaches. The May 2026 decision joins a growing line of courts stretching the statute well beyond what its drafters intended. Understanding how these courts got there — and where their reasoning falls short — is essential for any company evaluating its litigation exposure.

Background of CCPA’s Private Right of Action

The CCPA was enacted in 2018 as a compromise. Alastair Mactaggart, the real estate developer who drove the effort, had prepared a sweeping privacy ballot initiative to put before California voters that included a broad private right of action covering essentially all violations of the statute. To head that off, California lawmakers negotiated with Mactaggart and passed the CCPA instead. The tradeoff, as Mactaggart himself later explained, was that the private right of action was narrowed to data breach violations only. Everything else would be left to the California attorney general to enforce.

The result is § 1798.150(a)(1), which allows a consumer to sue when their “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” Statutory damages run from $100 to $750 per consumer per incident. That word — disclosure — is what plaintiffs’ attorneys have been targeting.

The statute also limits who can sue: only consumers whose “personal information” was exposed, defined narrowly as a name combined with a Social Security number, driver’s license number, financial account number with access credentials, medical information, health insurance information, biometric data, or genetic data. The data website trackers collect, such as browsing history, page visit data, IP addresses, and application status indicators, are not on that list.

Recent Court Decisions Expanding the Private Right of Action

Courts have not honored that intent. A handful of decisions over the past several years have allowed CCPA private claims to proceed even without an underlying data breach, each building on the last. The May 2026 decision is the most recent. We examine what these courts did — and what they missed.

The May 2026 decision is notable for what it did not address. The defendant argued that the CCPA’s private right of action only applies to traditional data breaches where a hacker or unauthorized third party breaks in and steals information. The court rejected that argument on the plain language of the statute, finding nothing in § 1798.150(a)(1) that limits its reach to third-party security breaches. The court concluded the statute covers unauthorized disclosure of information “regardless of whether the disclosure was intentional or merely negligent, and regardless of whether the disclosure was made by a third party or agents of the defendant.” In doing so, it relied on two earlier decisions from courts in the Northern District of California — one against a financial institution and another against an online mental health company — which in turn traced back to a 2020 decision from a Southern District of California court involving a healthcare company. What neither the May 2026 decision nor any of the cited authority addressed is whether the information allegedly captured by the trackers constitutes “personal information” as the CCPA defines it. That question remains open, and as discussed below, it may be the most important one for companies defending these claims.

A Closer Look at the Cases

Prior to the May 2026 decision, another judge in the Northern District of California also allowed a CCPA claim to proceed past the pleading stage. There, the plaintiffs alleged they discovered their bank was using third-party trackers from AdTech vendors on the bank’s website after the plaintiffs began receiving targeted ads for competing financial products on their Facebook feeds shortly after using the bank’s site to apply for or manage credit cards.

The court let the CCPA claim survive with minimal analysis. It cited an earlier decision holding that a company’s failure to prevent trackers from transmitting user information to third parties without consent is sufficient. The court focused on whether allegations of “hacking” or “data theft” were required and held they were not. The court never examined, however, whether the information allegedly sent to those trackers (browsing activity, credit card application status, employment information, bank account information, IP addresses, and cookies) actually qualifies as “personal information” under the CCPA’s private right of action.

As noted above, the CCPA’s private right of action provision only allows consumers whose “personal information” was exposed to sue. That provision requires a name combined with specific sensitive identifiers like Social Security numbers, financial account numbers with access codes, or medical information. Standard tracker data typically does not fit that definition. The plaintiffs had framed the information using financial privacy law concepts rather than the CCPA’s own definition, and the court passed over the issue entirely.

The two 2026 Northern District of California decisions relied on two prior decisions as precedent for their holdings: a 2024 decision from the Northern District of California and a 2020 decision from the Southern District of California. The 2024 decision involved a defendant operating an online platform to connect users with mental health providers. The plaintiff alleged the defendant used analytics technology that could identify individual users from the data collected and that his mental health search information, health insurance details, and personal identifiers were all transmitted to the analytics provider without his knowledge.

The court denied the defendant’s motion to dismiss claims under § 1798.150, framing the dispute as whether the CCPA allows a plaintiff to bring a claim for anything other than a data breach. The court held the CCPA was not so limited and noted “courts have let CCPA claims survive a motion to dismiss where a plaintiff alleges that defendants disclosed plaintiff’s personal information without his consent due to the business’s failure to maintain reasonable security practices.” The emphasized language is critical for two reasons. First, the requirement to allege the failure to maintain reasonable security practices was not addressed in the post-2024 decisions that cite to this decision, showing a further drift away from the CCPA’s limitations. Second, although the 2024 decision quoted § 1798.150’s limitation to a consumer whose “personal information” was disclosed, the court did not address whether the plaintiff had alleged the information met that definition. Because the data included mental health information and health insurance details, it at least overlapped with categories that can qualify as “personal information” under the statute. But the court never examined whether those specific data elements actually met the statutory definition.[1]

The 2020 decision, which the 2024 decision cited for the proposition that other courts have allowed CCPA claims to survive a motion to dismiss, is the oldest case in the chain and the only one involving what can be categorized as a data breach. The plaintiff alleged the defendant, a medical billing company, misconfigured a webpage setting and consequently allowed search engines to index internal pages used for business operations, making the health and personal information of roughly 1.5 million patients publicly searchable by anyone with a browser. The defendant acknowledged this publicly. The exposed data included names, addresses, Social Security numbers, dates of birth, and medical claim information including diagnosis codes and treating physicians. The court rejected the defendant’s argument that the CCPA claim should be dismissed because no one had actually stolen the information.

This decision, which addressed what is unquestionably “personal information” under the CCPA, has since served as the foundation for the expansion of CCPA claims into the adtech space. Courts citing it miss, however, that the 2020 decision was never about whether tracker data or browsing history qualifies as “personal information.” It addressed only whether a disclosure without a traditional hack could trigger the statute. That is a different question, and the adtech cases that follow have conflated the two. The personal information issue that Stasi never needed to address has never been addressed by any court — and it remains the most significant open question for companies facing these claims.

What This Means if Your Company Is Sued

These decisions establish that plaintiffs can survive a motion to dismiss on a CCPA claim based on website tracker disclosures. That is a real development and companies should take it seriously. But courts have been ruling on a narrow threshold question — whether the private right of action requires a third-party hack — without examining the statutory definition of “personal information” that determines whether the claim is viable.

The CCPA’s private right of action is triggered only when a consumer’s “personal information” as defined in § 1798.81.5(d)(1)(A) is disclosed without authorization. That definition is narrow: a name or initial combined with a Social Security number, driver’s license number, financial account number with an access code, medical information, health insurance information, biometric data, or genetic data. Browsing activity, page visit history, IP addresses, application status indicators, and most other data that standard trackers collect do not fit that list. No court has yet ruled on whether they do. That argument is available, it is strong, and companies facing these claims should be pressing it.


[1] In a May 2025 decision, the court again denied the defendant’s attempt to dismiss the CCPA claim, holding that the court had already resolved the issue and the defendant failed to show why the court should again address the issue.