8 August 2025

Broadening The Scope Of Private Claims Under The CCPA

Finnegan, Henderson, Farabow, Garrett & Dunner, LLP

Contributor

Finnegan, Henderson, Farabow, Garrett & Dunner, LLP is a law firm dedicated to advancing ideas, discoveries, and innovations that drive businesses around the world. From offices in the United States, Europe, and Asia, Finnegan works with leading innovators to protect, advocate, and leverage their most important intellectual property (IP) assets.
  1. Broader Scope of CCPA Claims: Recent California court decisions have expanded the scope of privacy actions under the CCPA to include claims for unauthorized disclosure of personal information without permission, even if a data breach did not occur.

  2. Examples of Court Rulings: In cases like Shah v. Capital One and M.G. v. Therapymatch, courts allowed CCPA claims to proceed based on allegations of unauthorized disclosures through tracking tools, highlighting that a specific data breach is not necessary to maintain such claims.

  3. Implications for Businesses: Companies must maintain robust security measures and transparent privacy policies, especially regarding third-party tracking tools, to mitigate risks of potential CCPA violations and litigation.

California courts have seemingly broadened the scope of privacy actions brought under the data breach section of the California Consumer Privacy Act (CCPA). While actions for violations of other provisions of the CCPA may be brought by the California Privacy Protection Agency, individuals may file suit for personal information data breaches.1 Specifically, "any consumer whose nonencrypted and nonredacted personal information, . . . or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . may institute a civil action . . . ."2

While practitioners understood this provision to relate specifically to data breaches, some California courts have begun to allow claims under this provision to survive preliminary motions even where the facts alleged do not specifically include a breach and the claim instead rests on the disclosure of personal information without consent due to the business's failure to maintain reasonable security practices.3 For example, in a March 2025 ruling in Shah v. Capital One, the Northern District of California granted in part and denied in part Capital One's motion to dismiss, finding in particular that the plaintiffs had stated a claim with respect to allegations under the CCPA despite not alleging a data breach.4

The Plaintiffs in this class action asserted 17 causes of action based on allegations that the financial institution unlawfully disclosed their personal information, financial information, and communications to third parties through tracking software embedded on the Capital One website.5 The Court found that because these trackers were in use and transmitted Plaintiffs' personal and financial information, the plaintiffs did not need to allege a data breach to maintain the CCPA claim.6

Previous California decisions have held similarly. In another Northern District decision, M.G. v. Therapymatch, the court held that a CCPA claim could survive a motion to dismiss where the plaintiffs alleged disclosure of personal information, including confidential medical and health insurance information, via online tracking tools.7 In Ramos v. Wells Fargo Bank, N.A., a Southern District court held that the plaintiff was not required to plead that there was a data breach and found the plaintiff's CCPA claim sufficient to survive a motion to dismiss because the plaintiff alleged that unknown individuals accessed information regarding his savings account due to the bank's failure to implement and maintain reasonable security procedures.8

These decisions indicate a changing landscape in privacy litigation under the CCPA. Companies should take extra care to understand the data collected by and shared with third-party tracking tools on their websites, obtain consent when required, and ensure that their privacy policies are up to date and account for any transmission of personal or sensitive information.

Footnotes

1. Cal. Civ. Code §§ 1798.150, 1798.199.10.

2. Id. § 1798.150(a)(1).

3. Shah v. Capital One, 768 F.Supp.3d 1033, 1048-49 (N.D.Cal. 2025).

4. See id. at 1048-49, 1053-56.

5. See id. at 1042-43, 1048-49.

6. See id.

7. 23-cv-04422-AMO, 2024 WL 4219992, at *7 (N.D. Cal. Sept. 16, 2024).

8. 23-cv-0757-L-BGS, 2023 WL 5310540, at *2 (S.D. Cal. Aug. 17, 2023).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
