On May 1, 2025, the California Privacy Protection Agency (CPPA) issued a Final Order in one of its first enforcement actions under the California Consumer Privacy Act (CCPA), imposing a fine of nearly $350,000.
In Shah v. Capital One Financial Corporation, the company was accused of violating consumer privacy through its use of embedded tracking technologies such as Meta Pixel and Google Analytics. The ruling signals that routine data-sharing technologies commonly used by many businesses are no longer acceptable without consent. Sharing data with third parties now carries the same litigation risk as a security incident in which customer data is leaked or stolen.
The Final Order carries an important lesson: simply posting a Privacy Policy on your website or app is not enough. Businesses themselves are responsible for the data-handling practices of the third-party services they embed, and must actively verify that those technologies protect consumer rights and comply with the CCPA.
Read more about the CPPA's Final Order in Shah v. Capital One Financial Corporation and its implications for businesses.
Practical Takeaways
- Test your links and forms regularly across devices and browsers.
- Provide transparent and user-friendly cookie banners.
- Review webforms and verification tools to ensure they correctly identify and respond to verifiable consumer requests without collecting excessive personal data.
- Ensure that your contracts with all third-party service providers and vendors are up-to-date and CCPA-compliant.
- Record consent logs and document your due diligence to illustrate your commitment to compliance.
- Use professional Consent Management Platforms (CMPs) to manage Cookie Consent.
- CookieScript helps manage all of this, offering geo-targeting, a CCPA-compliant Cookie Banner, consent logging, automatic third-party cookie blocking, respect for opt-out signals such as Global Privacy Control (GPC), and integrations with Google Consent Mode v2 and IAB TCF 2.2.
Beyond the Breach: How CCPA Enforcement Is Cracking Down on Cookies and Tracking Tech?
For years, the private right of action under the California Consumer Privacy Act (CCPA) was understood to apply primarily to data breaches. In most cases, those breaches resulted from inadequate security that let unauthorized parties access consumer data. Recent California court rulings have changed the situation, dramatically expanding what counts as an unauthorized disclosure.
Now, data breaches could also include the use of third-party tracking technologies like analytics or ad services without Cookie Consent from consumers. This creates significant new legal risks for virtually any business operating in California or collecting data from California residents.
Regulators now treat unconsented data sharing through cookies, pixels, and tracking scripts as unauthorized disclosures, similar in severity to data breaches.
The CCPA watchdog focuses on third-party tracking without clear disclosures or opt-outs. Businesses must obtain cookie consent before loading any tracking technologies on their websites or apps, including cookies, session storage, local storage, ad pixels, and others.
CCPA Enforcement in 2025: Why Website Cookies and Tracking Tools Are Now a Legal Risk?
In 2025, website cookies and tracking tools pose a legal risk in California. Recent enforcement actions show that the CPPA is now pursuing companies not only for consumer data leaks in breaches, but also for sharing consumer data with third parties through Third-Party Cookies, ad pixels, and behavioral tracking tools. Businesses using these technologies without prior consent are risking huge penalties.
A recent case resulted in a $350,000 fine over a malfunctioning Cookie Banner that remained broken for 40 days.
The CCPA provides a private right of action for consumers whose "nonencrypted and nonredacted Personal Information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices." Until now, this provision was used only for data breaches.
Capital One case: key court rulings
In the Capital One case, the CPPA found multiple violations of the CCPA and its implementing regulations. The most severe violations include:
- Absence of an opt-out mechanism
The company used third-party tracking software on its website, including cookies and pixels, to share data about consumers’ online behavior with third parties. It shared the data for purposes such as analytics and cross-context behavioral advertising, a common practice among many companies. Although the business's cookie notice informed consumers that they could opt out of sharing their Personal Information, the "Cookie Preferences Center" link on the company's website was non-functional. Consumers could not use the opt-out option for 40 days.
- Failure to properly identify verifiable requests and the excess collection of verification information
The company offered a webform where consumers could exercise their CCPA rights, including the right to opt out of the selling or sharing of personal information. However, the webform required consumers to provide excessive personal information, including a picture of the consumer holding an “identity document.” This method created two problems: a) the webform collected sensitive personal information (identity document) to make the request, and b) it did not distinguish requests to opt out of the sale or sharing of personal information, which are not verifiable consumer requests.
The CPPA concluded that the webform collected more personal information than necessary for verifiable consumer requests and failed to authenticate consumers in a way that was compliant with the CCPA.
The court’s ruling suggests that commonly used data-sharing mechanisms are no longer valid and could now carry litigation risks. Organizations using third-party tracking services should now rethink their business operations and data flows.
M.G. v. Therapymatch, Inc. case: court ruling overview
In M.G. v. Therapymatch, Inc. case, the plaintiff challenged Therapymatch’s practice of embedding Google Analytics on its therapy-matching website, which allegedly transmitted sensitive personal and mental health information to Google without adequate disclosure or user consent. This was a potential violation of California’s privacy laws.
The core question was whether unauthorized third-party disclosure of personal information could trigger the CCPA’s private right of action. Until then, the private right of action required an “unauthorized access and exfiltration, theft, or disclosure” of personal data as a result of inadequate security practices, which usually occurred during the traditional data breach.
On September 16, 2024, the Northern District of California issued a ruling, which granted in part and denied in part Therapymatch's motion to dismiss the case. The CCPA claim was allowed to proceed, with the court finding that a data breach is not required for the statute’s private right of action to apply. Unauthorized sharing via third-party tracking like Google Analytics could qualify for a private right of action.
The decision acknowledges that unauthorized third-party data sharing, even without a traditional data breach, can form a basis for liability.
From Consent Banners to Cookies: CCPA Expands Focus Beyond Data Breaches
These court rulings significantly change the understanding of an "unauthorized disclosure" under the CCPA and the compliance practices with the CCPA. It's not just about unauthorized access of customers’ data through data breaches, but it also affects everyday data collection and sharing with third parties for the purposes of advertising or analytics.
Now, your website or app could violate the CCPA in the following cases:
- When cookies, ad pixels, or other tracking scripts fire before the website or app obtains consent. Non-functional or delayed cookie banners have already triggered six-figure fines.
- If a website or app provides misleading or hard-to-navigate cookie banners.
- If there is no "Do Not Sell or Share My Personal Information" link.
- In cases of insufficient documentation of user consent logs.
- When using dark patterns.
Cookies and Consent: What New CCPA Enforcement Actions Mean for Your Website
The expanded interpretation of the CCPA private right of action significantly changes the cost-benefit analysis of using third-party tracking technologies. With penalties under the CPRA ranging from $100 to $750 per consumer per incident, the potential liability for businesses with large user bases can be substantial. Businesses must now weigh this liability against the marketing and analytics benefits that third-party tracking technologies provide.
If your website uses cookies or embedded third-party scripts (like analytics, embedded ad services, or retargeting pixels), you're likely subject to CCPA scrutiny. If you want to avoid potential liability, you should make sure the consent mechanism is working properly. To avoid penalties, businesses should double-check:
- Whether opt-outs actually work.
- If cookies are blocked until consent is given.
- Whether users have an easy option to exercise their rights.
Even short periods of non-compliance caused by broken banners or JavaScript errors can lead to fines and reputational damage.
Nationwide Implications
While these rulings specifically apply to California, they could affect the interpretation of similar provisions in other state privacy laws. Courts in other states’ jurisdictions may look to California's interpretation of the CCPA as persuasive precedent.
This decision broadens the interpretation of the CCPA’s private right of action. This potential for nationwide impact makes it even more important for businesses to limit the sharing of personal information with third parties even for commonly accepted services such as analytics or ads. It also acknowledges that unauthorized third-party data sharing can form a basis for liability.
Beyond litigation, the Final Order in Shah v. Capital One Financial Corporation could also have the following consequences for any company:
- Reputational risk: Individuals are worried about their privacy, and no one wants to hear about invasive data practices. Privacy-related litigation could scare away potential consumers.
- Compliance risk: The current implication could also affect compliance with other privacy laws, such as CTDPA (Connecticut), TDPSA (Texas), MPDPA (Michigan), GDPR (EU), and others.
- Operational risk: You should rethink data flows in your company and coordinate them accordingly between legal, marketing, and product teams.
Not sure if your website uses cookies? Scan your website for free and see what cookies, including Third-Party Cookies, your website uses.
Dark Patterns, Pixels & Penalties: The New Face of CCPA Enforcement
The CPPA treats dark patterns as manipulative UX in cookie banners, including banner designs that nudge users toward accepting tracking, and confusing, hard-to-find opt-out processes hidden in settings.
California regulators are now carefully checking banner designs that:
- Prioritize “Accept All” over “Reject All” by making the "Accept All" button more prominent;
- Use confusing language that discourages consent withdrawal;
- Hide opt-out options behind multiple layers.
If a company collects personal data through cookies, pixels, or any other behavioral trackers and shares it with a third party, these practices expose the business to risk not just from regulators but also from private lawsuits.
Is Your Cookie Consent Enough? CCPA Enforcement Signals a Shift in Focus
Compliance is no longer a formality—now, businesses must provide real user control over their data. As the regulatory spotlight shifts, businesses need to revisit their Cookie Consent strategies.
These rulings send a critical message: businesses can no longer simply deploy a consent or opt-out tool and assume compliance.
Responding to CCPA enforcement, businesses must embed privacy compliance into everyday operations, including:
- Provide transparent and user-friendly cookie banners.
- Provide easy-to-find opt-out mechanisms that block tracking.
- Use accessible privacy settings.
- Collect the minimum information necessary to fulfill a request based on the type of request received.
- Ensure that requests to opt out of the sale or sharing of personal information, and requests to limit the use of sensitive personal data, do not require identity verification.
- Respect opt-out signals like Global Privacy Control (GPC) automatically.
- Have up-to-date, CCPA-compliant contracts with all third-party service providers and vendors.
- Routinely audit third-party scripts and consent logs.
- Train staff on how to handle individual rights requests.
- Monitor legal developments and enforcement trends.
- Use professional Consent Management Platforms (CMPs) to manage Cookie Consent.
Even temporary issues or short-term failures, such as a broken script that bypasses consent for a few days, are treated as full violations with the corresponding consequences. This calls for real-time compliance mechanisms, such as CMPs.
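The checklist above (opt-outs that work, cookies blocked until consent, GPC honored, consent logged) and the "broken script bypasses consent" failure mode can be expressed as one small consent gate. This is an added example, not CookieScript's or any CMP's code; the tracker list, the `cookie-consent` storage key, the banner version and the helper names are assumptions. The loader fails closed: a missing, malformed or stale consent record loads nothing, and a Global Privacy Control signal overrides any banner choice.

```javascript
// Added example, not CookieScript's code: consent-gated loading of third-party
// trackers that honors GPC and records a consent log entry. Tracker list,
// storage key, banner version and helper names are assumptions.
const TRACKERS = [
  { id: "ga4", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "meta-pixel", category: "advertising", src: "https://example.invalid/pixel.js" },
];
const BANNER_VERSION = "2025-05";

// Parse the stored consent record. Anything missing, malformed or written by an
// older banner version counts as "no consent", so a broken banner fails closed.
function readConsent(raw, bannerVersion) {
  try {
    const rec = JSON.parse(raw);
    if (!rec || rec.bannerVersion !== bannerVersion) return null;
    return rec.categories && typeof rec.categories === "object" ? rec : null;
  } catch (err) {
    return null;
  }
}

// GPC is an opt-out of sale/sharing under the CCPA, so it overrides any banner
// choice: with the signal set, only strictly necessary scripts may run.
function permittedCategories(consent, gpc) {
  const allowed = new Set(["necessary"]);
  if (gpc || !consent) return allowed;
  for (const [cat, ok] of Object.entries(consent.categories)) if (ok === true) allowed.add(cat);
  return allowed;
}

// Decide which trackers may load and build the log entry that documents why.
function decideTrackers({ storedConsent, gpc, bannerVersion = BANNER_VERSION, now = new Date() }) {
  const consent = readConsent(storedConsent, bannerVersion);
  const allowed = permittedCategories(consent, gpc);
  const load = TRACKERS.filter((t) => allowed.has(t.category)).map((t) => t.id);
  const blocked = TRACKERS.filter((t) => !allowed.has(t.category)).map((t) => t.id);
  const log = { ts: now.toISOString(), bannerVersion, gpc: gpc === true,
    choice: consent ? consent.categories : "none", loaded: load, blocked };
  return { load, blocked, log };
}

if (typeof window !== "undefined") {
  const d = decideTrackers({
    storedConsent: window.localStorage.getItem("cookie-consent"),
    gpc: navigator.globalPrivacyControl === true,
  });
  for (const id of d.load) { // inject <script> tags only for permitted trackers
    const s = document.createElement("script");
    s.src = TRACKERS.find((t) => t.id === id).src;
    document.head.appendChild(s);
  }
}
```

The `log` object is what you would persist as the consent record the Final Order expects you to be able to produce; ship it to your own backend, not to a tracker.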
How Can CookieScript Help You to Comply with the CCPA?
CookieScript can help you manage all the above-mentioned requirements and comply with CCPA and other privacy laws.
CookieScript CMP has the following features:
- Privacy-laws compliant cookie banner
- Geo-targeting
- Consent logging
- Google-certified CMP
- Integration with Google Consent Mode v2
- Integration with IAB TCF v2.2
- Global Privacy Control (GPC) signal respect
- Cookie Scanner
- Privacy Policy Generator
- Automatic blocking of third-party scripts
- CookieScript API
- Integration with CMS like Joomla, Shopify, WordPress, etc.
In 2024, users ranked CookieScript CMP as the best CMP on the peer-review site G2.
Frequently Asked Questions
How is CCPA enforcement targeting website cookies and tracking?
On May 1, 2025, the California Privacy Protection Agency (CPPA) fined Capital One Financial Corporation in Shah v. Capital One Financial Corporation for violating consumer privacy through its use of embedded tracking technologies like Meta Pixel and Google Analytics. This decision broadens the interpretation of the CCPA’s private right of action. It also acknowledges that unauthorized third-party data sharing can form a basis for liability. Use CookieScript CMP to comply with the CCPA.
What banner should I use to avoid litigation risk under the CCPA?
The “Accept All” and “Reject All” buttons should be equal in size and color; use plain language in the cookie notice, do not hide opt-out options behind multiple layers, and do not use dark patterns. Use CookieScript CMP to create a privacy-law-compliant cookie banner.
What does the recent California court ruling on the Capital One Financial Corporation mean for businesses?
On May 1, 2025, the CPPA fined Capital One Financial Corporation in Shah v. Capital One Financial Corporation for violating consumer privacy through its use of embedded tracking technologies. Data breaches can now also include the use of common third-party tracking technologies like analytics or ad services without cookie consent from consumers. Regulators now treat unconsented data sharing as an unauthorized disclosure, similar in severity to a data breach. Use CookieScript CMP to comply with the CCPA.
When could a private right of action under the CCPA be used?
Until 2025, this provision was used only for data breaches. On May 1, 2025, the CPPA fined Capital One Financial Corporation for violating consumer privacy through its use of third-party tracking technologies, so unauthorized third-party data sharing can now also form a basis for liability. CookieScript CMP can help you comply with the CCPA and avoid penalties.