Allison v. PHH Mortgage opens the CCPA's private right of action to pixel tracking claims

The US District Court for the Northern District of California ruled on March 27, 2026, that the California Consumer Privacy Act's (CCPA) private right of action is not limited to data breaches. It can also cover unauthorized disclosures caused by tracking pixels.
- The court held that "nothing in the plain language" of California Civil Code § 1798.150 limits the private right of action to data breaches by outside attackers
- This extends exposure to intentional disclosures through tracking pixels, session replay tools, and third-party analytics tags
- The complaint also included claims under the California Invasion of Privacy Act (CIPA) and the federal Electronic Communications Privacy Act (ECPA), stacking legal theories against the same tracking conduct
What is this case about?
Ethan Allison sued PHH Mortgage, alleging that trackers on its website shared users' personal information with third parties without consent. The complaint raised CIPA, ECPA, and CCPA claims together.
PHH Mortgage moved to dismiss the CCPA claim. Its argument was that the CCPA's private right of action applies only when a business's inadequate security lets an outside attacker take consumer data.
The court rejected that argument.
What did the court decide?
Before this ruling, most businesses assumed tracking pixel lawsuits were a CIPA problem, not a CCPA problem. The CCPA was thought to cover data breaches only.
The court found that the CCPA's "reasonable security procedures" obligation also covers consent and data governance controls. A pixel that fires before consent is captured is now potentially an unauthorized disclosure under the CCPA.
Damages under the CCPA's private right of action are $100 to $750 per consumer per incident, or actual damages if higher. At class-action scale across a big website, that adds up fast.
Why does this matter for advertising?
Most tracking pixels on commercial websites are there for advertising. Meta Pixel, Google Ads tags, DoubleClick, and LinkedIn Insight Tag all send identifiers (IP address, device ID, page URL, behavioral signals) to third parties.
If any of these tags fire before the user interacts with the consent banner, or keep firing after opt-out, that is now potentially a CCPA violation on top of a CIPA violation.
Tag managers, SDKs, and server-side tracking all need to be checked. The relevant question is no longer just "did we say this in the privacy policy?" It is "did the script actually fire before consent was logged?"
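The check the previous paragraph describes ("did the script actually fire before consent was logged?") can be made mechanical. The following is an added example, not code from the court record, from PHH Mortgage, or from Privado: a small consent gate that holds tag fires until consent for their category is recorded, plus an audit routine that walks an ordered event log and flags every tag fire that happened while its category was not consented (including fires after an opt-out). The tag names, the category mapping, and the sample log are constructed assumptions.

```javascript
// Consent-gated tag firing and an audit over a fire/consent event log.
// Added example; tag names, categories and the sample log are assumptions.

// Which consent category each tag needs (assumed mapping for the example).
const CATEGORY_OF_TAG = {
  meta_pixel: 'advertising',
  google_ads: 'advertising',
  linkedin_insight: 'advertising',
  session_replay: 'analytics',
};

// A minimal consent gate: a tag is fired only if its category is currently
// consented; otherwise it is held. Every decision is logged for later audit.
function createConsentGate(now = () => Date.now()) {
  const consent = new Set();   // categories currently consented
  const queue = [];            // fires held until consent arrives
  const log = [];              // ordered event record for auditFires()

  function fire(tag, payload) {
    const category = CATEGORY_OF_TAG[tag];
    if (!category) throw new Error(`unknown tag ${tag}`);
    if (consent.has(category)) {
      log.push({ type: 'fire', tag, category, ts: now() });
      return 'fired';
    }
    queue.push({ tag, payload });
    log.push({ type: 'held', tag, category, ts: now() });
    return 'held';
  }

  function grant(categories) {
    categories.forEach((c) => consent.add(c));
    log.push({ type: 'consent', categories: [...categories], ts: now() });
    // Flush held fires whose category is now consented; keep the rest held.
    const stillHeld = [];
    for (const item of queue.splice(0)) {
      if (consent.has(CATEGORY_OF_TAG[item.tag])) fire(item.tag, item.payload);
      else stillHeld.push(item);
    }
    queue.push(...stillHeld);
  }

  function revoke(categories) {
    categories.forEach((c) => consent.delete(c));
    log.push({ type: 'optout', categories: [...categories], ts: now() });
  }

  return { fire, grant, revoke, log, pendingCount: () => queue.length };
}

// Audit: replay an ordered event log (fires, consent grants, opt-outs) and
// return every fire whose category was not consented at that moment.
function auditFires(events) {
  const consented = new Set();
  const violations = [];
  for (const e of events) {
    if (e.type === 'consent') e.categories.forEach((c) => consented.add(c));
    else if (e.type === 'optout') e.categories.forEach((c) => consented.delete(c));
    else if (e.type === 'fire' && !consented.has(e.category)) {
      violations.push({ tag: e.tag, ts: e.ts, reason: 'fired without consent' });
    }
  }
  return violations;
}

// Constructed log from an ungated site: one pixel fires before the banner is
// answered and another keeps firing after the user opts out.
const UNGATED_LOG = [
  { type: 'fire', tag: 'meta_pixel', category: 'advertising', ts: 1 },
  { type: 'consent', categories: ['advertising'], ts: 2 },
  { type: 'fire', tag: 'google_ads', category: 'advertising', ts: 3 },
  { type: 'optout', categories: ['advertising'], ts: 4 },
  { type: 'fire', tag: 'linkedin_insight', category: 'advertising', ts: 5 },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('ungated violations:', auditFires(UNGATED_LOG));
  let t = 0;
  const gate = createConsentGate(() => ++t);
  gate.fire('meta_pixel', { page: '/apply' });   // held
  gate.grant(['advertising']);                   // flushes the held fire
  console.log('gated violations:', auditFires(gate.log));
}
```

In practice the event log would come from the browser (network requests to the pixel endpoints, timestamped against the consent-manager state) rather than from the gate itself; the audit function is the same either way, which is the point: the evidence of a pre-consent or post-opt-out fire is a timestamp ordering, not a privacy-policy sentence.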
Key takeaways
- Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
- Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared
- Run data protection assessments for any processing of personal data for targeted advertising, selling of personal data, or processing of sensitive data
Privado AI's Web Auditor continuously scans websites to verify that consent banners are correctly configured, that tracking pixels do not fire before consent is captured, and that opt-outs are honored end-to-end.


