California’s Consumer Privacy Act (CCPA) Assists a Private Right of Action–Shah v. MyFitnessPal

It’s been years since I blogged about the California Consumer Privacy Act (CCPA). Have you missed the dumpster fire meme?

* * *

This is one of an ever-growing number of cases alleging that a website purported to let users decline cookies but then disregarded those instructions and placed the cookies anyway.

Among other claims, the plaintiffs alleged that the unconsented cookie placements and resulting consumer tracking violated the common law invasion of privacy and intrusion upon seclusion doctrine. The court says that the CCPA’s statutory provisions bolster these common law claims:

The California Consumer Privacy Act (CCPA) further supports the conclusion that plaintiffs Shah and Wiley had a reasonable expectation of privacy in the information that was collected by cookies they had attempted to reject. As the California Attorney general’s website explains, the CCPA requires that companies give users the choice to opt out of any collection of personal information for “cross-context behavioral advertising, which is the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s online activity across numerous websites.”

Two obvious points. First, CA AG’s website explanations aren’t binding interpretations of the CCPA. As the Dude might say, that’s just like, uh, their opinion, man. (Though this AG quote is just trying to summarize the overwhelmingly complex CPRA.)

Second, the CPRA’s cross-context behavioral advertising restriction doesn’t implicate all cookie placements. In other words, there are many reasons why a website might place a cookie that have nothing to do with that awkward statutory construct. In this case, some of the defendants’ activity at issue would not be related to the AG’s guidance.

The court continues:

When evaluating Californians’ reasonable expectations of privacy, the CCPA’s provisions are highly relevant “customs, practices, and circumstances,” because they provide Californians with the reasonable expectation that they will have some control over their data and necessarily shape users’ expectations about their ability to opt out of websites’ collection of data for profit.

Say what? The CCPA expressly precludes private rights of action for violations of its privacy provisions (there’s an unrelated limited private right of action for some data breaches). However, if courts will treat the CCPA’s statutory text as norm-shaping in a way that strengthens common law privacy claims, the CCPA’s text nevertheless facilitates a private right of action workaround despite its clear and contrary statutory intent. Nice.

Some courts have already been mangling the CCPA’s data breach private right of action to apply to any data disclosures, not just those we’d consider to be a result of a “breach.” Now, if the CCPA further turbocharges common law-based private rights of action, plaintiffs are getting an expanding toolkit of options to bypass the CCPA’s clear, express, and very-much-intended prohibition on private rights of action.

To be fair, I don’t think the court needs the CCPA’s norm-setting to establish the problems with asking users for their cookie preferences and then (allegedly) disregarding those instructions. If the website says X and then does not-X, consumers have a pretty reasonable expectation of X–no need for any statutory backup to legitimize that expectation. At the same time, I think of cases, like the old In re JetBlue case, where there’s a “no harm/no foul” realpolitik outcome when a privacy violation is inconsequential. If the plaintiffs don’t like a website’s data collection, but suffer no adverse consequence from it, what are we even doing?

Case Citation: Shah v. MyFitnessPal, Inc., 2026 WL 216334 (N.D. Cal. Jan. 27, 2026)

Because this case involves both the CCPA and CPRA, I might as well include the CPRA meme too:

Prior CCPA/CPRA Posts

* My Comments to the CPPA Regarding its Initial CPRA Proposed Regulations
* Will California Eliminate Anonymous Web Browsing? (Comments on CA AB 2273, The Age-Appropriate Design Code Act)
* Can Facebook Stop Data Snarfers?–Meta v. BrandTotal
* Quick Links From the Past Year, Part 1 (CCPA and Privacy)
* Three More Yearbook/People Database Cases Signal Trouble for Defendants
* My Comments on the California Consumer Privacy Rights Act (CPRA) Rulemaking
* Court Casts Doubt on the Legality of the Data Brokerage Industry–Brooks v. Thomson Reuters
* New Primer on the California Privacy Rights Act (CPRA)
* CCPA Definitions Confuse the Judge in a Data Breach Case–In re Blackbaud
* A Roundup of CCPA Court Decisions (I Only Know of 7)
* CCPA Data Breach Lawsuit Against Walmart Fails–Gardiner v. Walmart
* The Anticipated Domino Effect: Virginia Passes Second State “Comprehensive” Privacy Law (Guest Blog Post)
* SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”
* Over 50 Privacy Professionals & Experts Oppose Prop. 24
* Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
* A Review of the “Final” CCPA Regulations from the CA Attorney General
* The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
* My Third Set of Comments to the CA DOJ on the CCPA Regulations
* Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
* Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
* Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)