Here are some recent privacy and cybersecurity related news stories that caught our attention over the past couple of weeks.

Court Rejects Class Certification in Pixel Tracking Suit Against AddShoppers and Peet’s Coffee

In a significant win for the defense, a California federal judge denied class certification in a California Invasion of Privacy Act (CIPA) suit alleging that AddShoppers and Peet’s Coffee unlawfully tracked website visitors using pixel technology. Under the Federal Rules of Civil Procedure, a party seeking class certification must satisfy all four prerequisites: numerosity, commonality, typicality, and adequacy of representation.

Here, the court dismissed the proposed class action after finding that the named plaintiffs failed to meet the typicality and adequacy requirements. One plaintiff could not establish that he received any marketing emails - the very harm alleged - while the other deleted key browsing history after discovery began.

Because CIPA liability turns on whether tracking occurred without consent, the court emphasized that the plaintiffs’ credibility - particularly their testimony regarding cookie consent and typical browsing behavior - was central to the analysis. If a plaintiff’s account is unreliable, they are unlikely to satisfy the adequacy and typicality prongs required for class certification.

The bottom line:

This ruling provides a roadmap for companies to challenge class certification in privacy lawsuits involving tracking pixels and email targeting. Courts are scrutinizing plaintiffs' credibility, data preservation, and standing, and will reject certification where the named plaintiffs' claims are not representative of the class.

What you need to do:

Companies facing CIPA or pixel tracking litigation should:

• Carefully examine the named plaintiffs’ standing and factual allegations early;
• Highlight inconsistencies or deficiencies in the plaintiffs’ data or testimony;
• Preserve documentation showing users’ consent mechanisms, data flows, and how marketing emails were generated;
• Be prepared to argue that the plaintiffs' experience is not typical of the proposed class.

Judge Chhabria's parting words were clear: “If the only named plaintiff you can find is someone whose presence threatens to weaken the claims of the absent class members, don’t bring the lawsuit. And if you’ve already brought the lawsuit, don’t just plow ahead hoping that it won’t become a big deal.”

Recent Activity Related to Children’s Data Protection

New York:

Mark your calendars -- New York’s Child Data Protection Act goes into effect June 20, 2025. The New York Office of the Attorney General has published Implementation Guidance, which notes that the Office of the Attorney General intends to issues rules with further details for compliance and will exercise discretion in pursuing enforcement actions, taking into account a company’s good-faith efforts to comply with the Act until the rules are finalized.

Nebraska:

On May 30, 2025, the Nebraska governor signed the Age-Appropriate Online Design Code Act, which applies to certain online services, including those with design features that encourage or increase the frequency, time, or activity of a user on the online service.

Connecticut:

On June 3, 2025, Connecticut voted to adopt amendments to the Act Concerning Social Media Platforms and Online Services, Products and Features. The amendment includes a concept of “heighted risk of harm” caused by processing a minor’s personal data in a manner that presents any reasonably foreseeable risk of minors.

Read the full article here.

Connecticut Enacts Amendments to State’s Data Privacy Law

Connecticut has strengthened its data privacy law with SB 1295, expanding the CTDPA’s scope and adding new protections for sensitive data and minors. With a July 1, 2026, effective date, businesses should review their compliance strategies now.

Read the full article here.

California Attorney General Secures $1.55 million CCPA Settlement Against Healthline

Earlier this month, California AG Bonta announced the largest settlement with Healthline Media LLC (Healthline). Between the AG’s office and the California Privacy Protection Agency, this marks the CCPA’S third cookie related settlement this year. Healthline (which publishes medical information) shared consumer information in a manner that would have been a “share” or “sale” under the CCPA, but Healthline’s opt out tools improperly functioned such that Healthline did not properly honor consumer preferences. Healthline also didn’t set a clear exception for consumers that their inferred health interests (i.e., based on the pages viewed) would be shared for online advertising.

What you need to do:

Businesses that deploy cookies, pixels, or other website tracking tools should audit their current practices to ensure what information they are collecting and sharing is in compliance with CCPA rules. It is also important to address, that if you sell or share personal information, you must inform consumers of their opt-out rights, specifically addressing online tracking and sensitive information, and honor those rights requests immediately. Finally, businesses should confirm that contracts include CCPA-required provisions and that providers are compliant with those requirements.

Be sure to follow the firm’s LinkedIn page to see more of these news snippets with our commentary.