This Month in Privacy: Tracking Pixels Face Even More Civil Liability, AI Deployments Increase Privacy Risk, and Pressure Mounts on Data Brokers
Keeping up with privacy news is a full-time job. As regulatory expectations shift and legal landscapes evolve, our monthly dispatch cuts through the noise, highlighting key trends and recommendations to help you stay ahead of enforcement.
Courts expand CCPA’s civil right of action
For years, CCPA’s private right of action has been understood as narrow: consumers can sue, but only after a data security breach in the traditional sense, meaning a bad actor, a security exploit, and exposed data.
But this month, a California court issued a ruling interpreting “breach” broadly enough to cover situations where consumer data ends up somewhere the consumer did not expect, even without an external attacker or security vulnerability. Civil plaintiffs may no longer need to demonstrate a hack or intrusion.
CIPA litigation has already demonstrated how expensive California civil privacy claims become when they are filed at volume. This ruling could point CCPA compliance in the same direction. Tracking pixels are a direct exposure point, particularly on any website where browsing behavior could imply something sensitive about a user and where even partial identifying information (an email address, a hashed email, a user ID) passes through the pixel along with the page URL. Think health content, financial distress resources, or legal services.
The Takeaway
If your tracking pixel data flow is not clearly documented and consented to, your risk profile just got higher. The dominoes are falling slowly, but they are falling. As a best practice, privacy teams should audit every tracking pixel deployment on pages where a user’s browsing activity could reveal sensitive attributes. Review what data is transmitted through those pixels (query parameters, request bodies, and the referring page URL) and to which third parties it goes.
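One way to carry out that audit is to export a HAR capture from the browser’s developer tools while loading a sensitive page and then inventory every third-party request it contains. The script below is an added example written for this dispatch, not DataGrail code or any vendor’s tool. It walks the entries in a small constructed HAR-style capture, skips first-party requests, merges each third-party request’s query string and body parameters, flags parameters that look like identifiers, and notes whether the request fired from, or carried, a sensitive page path. The first-party domain, the sensitive path list, and the identifier parameter names are assumptions for the example and should be replaced with your own.

```python
"""Inventory third-party tracking pixel requests from a HAR capture.

Added example, not DataGrail or vendor code. Input is a small constructed
HAR-style dict using the subset of the HAR 1.2 'entries' structure that
matters here; a real capture exported from browser DevTools uses the same
field names (log.entries[].request.url / headers / postData).
"""
import json
import re
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "clinic.example"  # assumed first-party site for the example
# Assumed: path segments on this site that imply a sensitive context.
SENSITIVE_PATHS = ("/conditions/", "/billing-help/", "/legal-aid/")
# Assumed: parameter names commonly used to hand identifiers to ad pixels.
ID_PARAMS = {"em", "email", "uid", "external_id", "ph", "fn", "ln"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)
HEX_HASH_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{64}$", re.I)  # md5 / sha256


def registrable(host):
    """Crude eTLD+1 (last two labels). Use a public-suffix list in production."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def is_third_party(url):
    return registrable(urlsplit(url).hostname) != FIRST_PARTY


def request_params(entry):
    """Merge the query string and any form/JSON body of one HAR entry."""
    req = entry["request"]
    params = dict(parse_qsl(urlsplit(req["url"]).query))
    post = req.get("postData")
    if post:
        text = post.get("text", "")
        if "json" in post.get("mimeType", ""):
            try:
                params.update({k: str(v) for k, v in json.loads(text).items()})
            except ValueError:
                pass  # not JSON after all; ignore the body
        else:
            params.update(dict(parse_qsl(text)))
    return params


def page_context(entry):
    """The page the pixel fired from, taken from the Referer header."""
    for h in entry["request"].get("headers", []):
        if h["name"].lower() == "referer":
            return h["value"]
    return ""


def audit(har):
    """Return one finding per third-party request in the capture."""
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if not is_third_party(url):
            continue
        params = request_params(entry)
        ctx_path = urlsplit(page_context(entry)).path
        identifiers = {
            k: v for k, v in params.items()
            if k.lower() in ID_PARAMS or EMAIL_RE.search(v) or HEX_HASH_RE.match(v)
        }
        # Sensitive if fired from a sensitive page OR if a parameter (e.g. the
        # 'dl' page-URL field many pixels send) carries a sensitive path.
        sensitive = any(s in ctx_path for s in SENSITIVE_PATHS) or any(
            s in v for v in params.values() for s in SENSITIVE_PATHS)
        findings.append({
            "third_party": registrable(urlsplit(url).hostname),
            "page": ctx_path,
            "identifiers": identifiers,
            "sensitive_context": sensitive,
            "risk": "high" if sensitive and identifiers else "review",
        })
    return findings


# Constructed sample capture: one first-party asset, one ad pixel firing from
# a condition page with a hashed email (the hash is md5("hello"), made up for
# the example), and one analytics POST from a non-sensitive page with a user ID.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET",
                 "url": "https://clinic.example/static/logo.png",
                 "headers": [{"name": "Referer",
                              "value": "https://clinic.example/conditions/diabetes"}]}},
    {"request": {"method": "GET",
                 "url": ("https://px.adnet.example/tr?id=12345&ev=PageView"
                         "&em=5d41402abc4b2a76b9719d911017c592"
                         "&dl=https%3A%2F%2Fclinic.example%2Fconditions%2Fdiabetes"),
                 "headers": [{"name": "Referer",
                              "value": "https://clinic.example/conditions/diabetes"}]}},
    {"request": {"method": "POST",
                 "url": "https://collect.analytics.example/v1/events",
                 "headers": [{"name": "Referer", "value": "https://clinic.example/about"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"event\": \"page_view\", \"uid\": \"u-88213\"}"}}},
]}}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_HAR), indent=2))
```

On the sample, the ad pixel is reported as high risk because it both fired from a /conditions/ page and carried a hashed email, while the analytics call is flagged for review only, since it carried a user ID from a non-sensitive page. Run the same audit against captures of each sensitive page template; every high-risk finding is a data flow that needs to appear in your documentation and consent disclosures.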
Many privacy teams that deploy tracking pixels already apply a GDPR-style opt-in model to California visitors to head off potential CIPA claims. DataGrail Consent gives you flexibility in your approach. You can adopt a strict opt-in model, or use your consent banner simply to give notice of the tracking behavior and keep a default opt-out model in which tracking begins once the user interacts with the banner (e.g. by dismissing it). Best practices will continue to evolve with enforcement news.
AI ambitions collide with privacy obligations (or lack thereof)
Three recent news stories share an underlying pattern: AI’s capacity for data processing implicitly encourages organizations to collect more data. The difference in these stories is the role of the regulator versus the role of the public.
Meta now allows employees to request an exemption from having their computer activity used to train the company’s AI models, following backlash from employees and the media. Meta has notably less regulatory friction to navigate before deploying a process like this one, since employees do not receive the same privacy protections as consumers under most privacy laws.
Meanwhile, a joint investigation by Canada’s federal and three provincial privacy commissioners found that OpenAI’s launch of ChatGPT violated Canadian privacy laws, and consumers were completely unaware of how their personal and sensitive data was used to train the model. While OpenAI has made some improvements based on the report and disagrees with much of the investigation’s findings overall, Canadian regulators still argue the company has failed to take accountability.
Lastly, X Corp. petitioned the FTC to lift a past settlement order, arguing in part that full compliance with the order would prohibit AI innovation. The original order imposed a $150M penalty and required Twitter to offer more MFA options, disclose privacy violations, limit employee access to personal data, and implement a privacy and security program including a risk assessment process. The FTC is seeking public comments on the petition until July 2, and its final decision will be a critical indicator of how the FTC will weigh AI benefits against risks going forward.
The Takeaway
AI regulation is an important factor to consider when building, fine-tuning, or integrating AI systems, but it’s not the only factor. Both regulators and the general public expect transparency from their AI providers. To provide those disclosures, you need to understand the data your models process and on what legal basis.
The first step is shadow AI detection across your tech stack. The 2026 Privacy and AI Trends report found that you can’t rely on your procurement process to accurately flag AI risk. DataGrail Live Data Map detects and categorizes risk across your tech stack. From there, privacy teams use Risk Register to slice AI risk against related risk categories.
Consumers are demanding their data back, and data brokers are in the hot seat
The California Delete Act established the broadest definition of a data broker to date in 2023. As much as the industry complained that the definition was too broad, other regulators have followed suit. Connecticut just passed Senate Bill 4, which expands the state’s legal definition of a data broker to include many adjacent industries. Brokers will need to register with the Connecticut Department of Consumer Protection and follow a strict set of requirements, including compliance with the state’s own version of California’s Delete Request and Opt-out Platform (DROP).
Companies in the business of buying and selling consumer data won’t be able to hide behind other labels for much longer. The FTC’s $930,000 settlement with Cox Media Group and two affiliated firms signals that federal regulators are paying attention too. Cox marketed an “Active Listening” AI advertising service that it claimed could target ads based on real-time conversations captured from consumers’ smart devices. The service did not do that. What it actually did was resell email lists sourced from other data brokers at a significant markup, while claiming consumers had “opted in” by accepting app terms of service. The FTC alleged this violated the FTC Act.
The problem isn’t just transparency about data practices. Acknowledging that your company is a data broker opens the door to much heftier privacy compliance requirements that many teams aren’t ready for. According to CalPrivacy, more than 300,000 California consumers have already signed up for the DROP platform to exercise their rights under the Delete Act. That’s 300,000 deletion and opt-out requests every data broker must receive and begin processing between August 1 and September 15 of this year. Failing to process this unprecedented request volume risks fines on the order of $60M per day of noncompliance, based on a penalty of $200 per consumer per day (300,000 × $200). As Connecticut has signaled, the compliance requirements and potential fines will only grow from here.
The Takeaway
California still provides the broadest definition of a data broker. If you’re unsure whether that includes you, start there. If sharing or monetizing third-party data is a critical component of your organization’s business model, transparency is not optional. Take automation seriously. Consumer demand for data controls is real, measurable, and growing, and the resulting request volume can’t be handled as an afterthought. You need a data subject request automation platform that scales with you.
Looking ahead
Enforcement is becoming more specific, more expensive, and harder to defer. Privacy programs built on visibility into where data actually lives, and what happens to it, will be better positioned than those still treating compliance as a periodic exercise.
DataGrail is built for exactly that kind of continuous, connected oversight. Request a demo to see what it looks like in practice.