What Did the Allison v. PHH Mortgage Ruling Change?
The Allison v. PHH Mortgage case just reclassified something developers drop into every site without thinking: tracking pixels. A California court ruled that PHH Mortgage violated the CCPA by sharing user data through third-party trackers without proper consent mechanisms. The kicker? PHH thought their privacy policy covered it.
It didn't.
This wasn't about malicious intent. PHH used standard analytics and advertising pixels — Meta Pixel, Google Analytics, the usual suspects. The court said that constitutes "selling" personal information under CCPA, even when no money changes hands directly. If you're running these tools on a site with California users and you haven't implemented explicit opt-out mechanisms, you're in the same boat.
The ruling exposes a gap most teams ignore: privacy policies aren't consent mechanisms. You need actual technical controls. A privacy policy that says "we share data with partners" doesn't satisfy CCPA's opt-out requirement when those partners get data automatically through client-side pixels. The law demands you give users the ability to prevent that sharing before it happens.
How Do Tracking Pixels Violate CCPA Requirements?
Figure: how tracking pixels violate CCPA by sharing data before opt-out.
CCPA defines "sale" broadly: any disclosure of personal information to a third party for valuable consideration. Courts have consistently ruled that behavioral advertising qualifies, even when you're not invoicing Meta for the data. The exchange is simple — you give them user behavior, they give you targeting capabilities. That's a sale.
Tracking pixels fire on page load. They collect IP addresses, browser fingerprints, page views, click patterns, and session data. Then they send it to third-party servers. Under CCPA, California residents must have a clear way to opt out of these sales. Not a privacy policy acknowledgment. Not a cookie banner that says "we use cookies." An actual "Do Not Sell My Personal Information" mechanism.
The PHH ruling makes it explicit: if your pixels fire before a user can opt out, you're violating CCPA. That affects:
- Meta Pixel on marketing sites
- Google Analytics tracking code
- LinkedIn Insight Tag
- Twitter/X conversion pixels
- TikTok Pixel
- Any analytics tool that shares data with the vendor's other customers
Most implementations fail this test. They load pixels in the <head>, fire on page load, and consider a privacy policy link in the footer sufficient compliance. It's not. According to the CCPA risk assessment requirements, you need documented consent mechanisms and data flow controls.
What Should Developers Do About Third-Party Analytics Now?
Three options, none perfect:
Option 1: Implement proper consent management. Use a consent management platform that blocks pixels until users explicitly allow them. This requires:
- Blocking script execution until consent is granted
- Providing a clear "Do Not Sell" link
- Documenting which vendors receive data
- Maintaining consent records for compliance audits
This works but degrades your analytics. Expect 40-60% of users to either decline or ignore the prompt, creating blind spots in your data.
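A minimal sketch of the blocking behaviour Option 1 describes, as an added example that is not code from the article or from any consent management platform. The storage key, tag list, `.example` hosts and `env` wrapper are hypothetical, and treating the browser's Global Privacy Control signal as an opt-out is an assumption of this example.

```javascript
// Added example (not the article's code). `env` abstracts the browser:
//   env.gpc          -> navigator.globalPrivacyControl
//   env.storage      -> localStorage-like object
//   env.injectScript -> appends <script src=...> to the document
const CONSENT_KEY = "sale_sharing_choice"; // hypothetical storage key

// Constructed sample tags; the .example hosts are placeholders.
const SAMPLE_TAGS = [
  { vendor: "ads-pixel", src: "https://pixel.ads-vendor.example/tag.js" },
  { vendor: "analytics", src: "https://cdn.analytics-vendor.example/a.js" },
];

function createConsentGate(env, tags) {
  const loaded = new Set();
  const records = []; // consent records to persist server-side for audits

  function choice() {
    // Assumption: a Global Privacy Control signal is treated as an opt-out
    // and overrides any stored opt-in.
    if (env.gpc === true) return "opt_out";
    return env.storage.getItem(CONSENT_KEY) || "unset";
  }

  // Safe to call on every page load: injects nothing unless opted in.
  function loadAllowed() {
    if (choice() !== "opt_in") return [];
    const fired = [];
    for (const tag of tags) {
      if (loaded.has(tag.vendor)) continue; // never inject a tag twice
      env.injectScript(tag.src);
      loaded.add(tag.vendor);
      fired.push(tag.vendor);
    }
    return fired;
  }

  function record(value, source) {
    env.storage.setItem(CONSENT_KEY, value);
    records.push({ value, source, at: new Date().toISOString(),
                   vendors: tags.map((t) => t.vendor) });
  }

  return {
    choice, loadAllowed, records,
    optIn() { record("opt_in", "banner"); return loadAllowed(); },
    // Handler for the "Do Not Sell My Personal Information" link.
    doNotSell() { record("opt_out", "do_not_sell_link"); return []; },
  };
}
```

Tags that were already injected keep running until the page is left, so an opt-out recorded mid-session takes full effect on the next navigation.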
Option 2: Switch to server-side tracking. Move pixel functionality to your backend. You collect the data, then decide what to forward to third parties based on user consent. This gives you control but requires infrastructure. You're now responsible for:
- Building consent logic into your tracking pipeline
- Proxying requests to analytics vendors
- Filtering out data from opted-out users
- Managing the compliance burden yourself
Server-side tracking is technically compliant, but it's also technically complex. Small teams struggle to implement it correctly.
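The consent filter at the centre of Option 2, sketched as an added example that is not code from the article or from any vendor. The destination names, event fields and consent-store shape are hypothetical, and treating users with no consent record as opted out is a design choice of this example.

```javascript
// Added example (not the article's code); every name here is hypothetical.
// Each destination declares whether it is a third party for "sale" purposes
// and which event fields it is allowed to receive.
const DESTINATIONS = {
  ads_vendor: { thirdParty: true, fields: ["event", "page", "ts"] },
  internal_analytics: { thirdParty: false, fields: ["event", "page", "ts", "userId"] },
};

// Constructed consent store: userId -> opt-out state.
const SAMPLE_CONSENT = new Map([
  ["u1", { doNotSell: false }],
  ["u2", { doNotSell: true }],
]);

// Copy only allowlisted fields, so IP and user agent never leave by accident.
function pick(event, fields) {
  const out = {};
  for (const f of fields) if (f in event) out[f] = event[f];
  return out;
}

// Decide where one collected event may go.
function routeEvent(event, consent, destinations = DESTINATIONS) {
  const rec = consent.get(event.userId);
  // Fail closed: an unknown user is treated like an opted-out user.
  const maySell = rec !== undefined && rec.doNotSell === false;
  const deliveries = [];
  for (const [name, dest] of Object.entries(destinations)) {
    if (dest.thirdParty && !maySell) continue;
    deliveries.push({ destination: name, payload: pick(event, dest.fields) });
  }
  return deliveries;
}

// Route a batch and count suppressed events per destination,
// which is useful evidence when the pipeline is audited.
function routeBatch(events, consent, destinations = DESTINATIONS) {
  const sent = [];
  const suppressed = {};
  for (const ev of events) {
    const deliveries = routeEvent(ev, consent, destinations);
    const reached = new Set(deliveries.map((d) => d.destination));
    for (const name of Object.keys(destinations)) {
      if (!reached.has(name)) suppressed[name] = (suppressed[name] || 0) + 1;
    }
    sent.push(...deliveries);
  }
  return { sent, suppressed };
}
```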
Option 3: Ditch behavioral tracking entirely. Use privacy-focused analytics that don't share data with third parties. Tools like Plausible, Fathom, or self-hosted Matomo never send user data to other customers. They don't trigger CCPA's "sale" definition.
The tradeoff: you lose retargeting pixels, conversion tracking, and cross-platform attribution. If your business model depends on Meta ads, this isn't viable.
Before you make changes, scan your site free to see exactly which tracking scripts are firing. Most teams underestimate how many third-party requests their pages make. The cookie scanner reveals what data those pixels actually collect — it's often more than you think.
Why Privacy Policies Don't Protect You Anymore
PHH Mortgage had a privacy policy. It disclosed data sharing with third parties. It explained how behavioral advertising worked. The court didn't care.
The ruling clarifies that CCPA requires actionable controls, not just disclosure. A privacy policy that says "we may share your data" doesn't give users the ability to prevent that sharing. That's the compliance gap.
This has downstream implications. If you're using AI coding tools to build sites quickly, you're probably inheriting tracking patterns without reviewing them. We've seen this with AI-built apps that collect data without documenting it. The code works, the pixels fire, and nobody checks what they're sending until a compliance audit happens.
The PHH ruling makes those oversights expensive. CCPA penalties start at $2,500 per violation. Each user whose data gets shared without proper opt-out mechanisms is a separate violation. Do the math on your monthly active users.
If you're shipping fast, this needs to be part of your launch checklist. Not after you have traction — before you collect a single data point from California users. Because once you're processing that data without compliant controls, you're already liable.