There is a persistent assumption that consent management platforms are only necessary under opt-in regimes like GDPR. If CCPA only requires opt-out, the thinking goes, you can let pixels fire freely and just provide an opt-out link somewhere on the site.
The March 2026 ruling in Allison v. PHH Mortgage exposes exactly why that assumption fails. The Northern District of California held that CCPA's private right of action under § 1798.150 covers unauthorized tracking pixel disclosures — not just traditional data breaches. Opt-out mode does not mean unmanaged mode.
Allison v. PHH Mortgage: Opt-Out Does Not Mean Unmanaged
PHH Mortgage argued that § 1798.150 only covers external data breaches — hackers stealing files, not the business's own pixels sending data to Meta or Google. The court rejected that reading: "[n]othing in the plain language of the provision limits its application to data breaches."
The plaintiff alleged that PHH Mortgage's website fired tracking technologies that disclosed personal information to third parties without authorization. The court found that a business disclosing data through its own tracking infrastructure falls within the statute's plain language, opening the door to statutory damages of $100–$750 per consumer per incident. Two earlier cases, Shah v. Capital One Financial Corp. and M.G. v. Therapymatch Inc., had pointed in this direction. Allison provides the most thorough statutory analysis to date.
CCPA remains primarily an opt-out regime. A pixel firing before a banner click is not automatically a CCPA violation just because the user did not affirmatively consent. That is a GDPR analysis, not a CCPA one. The CCPA baseline requires notice at collection, a functioning opt-out mechanism that honors Global Privacy Control signals, and vendor contracts that properly classify recipients as service providers or third parties.
The Allison theory does not require opt-in consent. It requires that the disclosure was authorized — meaning properly noticed, properly scoped, and properly controllable when a user exercises their opt-out right. Those are operational requirements that cannot be met with a static link buried in a privacy policy page.
There are narrower scenarios where CCPA does require affirmative consent — sensitive personal information, minors under 16, financial incentives, and re-opting-in a consumer who previously opted out. If your pixels capture SPI categories like health data or precise geolocation, you are in opt-in territory regardless of the general framework. But even outside those carve-outs, the opt-out baseline itself demands real-time enforcement infrastructure.
Under the Allison theory, plaintiffs can frame a pixel disclosure as unauthorized without invoking GDPR-style consent. The four paths that have emerged in litigation each point to a different operational failure.
The first is incomplete notice at collection. If your privacy disclosures do not specifically identify that user data is being sent to Meta, Google, TikTok, or other platforms via pixels, the disclosure is not authorized. Generic language about "advertising partners" is insufficient. The notice must describe the actual data flows.
The second is ignored opt-out signals. When a user sends a GPC signal or clicks "Do Not Sell" and the pixel keeps firing, that continued disclosure is unauthorized and now actionable under § 1798.150 with statutory damages.
The third — and the one doing the most doctrinal work — is that the pixel recipient does not qualify as a service provider. Meta, Google Ads, and TikTok typically retain contractual rights to use pixel data for their own purposes: model training, ad optimization, profile enrichment. Under CCPA, that makes them third parties, and the data transfer constitutes a "sale" or "share" subject to opt-out obligations. The Taylor v. ConverseNow court went further, holding that even contractual capability for the vendor to use data for its own purposes destroys the service-provider safe harbor.
The fourth is mishandled sensitive personal information. If page URLs reveal health conditions, financial product interests, or other SPI categories, pixels firing on those pages transmit SPI to third parties without honoring the consumer's right to limit such use.
Plaintiffs are now combining CCPA § 1798.150 claims with California Invasion of Privacy Act (CIPA) claims in single complaints. The same facts support both theories. CIPA treats the interception itself as a wiretapping violation. CCPA treats the unauthorized disclosure as the violation. Stacked claims compound exposure and make early dismissal harder because a defendant who defeats one legal theory still faces the other.
Each of the four Allison theories points to a requirement that cannot be met without tag management infrastructure. This is not a matter of legal caution — it is a matter of basic operational capability.
When a visitor opts out, every pixel that constitutes a sale or share must stop firing for that session immediately. Not on the next page load, not after a cache refresh, but within the same interaction. Without a CMP controlling your tag layer, there is no mechanism to enforce this. The opt-out link exists, but nothing connects it to the pixels actually running in the browser.
Proving that a disclosure was authorized at the moment it occurred is now a factual question with real evidentiary demands. If a plaintiff claims their data was sent to Meta after they opted out, your defense depends on documented proof of the consent state and pixel suppression at that specific timestamp. A CMP generates these records automatically and continuously. A standalone opt-out page generates nothing.
You also cannot give accurate notice at collection if you do not know which third-party tags are active on your pages, what data they transmit, and to whom. Most sites accumulate tracking tags over time as marketing teams add vendors. Without systematic scanning, your privacy notice almost certainly does not match your actual data flows — and that mismatch is itself one of the Allison theories.
Not all vendors are equal under CCPA. Some qualify as service providers; others are third parties. The rules differ for each. A CMP lets you apply different firing rules based on each vendor's actual contractual status — continuing service-provider tags while suppressing third-party pixels for opted-out users.
UniConsent was built around the principle that consent signals must control tag behavior at the execution layer, not just record preferences in a database. Several specific features map directly to the operational requirements that this ruling creates.
The tag gating system ensures that no third-party pixel fires until the user's consent state is resolved. In opt-out mode, this means pixels fire by default for users who have not opted out, but are suppressed in real time the moment a user exercises their right. The suppression applies within the same page session, closing the timing gap that plaintiffs exploit.
UniConsent's Global Privacy Control integration detects GPC signals at the browser level and syncs them with the IAB CCPA framework and vendor-specific consent signals. When a California user's browser sends a GPC signal, UniConsent interprets it as an opt-out of sale and sharing and applies that signal across all connected vendors without requiring any additional user interaction. This is the mechanism that prevents the "opt-out was ignored" theory from gaining traction.
The cookie scanner maps every active tracker on your site, identifies the vendors receiving data, and documents the data flows. This gives you the raw information needed to write notice-at-collection disclosures that actually match your site's behavior. Running the scanner periodically catches new tags that marketing teams add, preventing the notice-reality gap from reopening.
UniConsent maintains timestamped consent records structured for regulatory and litigation audit. Each record documents what the user was shown, what choice they made, and what tag behavior resulted from that choice. This audit trail is the evidentiary foundation for defending against claims like the one in Allison. The consent data validator checks that these records are correctly structured and internally consistent.
The vendor categorization system within UniConsent allows you to classify each tag as belonging to a service provider or a third party based on the actual contractual relationship. Third-party tags are automatically subject to opt-out suppression. Service-provider tags continue to fire. This distinction, applied at the tag management layer rather than in a legal document, is what makes the service-provider defense operationally real rather than merely contractual.
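The gating requirements described above (same-session opt-out enforcement, GPC handling, per-vendor classification, and timestamped records) can be sketched as follows. This is an added example, not UniConsent's code or API; the vendor ids, roles, reason strings, and the rule that holds third-party tags back on SPI pages are assumptions made for illustration.

```javascript
// Added example. Vendor ids and roles are constructed; roles would come from contract review.
const VENDORS = [
  { id: "analytics-sp", role: "service_provider" }, // contract bars own-purpose use
  { id: "ads-pixel-a", role: "third_party" },       // transfer is a "sale" or "share"
  { id: "new-widget" },                             // unclassified: treated as third party
];

// Resolve the opt-out state. In a browser, `gpc` is navigator.globalPrivacyControl.
function resolveOptOut({ gpc, doNotSellClicked }) {
  if (gpc === true) return { optedOut: true, source: "gpc" };
  if (doNotSellClicked === true) return { optedOut: true, source: "do_not_sell" };
  return { optedOut: false, source: "none" };
}

// Decide, per tag, whether it may fire now, and append a timestamped audit record.
// `spiPage` marks URLs that reveal sensitive personal information (assumption:
// third-party tags are held back there unless a separate opt-in flow allows them).
function gateTags(vendors, signals, spiPage, auditLog, now = new Date()) {
  const state = resolveOptOut(signals);
  return vendors.map((v) => {
    // Fail closed: anything not explicitly a service provider is a third party.
    const role = v.role === "service_provider" ? "service_provider" : "third_party";
    let allowed = true;
    let reason = "no_opt_out";
    if (role === "service_provider") reason = "service_provider";
    else if (state.optedOut) { allowed = false; reason = "opt_out:" + state.source; }
    else if (spiPage) { allowed = false; reason = "spi_page"; }
    const record = { ts: now.toISOString(), vendor: v.id, role, allowed, reason };
    auditLog.push(record);
    return record;
  });
}

// Constructed session: a page view with no signals, then the user clicks "Do Not Sell".
const log = [];
const before = gateTags(VENDORS, { gpc: false, doNotSellClicked: false }, false, log);
const after = gateTags(VENDORS, { gpc: false, doNotSellClicked: true }, false, log);
console.log(before.map((r) => `${r.vendor}:${r.allowed}`).join(" "));
console.log(after.map((r) => `${r.vendor}:${r.reason}`).join(" "));
```

Re-running the gate whenever the signal changes, rather than only at page load, is what closes the same-session timing gap; the appended records are the per-timestamp evidence of what each tag was allowed to do.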
After Allison, four questions need defensible answers. Does your notice at collection specifically identify the third parties receiving data through pixels? Are GPC signals and opt-out requests actually suppressing pixels in the browser, not just updating a database entry? Do your vendor contracts genuinely restrict the recipient from using data for their own purposes — and does your tag infrastructure reflect that classification? Are pixels on pages with SPI-relevant URLs subject to additional controls?
If any of those answers is "no," a plaintiff now has a CCPA private-right-of-action hook with statutory damages on top of any CIPA wiretapping claim. The fix is not to switch to GDPR-style opt-in. The fix is to make your opt-out infrastructure actually work — with a consent management platform that enforces the signals your site promises to respect.
UniConsent is part of Transfon's privacy-first User Experience Platform, which serves tens of millions of users per day and provides a seamless privacy experience for both users and publishers in the post-GDPR era. Contact us to learn more: hello@uniconsent.com