
Data breaches and website tracking technologies may seem like distinct privacy risks, but the California Supreme Court’s recent decision in J.M. v. Illuminate Education could affect litigation involving both. Businesses that collect sensitive information should review how they characterize, protect, and share that information, as plaintiffs will likely rely on the decision to challenge both cybersecurity practices and disclosures involving website tracking technologies.
The case arose from a cyberattack on a K-12 education software provider that stored student health-related information. A student filed a putative class action alleging violations of California’s Confidentiality of Medical Information Act (CMIA) and Customer Records Act (CRA). Although the California Supreme Court ultimately held that Illuminate was neither a covered health care provider under the CMIA nor subject to liability under the CRA because the plaintiff was not a “customer,” it adopted a broader standard for CMIA confidentiality claims. The Court held that actual viewing or misuse of compromised information is not required where a breach creates a significant risk of unauthorized access or use.
The broader significance of Illuminate is the Court’s focus on exposure to unauthorized access or use rather than proof that someone actually viewed the data. Plaintiffs will likely seek to extend that reasoning beyond CMIA claims and into litigation involving the California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), and website tracking technologies. In particular, plaintiffs may argue that liability can arise from the transmission of information through cookies and pixels without proof that anyone actually viewed the data, so long as the disclosure created a significant risk of unauthorized access or use.
Therefore, Illuminate should not be viewed as a case affecting only healthcare organizations or victims of data breaches. Its reasoning could ultimately affect virtually every California employer that maintains employee data and every website owner that collects personal information through cookies, pixels, or similar technologies.
Although the Court ultimately found that Illuminate was not covered by the CMIA, the decision highlights how statutory coverage arguments often turn on the nature of the information collected and how it is used. Businesses should review their products, services, privacy policies, and marketing materials to ensure they accurately describe the collection, use, and disclosure of health-related and other sensitive information. They should also document the types of data they collect and evaluate whether they are collecting more information than is reasonably necessary.
For example, a health-adjacent business may use cookies or pixels that track a user’s interactions with health-related webpages, leading plaintiffs to argue that sensitive health information was disclosed to third-party providers without authorization. The larger lesson is that businesses should not assume information is non-sensitive simply because it does not expressly identify a medical condition; plaintiffs increasingly rely on the context of collection to characterize seemingly routine data as sensitive.
The Court acknowledged that evolving cyber threats and automated technologies can facilitate unauthorized access or misuse without evidence that a human actor actually viewed the data. While the Court rejected a rule that any loss of data automatically establishes liability, it identified factors relevant to whether confidentiality was compromised, including the nature and extent of the breach, the duration of the exposure, mitigation efforts, and whether the loss resulted from negligence.
Businesses should therefore review, test, and document security controls, incident response procedures, and vendor management practices. Importantly, they should also avoid retaining sensitive information longer than necessary, as legacy data can increase both the scope of a security incident and resulting litigation risk.
Plaintiffs are likely to argue that they need not prove a third party actually viewed information collected through tracking technologies or exposed in a data breach. The Court’s focus on exposure to a significant risk of unauthorized access or use may prompt greater scrutiny of how businesses control access to personal information once it is shared outside the organization.
Businesses should review vendor relationships, data-sharing arrangements, access controls, and contractual restrictions governing personal information. Particular attention should be paid to what information is disclosed to third parties, who receives it, and whether those disclosures align with privacy notices, consent mechanisms, and consumer expectations.
The privacy litigation landscape will continue to evolve as plaintiffs test the boundaries of Illuminate and other privacy statutes. As businesses balance those litigation risks against their compliance obligations under laws such as the CCPA, they should remain focused on privacy-preserving practices that align with consumer expectations and protect personal information throughout its lifecycle.