Capital One Sent Your Job and Income to Meta
Its privacy policy said targeted advertising. It didn't say your preapproval status went to Facebook.
Introduction
Capital One told you it uses "targeted advertising." What it didn't tell you: when you typed your employment status, your income, and whether you'd been preapproved into a credit card application, that data went to Meta in real time, while the page was still loading. A federal judge looked at the gap between what the bank said and what the bank did, and kept the case alive. Trial is set for April 2027.
What the Application Page Was Actually Doing
The lawsuit is Shah v. Capital One Financial Corporation, filed in the Northern District of California in August 2024. The complaint runs 99 pages, and its central allegation is specific: Capital One had 11 tracking tools running on its website, including the Meta Pixel, Google, Microsoft, DoubleClick, Adobe, and Tealium. Those trackers sat on the pages where customers applied for credit cards and submitted financial information. Between November 30, 2023 and June 24, 2024, the complaint alleges, they transmitted that information to advertising platforms as customers entered it.
This wasn't a record of which pages you browsed. The complaint names employment information, bank account information, citizenship and dual-citizenship status, credit card preapproval and eligibility status, approval status, existing-customer status, and application status. That is your financial profile, captured at the exact moment you handed it to a bank, then routed to companies whose business is selling ads.
Here's why that matters more than a normal pixel story. Capital One is not a startup that got sloppy with a JavaScript snippet. It's a federally regulated bank, the third-largest U.S. Visa and Mastercard issuer as of 2023 per the complaint, and federal law gives it a specific duty. The Gramm-Leach-Bliley Act, Section 502, bars a financial institution from disclosing your nonpublic personal financial information to unaffiliated third parties unless it gives you notice and a real chance to opt out. Employment data, income, credit eligibility, the stuff you put on a credit card application, sits squarely inside the FDIC's definition of what that law protects. So this is a banking-accountability story before it's a tracking one. Capital One had a statutory bargain with every applicant, and it built an ad-tech data pipeline on top of the exact pages where that bargain was supposed to hold.
The Receipt Is Capital One's Own Privacy Policy
The strongest evidence here is what the bank itself wrote, and what a federal judge then said about it.
In March 2025, Judge Trina L. Thompson ruled on Capital One's motion to dismiss. Capital One's defense was consent: our privacy policy discloses targeted advertising, so customers agreed to this. The policy does say that. It tells customers that Capital One and "third-party providers may collect information about your activities on our Online Services and across different websites" for "targeted advertising purposes." Standard ad-targeting language. The kind most people skim past assuming it means their browsing got tracked.
The judge drew a line the bank's policy never had. The court found Capital One's policy disclosed general ad targeting but did not disclose that specific financial information, such as "employment information and credit card preapproval or approval status," was being shared with third parties. General browsing data is one thing. Your income and whether the bank approved your application is another, and the policy never said that second category was in play. The consent defense runs into trouble not because the policy ignored advertising, but because it got specific about browsing while staying quiet about the financial data that actually moved.
The same order kept the heavy claims alive: common-law negligence (using GLBA to establish the duty of care Capital One allegedly breached), the California Consumer Privacy Act, the California Invasion of Privacy Act, the Electronic Communications Privacy Act, and unjust enrichment. GLBA itself has no private right of action, so plaintiffs can't sue under it directly. What they did instead is use it as the floor: a federal statute already says a bank has a duty to protect this data, and breaching that duty through trackers is negligence. The CCPA piece is its own development. Legal commentators at Benesch flagged the ruling as a departure from prior interpretations, because the court treated pixel-based transmission as "unauthorized disclosure" actionable under the CCPA's private right of action, which had mostly been limited to traditional data breaches before.
Then there's the routing layer most coverage skips. Capital One didn't hand-install eleven separate trackers and babysit each one. It ran Tealium, a customer data platform that markets itself to banks and advertises more than 1,300 available integrations, including a direct Meta Conversions API connection. Tealium is the middleware: one implementation on the website, and visitor data fans out to dozens of ad-tech destinations at once. What Capital One stood up was infrastructure built to send the same financial data to dozens of buyers at once, not one careless pixel.
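A site owner can check for this kind of flow by submitting distinctive test values in a form, exporting the browser's network capture as a HAR file, and searching third-party requests for those values. The sketch below is an added example, not code from the complaint or from any company named here; the hostnames, field names and capture are constructed and do not reproduce any real tracker's payload format.

```javascript
// Constructed HAR-style capture (not real traffic); hostnames are placeholders.
const sampleHar = { log: { entries: [
  { request: { method: "POST", url: "https://apply.bank.example/api/submit",
      postData: { text: "employment=self-employed&income=84000" } } },
  { request: { method: "GET",
      url: "https://px.adnetwork.example/tr?ev=Lead&cd%5Bemployment%5D=self-employed&cd%5Bstatus%5D=preapproved" } },
  { request: { method: "POST", url: "https://collect.tagrouter.example/event",
      postData: { text: JSON.stringify({ page: "/apply", income_b64: btoa("84000") }) } } },
  { request: { method: "GET", url: "https://cdn.fonts.example/a.woff2" } },
] } };

// True when host is the first-party domain or one of its subdomains.
function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Percent-decode without throwing on malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch { return s; }
}

// Return [{host, method, leaked}] for third-party requests whose URL or body
// carries a test value in plain, percent-encoded or base64 form.
// Use distinctive test values: short numbers can match unrelated IDs.
function findFormLeaks(har, firstParty, canaries) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const host = new URL(request.url).hostname;
    if (isFirstParty(host, firstParty)) continue;
    const raw = request.url + "\n" + (request.postData?.text ?? "");
    const haystack = (raw + "\n" + safeDecode(raw)).toLowerCase();
    const leaked = Object.entries(canaries)
      .filter(([, v]) => haystack.includes(v.toLowerCase()) ||
                         raw.includes(btoa(v)))
      .map(([name]) => name);
    if (leaked.length) findings.push({ host, method: request.method, leaked });
  }
  return findings;
}

// Values the tester typed into the (hypothetical) application form.
const canaries = { employment: "self-employed", income: "84000", status: "preapproved" };
console.log(findFormLeaks(sampleHar, "bank.example", canaries));
```

Hashed or otherwise transformed values will not match this search, so an empty result narrows the question rather than settling it.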
Who Benefits
Start with Capital One, because the money is direct. The bank spent $4.01 billion on marketing in 2023, and its entire business is credit cards. A tracker on your application page closes a feedback loop most advertisers can only dream about: Capital One sees who clicked an ad, who started an application, who got approved, and what income bracket converts best. The complaint puts it plainly, alleging Capital One "utilized data from trackers to improve and to save costs on its marketing campaigns" and to attract new customers. Retarget the people who abandoned the form, then build lookalike audiences off approved applicants to find more of them.
Then Meta, which is the reason this data is worth sending. Meta's 2023 revenue was $134.9 billion, about 98% of it advertising, per its own filings cited in the complaint. A person filling out a credit card application is, by definition, a high-value ad target: financially active, income disclosed, creditworthiness signaled by the approval decision itself. Feeding that into Meta's targeting engine makes every one of those users more valuable to every other advertiser Meta sells to. Google, Adobe, and Microsoft sit in the same downstream seat, building behavioral profiles from the same flow. And Tealium gets paid for being the pipe, charging more as a client routes data to more destinations.
So the incentive runs both directions through one set of pixels. Capital One gets cheaper, sharper marketing for its own cards. Meta and the other ad platforms get financial-profile data they could not assemble on their own. The customer who typed in their income is the product moving between them, and the only one who didn't get notice that the specific data was changing hands.
The Fed Knew Before It Approved Discover
A federal agency already had these allegations in front of it, and approved the merger anyway.
In April 2025, the Federal Reserve approved Capital One's $35 billion acquisition of Discover. In the order's analysis of public comments, the Fed acknowledged the lawsuit directly, noting "a lawsuit alleging that Capital One improperly disclosed nonpublic personal information to third parties without consent," and recording that the litigation was ongoing with no adjudication of fault. The nation's top banking regulator had the data-sharing allegations in front of it, in writing, while signing off on a deal that made Capital One bigger. It did not block the merger on privacy grounds or attach data conditions. No OCC, FDIC, or FTC enforcement action against Capital One over the tracking has surfaced either. The civil suit is the only accountability mechanism currently in motion.
Capital One is also the test case for an industry. Wells Fargo and PNC are facing their own 2026 bank website-tracking suits, and more than 1,000 CIPA-based tracking lawsuits hit companies in California in 2025. That makes Capital One the bellwether for the sector, and whatever a jury or a settlement establishes about a regulated bank routing financial application data to ad networks becomes the reference point for the banks behind it.
The case isn't a guaranteed win for plaintiffs, and the honest version says so. The court already dismissed the California constitutional privacy claim, finding that disclosure of employment and credit eligibility data does not rise to an "egregious breach of social norms" under California's high bar. A separate Meta Pixel case involving tax-filing websites had class certification denied in April 2026, with the court demanding actual evidence that Meta collected specific plaintiffs' data rather than allegations about how pixels work. And on May 22, 2026, Judge Thompson dismissed named plaintiff Gary Ingraham, after he applied for more credit cards post-filing in a way that undercut his privacy claim. The case proceeds as a proposed class action with Deia Williams as the remaining named plaintiff, whom the court found had alleged injury enough to establish standing. No class has been certified. Trial is scheduled for April 2027.
The Bottom Line
Strip away the legal machinery and one fact carries the piece: a federally regulated bank wrote a privacy policy that disclosed "targeted advertising" in the abstract, then transmitted your employment status and your approval decision to Meta without telling you those specific things were leaving the building. The judge zeroed in on exactly that gap, where the policy got specific about harmless browsing data and stayed quiet about the sensitive financial data that actually moved — and that's the part heading to trial in April 2027.
The open question is whether GLBA's promise means anything when the breach happens through a pixel instead of a hack. The law was written for an era of paper statements and mailed notices, and it assumes the danger is a bank handing your file to a partner. Nobody drafting it in 1999 imagined the file would be transmitted in milliseconds, to a dozen ad platforms at once, before the page you were reading finished loading. A jury in 2027 gets the first real answer on whether that counts. The 99-page complaint lays out every data type Capital One allegedly sent and where it went, and it's worth reading before you fill out the next application form.