San Diego has quietly become one of the most active venues for California consumer privacy litigation, and Blood Hurst & O’Reardon, LLP — sometimes called BHO Law — is one of the firms most responsible for that distinction. Operating out of San Diego’s downtown financial district, this plaintiff-side consumer protection firm has built a practice at the intersection of California’s most powerful consumer protection statutes and the digital tracking technologies that define how modern businesses collect, analyze, and monetize user behavior. They join Swigart Law Firm, Jarrett Charo, & Shay Legal some of the most prolific privacy lawsuit filers in Southern California and Captain Compliance continues to lead the way to protect business owners and corporations from these claims.
Led by Timothy Blood, Leslie Hurst, and their partners, the firm brings together deep consumer protection litigation experience with a sophisticated understanding of how advertising pixels, analytics platforms, and behavioral tracking tools generate liability under California law. Their cases are not speculative — they are methodically constructed around the specific technologies deployed on defendants’ websites, the data those technologies capture, and the gap between what companies disclose and what they actually do.
About the Firm
Blood Hurst & O’Reardon focuses on plaintiff-side consumer class action litigation across consumer fraud, false advertising, product liability, and digital privacy. In the privacy space specifically, the firm has carved out a practice targeting companies whose websites deploy third-party tracking infrastructure — advertising pixels, analytics tags, session replay tools — without the consent mechanisms or disclosures California law requires.
Their target profile is broad by design. BHO Law’s tracking and pixel cases have reached digital media companies, e-commerce and retail platforms, healthcare information sites, and financial services businesses. The common thread across defendants is not industry — it is the presence of advertising technology operating on a consumer-facing website serving California users without a California-compliant consent framework underneath it.
The Legal Theories
CIPA Pen Register Claims — § 638.51
Blood Hurst & O’Reardon has been among the more active firms advancing pen register claims under the California Invasion of Privacy Act, arguing that standard tracking pixels and analytics tools — tools that capture IP addresses and browsing patterns and relay them to third parties — function as illegal pen registers under California law.
The pen register theory has faced significant pushback in California federal courts through 2024 and into 2025, with multiple judges narrowing its application to standard web analytics. BHO Law has continued advancing these claims where the underlying technology and factual record can be distinguished from the analytics tools courts have declined to reach. For businesses, the key lesson is that even tools widely considered routine — Google Analytics, Meta Pixel, Pinterest tags — have been the subject of pen register litigation, and the theory is not fully foreclosed.
California Unfair Competition Law — Business & Professions Code § 17200
The UCL is the foundation of most BHO Law digital tracking cases. It prohibits unlawful, unfair, and fraudulent business practices broadly — and critically, a UCL claim does not require proof that the underlying conduct violated a specific privacy statute. If a court finds that a tracking practice was unfair or inconsistent with reasonable consumer expectations, UCL liability can attach even where CIPA’s technical requirements are not met.
This makes the UCL a significant backstop. A company might successfully defeat a CIPA pen register claim on technical statutory grounds and still face UCL exposure for the same underlying conduct. BHO Law uses UCL claims as a durable layer in multi-theory complaints precisely because of this resilience.
CPRA Claims
As California’s privacy framework has expanded under the California Privacy Rights Act and the California Privacy Protection Agency, Blood Hurst & O’Reardon has incorporated CPRA-based theories into their tracking cases. Their CPRA claims typically allege that the transmission of user behavioral data to advertising platforms through pixels constitutes a “sale” or “sharing” of personal information under the CPRA’s expanded definitions — and that companies doing so without an accessible opt-out mechanism violate consumers’ statutory rights.
CPRA claims pair naturally with UCL claims: the failure to provide an adequate opt-out can simultaneously be a CPRA violation and an unlawful or unfair business practice under the UCL. Firms like BHO Law routinely stack both theories in the same complaint.
What They Target
BHO Law’s cases cluster around a specific technology profile:
- Third-party advertising pixels — Meta Pixel, Google Ads tags, Pinterest and Snapchat tags — that transmit behavioral data to advertising networks without explicit opt-in consent
- Analytics platforms collecting IP address data and browsing metadata without California-adequate disclosures
- Session replay and behavioral analytics tools operating without compliant consent mechanisms
- Any tracking infrastructure that enables the “sale” or “sharing” of personal information as defined under the CPRA without the required opt-out mechanism in place
A more recent and significant area of focus involves websites that handle health-adjacent user activity. When tracking pixels are present on pages where users search for medical conditions, view diagnosis-related content, or interact with health-related services, the data those pixels capture and transmit carries heightened sensitivity — and heightened legal exposure. BHO Law has brought cases specifically targeting this pattern, where standard advertising infrastructure on health-context pages creates CIPA, UCL, and potentially HIPAA-adjacent risk for the defendant.
What This Means for Your Business
Blood Hurst & O’Reardon’s practice creates concrete, specific risk for consumer-facing businesses, particularly those operating websites with standard advertising and analytics infrastructure:
The UCL is a wide net. Because UCL liability does not require a predicate statutory violation, digital tracking practices that are common, widespread, and not clearly illegal under any specific statute can still generate UCL exposure if a court finds them unfair or deceptive. The industry norm defense has limits.
CPRA compliance is a litigation defense, not just a regulatory obligation. Businesses that have implemented documented opt-out mechanisms, conducted data mapping, and built accurate privacy disclosures are materially harder to sue than those that have not. The compliance record matters in court, not just in front of regulators.
Multi-theory complaints increase settlement pressure. When a complaint alleges CIPA pen register violations, UCL unfairness, and CPRA opt-out failures simultaneously, the cost and complexity of defense increases substantially — even if individual theories are beatable. The combination is a deliberate litigation strategy.
Health-context tracking is a priority target. If your website touches health-related content in any capacity, the presence of advertising pixels on those pages is a specific, identified litigation risk. This is not a theoretical concern — it is the factual predicate for active cases.
Opt-out usability is a litigation variable. California consumers who cannot locate or successfully use a company’s opt-out mechanism are potential plaintiffs. The accessibility and functionality of privacy controls is not a UX consideration — it is a legal exposure factor.
Compliance Priorities
Audit your tracking infrastructure. Conduct a full inventory of every third-party tag, pixel, and analytics tool deployed on your website, the data each captures, and the parties each transmits data to. You cannot defend what you have not documented.
Implement a functional CPRA opt-out. A CPRA-compliant opt-out of sale and sharing must be clearly accessible from your homepage, must cover all categories of data sharing with advertising and analytics platforms, and must actually work. Decorative opt-outs that do not suppress data transmission are not a defense.
Upgrade your consent framework. Cookie consent banners that disclose categories generically, omit vendor names, or allow tracking to proceed before consent is given do not meet the standard BHO Law’s cases are litigated against. Consent must be specific, informed, and prior.
Prioritize health-context remediation. If your website handles any health-adjacent user activity, remove advertising pixels from those pages and implement explicit consent for any behavioral tracking that occurs in that context before doing anything else.
Review and update your privacy policy. Your policy must accurately describe every category of personal information collected, every purpose for collection, every third party with whom data is shared, and all consumer rights — including the right to opt out of sale and sharing. Policies that lag actual data practices create independent exposure.
Bottom Line
Blood Hurst & O’Reardon, LLP represents what plaintiff-side California privacy litigation looks like at its most developed — methodical case construction, multi-theory complaints built on CIPA, UCL, and CPRA in combination, and a consistent focus on the gap between what companies’ privacy policies say and what their tracking infrastructure actually does.
The compliance imperative their practice creates is not abstract. A documented, functional privacy program — accurate disclosures, working consent mechanisms, enforceable opt-out rights, and clean data mapping — is the most durable defense against the specific claims BHO Law pursues. Companies that treat privacy compliance as operational infrastructure rather than legal boilerplate are meaningfully less exposed.
