I'm not exactly clear from the website article on the exact architecture of the Superfish MITM software setup, but if it's acting as a proxy and is intercepting all traffic without informed user consent then there has to be a privacy aspect here - they may be processing private information and so the Data Protection Act could come into play.
If Superfish were masquerading as other businesses via certificates issued under their root certificate then I wonder if the other businesses would have a cause of action in terms of passing off. Certainly if I was Bank of America or any other business offering services via https or suchlike then I'd be pi**ed off about the potential damage to my reputation and business if customers knew that I would do nothing about other people pretending to be me and intercepting private sessions with my customers. Any EULA the consumer nominally agreed to would be irrelevant in terms of whether or not an act of passing off had occurred.
I would also wonder about copyright infringement - by modifying webpages users were requesting to display ads for other "similar" products, and doing that without the consent of the copyright owner, then that might be an unauthorised adaptation of the copyright work (the webpage).
As other commentards have said, roll on DNSSEC.