CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to post a “do not sell my personal information” link?

Bryan Cave Leighton Paisner


Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1  The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to include a “do not sell my personal information” link on the company’s homepage.2

The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3  Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery.  It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4

An amendment to the CCPA – Senate Bill 561 – has been proposed, which, if passed, would extend the private right of action and the ability for plaintiffs’ attorneys to seek statutory damages for all alleged violations of the CCPA.  While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review. 

The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to include a “do not sell my personal information” link, and it is unlikely that courts will permit such suits through the auspices of the UCL.  The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with a failure to include the opt-out link on webpages. 

For more information and resources about the CCPA visit 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar

1. Cal. Civil Code 1798.150(a)(1).

2. Cal. Civil Code 1798.135(a)(1). Note, however, that the CCPA permits the California Attorney General to pursue civil penalties.

3. Cal. Bus. & Prof. Code 17200.

4. Cal. Civil Code 1798.150(c).

[View source.]

Written by:

Bryan Cave Leighton Paisner

Bryan Cave Leighton Paisner on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide