Litigation Case Claims Violation of CCPA Under Statutory Private Right of Action

Robinson+Cole Data Privacy + Security Insider

One of the most significant consumer rights offered by the new California Consumer Privacy Act (CCPA) is what we call the “private right of action” afforded by the law. A private right of action under a law basically means that if someone violates the law and a person is damaged, the person can assert a specific claim against the offender by citing the specific law. If the person damaged can prove that s/he was damaged and that the damage was caused by the one who violated the law, that person can potentially get past a Motion to Dismiss.

It is significant that CCPA provides a private right of action, and there has been much speculation about whether the CCPA will open the floodgates of litigation.

One of the first cases that specifically alleges a violation of CCPA was filed on March 10, 2020, in California federal court against Sunshine Behavioral Health Group, LLC (Sunshine). The suit alleges that Sunshine, a drug and alcohol rehabilitation facility, violated CCPA when it suffered a data breach in September of 2019 and did not have appropriate security measures in place. The Plaintiff, a resident of Pennsylvania, alleges that following the data breach (which affected 3,500 patients’ protected health information), someone tried to open a credit card account in his name and that he has received magazine subscriptions he did not order.

The plaintiff is attempting to represent a class of individuals affected by the data breach, and is seeking an order requiring Sunshine to implement “reasonable” security measures. It is unknown whether the plaintiff provided 30 days’ notice to Sunshine to implement security measures before the suit was filed, which is required under CCPA.

Nonetheless, we predict that there will be many more suits alleging a private right of action following a data breach under CCPA, and this case is a good reminder of the CCPA statutory requirement for companies to have appropriate security measures in place to protect personal information in their possession relating to California residents.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising
