Update: July 2020 California Consumer Privacy Act (“CCPA”) Litigation Tracker

Bryan Cave Leighton Paisner

Current trends in litigation stemming from the CCPA

As of January 1, 2020, California became the first state to permit residents whose sensitive personal information is exposed in a data breach to seek statutory damages between $100-$750 per incident, even in the absence of any actual harm. Further, the California Attorney General may bring a civil action against any entity violating the CCPA, seeking an injunction and civil penalties between $2,500 (for each violation) and $7,500 (for each intentional violation).

As of this report, there have been 42 actions filed referencing the CCPA in some capacity, although not all of them relate to data breaches.  Moreover, only 15 of the 97 unique reports of data breaches reported to the California Attorney General in 2020 have resulted in CCPA-related litigation.  The remainder of the CCPA-related lawsuits either relate to a breach that was reported prior to 2020 (and, arguably, the CCPA violation alleged should fail), relate to an unreported breach, or do not relate to a data security incident.  For an updated list of the pending litigation through July 2020, please see BCLP’s CCPA Litigation Tracker.

So far, CCPA litigation continues to generally fall into three “buckets:”

  1. Data security breach. In many of these cases, Plaintiffs seek CCPA damages in connection with a data breach. Interestingly, at least one complaint seeks damages for a breach that occurred before the effective date of the CCPA. Multiple complaints were filed before the defendant company had the chance to respond to the statutorily-required 30 day notice to cure demand issued by plaintiffs. These complaints are likely testing the waters on how courts will interpret the CCPA’s private right of action for breaches.
  2. Data privacy. The CCPA does not currently provide consumers with the right to sue for a violation of its privacy (e.g., privacy notices, access rights, etc.) provisions. Nonetheless, there has been an uptick in complaints where the plaintiffs allege that the defendant failed to meet a requirement under CCPA, such as providing proper disclosure of privacy practices. Plaintiffs are seeking injunctive relief and damages.
  3. Miscellaneous references. In a few cases, the CCPA is not listed as a cause of action or claim for relief. Instead, the plaintiff typically alleges that the defendant company committed an “unlawful” business practice by failing to properly safeguard the plaintiff’s personal information, and as such, violated applicable laws, including the CCPA.

BCLP has produced a report analyzing data security breach class actions for the past several years. As detailed in our most recent report, the likelihood of being sued after a breach has remained between 4-6% year over year. With the passage of the CCPA, we are already seeing that begin to increase, although not perhaps at the rate expected.

The best defense to breach litigation is to prepare for and effectively respond when you have a breach. 

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bryan Cave Leighton Paisner | Attorney Advertising

Written by:

Bryan Cave Leighton Paisner

Bryan Cave Leighton Paisner on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.