[co-author: Arabi Hassan]

This post is part of a series of articles we are doing on 2023 data protection litigation trends.

While the California Consumer Privacy Act (CCPA) is most known for its onerous privacy compliance obligations, the law also provides for a limited private right of action for certain data breaches. Section 1798.150(a)(1) of the CCPA allows consumers to sue a business if consumers’ “nonencrypted and nonredacted personal information” is subject to unauthorized access and exfiltration, theft, or disclosure caused by a business’s failure to “implement and maintain security procedures and practices.” Cal. Civ. Code. § 1798.150(a)(1). Damages available to consumers under this private right of action provision can be as high as $750 per violation. Courts can also provide consumers injunctive or declaratory relief and “any other relief the court deems proper.” Cal. Civ. Code. § 1798.150(a)(1)(B) and (C).

Plaintiffs have been testing this provision since the law went into effect in 2020, and 2023 was no different. In this article, we look at some notable litigation trends in cases brought under the California Consumer Privacy Act (CCPA) last year. Our key takeaways from the cases we reviewed involve the following include the following:

1. Courts analyzed companies’ specific privacy practices to determine if the data breach alleged in the lawsuit was a result of the company’s “failure to implement and maintain reasonable security procedures and practices,” as required by the CCPA.
2. Courts looked for substantial compliance with the CCPA’s right to cure provision, which provides companies with the opportunity to “cure” alleged violations before an affected consumer can bring a lawsuit against the company for violation of the CCPA.
3. While most cases where the CCPA’s private right of action is implicated involve a true data breach, consumers do not necessarily need to prove that a data breach occurred in order to move forward with a claim.

We have provided additional details on each of these takeaways below.

In addition to the law’s private right of action, companies should also be aware of CCPA enforcement by the California Attorney General (“California AG”) (and eventually by the California Privacy Protection Agency (CPPA)). The California AG’s office recently brought its second announced enforcement action under the law. It is likely that both the California AG and CPPA will significantly expand their enforcement actions under the law in the coming months.

2023 CCPA Litigation Trends

1. Cases discussing a business’s “failure to implement and maintain reasonable security procedures and practices”

Throughout the year, courts pointed to a wide array of different actions (or lack thereof) that demonstrated businesses’ “failure to implement and maintain reasonable security procedures and practices.” See Cal. Civ. Code. § 1798.150(a)(1).

For example, in Durgan v. U-Haul Int'l Inc., No. CV-22-01565-PHX-MTL, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023), the Court ruled that the Plaintiffs, who are customers of U-Haul, has sufficiently pleaded a violation of § 1798.150(a) by alleging that U-Haul International should have “destroyed the data it no longer had a reasonable need to maintain or only stored data in an Internet-accessible environment when there was a reasonable need ... to do so and with proper safeguards.” Plaintiffs also identify fourteen cybersecurity best-practices that Defendant should have followed but allegedly did not. The court also found that plaintiffs have sufficiently shown a causal connection between Defendant’s purported failure to implement reasonable security procedures and the hackers’ ability to infiltrate plaintiffs’ personal information. For example, if U-Haul had utilized an adequate filtering software, the phishing emails that caused the data breach would never have reached the employees’ inboxes.

2. Cases implicating the CCPA’s right to cure

Courts also addressed the CCPA’s right to cure provision. §1798.150 of the CCPA requires an affected consumer to give a business thirty days’ notice of a CCPA violation before initiating any lawsuit for individual or class-wide statutory damages. See Cal. Civ. Code. § 1798.150(b). If the business actually cures the noticed violation and informs the consumer in a written statement that the violations have been cured and no further violations will occur, the CCPA bars an individual or class-wide statutory damages action against the business.

It is important for businesses to actually cure the violations. In Florence v. Ord. Express, Inc., No. 22 C 7210, 2023 WL 3602248 (N.D. Ill. May 23, 2023), the Court found that, instead of curing the alleged violation in response to consumer’s notice, Defendant Order Express enhanced its security measures which amounted to the “implementation and maintenance of reasonable security procedures and practices”—rather than a cure—under § 1798.150(b). The Court also found that Order Express’ response to consumer’s notice did not explain how its enhanced security measures actually cured the alleged CCPA violation. For example, Order Express did not encrypt consumer’s personal identifying information or delete the information it no longer needed to maintain on its internet-accessible network.

Simply stating that the violation has been cured is not enough to prevent consumers from raising a CCPA claim in court. In Prutsman v. Nonstop Admin. & Ins. Servs., Inc., No. 23-CV-01131-VC, 2023 WL 5257696 (N.D. Cal. Aug. 16, 2023), the Court denies Defendant Nonstop Administration & Insurance Service’s argument that plaintiffs have failed to state a claim because Nonstop has already cured the alleged violations. Stating that the violations have been cured, however, “does not render implausible the plaintiffs’ allegations to the contrary.”

Another court made a distinction between circumstances where a notice is required and where it is not. In Guy v. Convergent Outsourcing, Inc., No. C22-1558 MJP, 2023 WL 4637318 (W.D. Wash. July 20, 2023), the Court clarifies that a pre-suit notice is not required where a consumer is seeking non-statutory damages. However, a pre-suit notice is required if a consumer is seeking statutory damages.

If a consumer sends a CCPA violation notice, companies should provide the complaining consumer with a written statement stating that the violations have been cured, explaining the steps taken to cure the violations, and assuring that no further violations will occur.

3. Cases that do not explicitly allege a data breach

A pair of cases against Wells Fargo in the Southern District of California indicate that the unauthorized access of a consumer’s personal information, even when not subject to true “data breach”, is sufficient to bring a claim under the CCPA’s private right of action.

In Alexander v. Wells Fargo Bank, N.A., No. 23-CV-617-DMS-BLM, 2023 WL 8358550 (S.D. Cal. Dec. 1, 2023) and Ramos v. Wells Fargo Bank, N.A., No. 23-CV-0757-L-BGS, 2023 WL 5310540 (S.D. Cal. Aug. 17, 2023), the Court disagreed with Wells Fargo that Plaintiffs failed to bring a claim under the CCPA because they did not allege that their information was disclosed as the result of a data breach. The Court held in Ramos that "[Wells Fargo] does not point to any authority that would require Plaintiff to plead that there was a data breach,” and found that Plaintiff sufficiently pled a claim under CCPA. Ramos, No. 23-CV-0757-L-BGS at 2. In both cases, Plaintiffs sufficiently pleaded a CCPA violation by alleging that, because of Wells Fargo’s failure to properly maintain Plaintiffs’ nonredacted and nonencrypted information, unknown individuals accessed and withdraw funds from their Wells Fargo bank accounts without Plaintiffs’ knowledge, permission, or authorization. Ramos, No. 23-CV-0757-L-BGS at 2; Alexander, No. 23-CV-617-DMS-BLM.