Skip Repeated Content

Update: July 2020 California Consumer Privacy Act (“CCPA”) Litigation Tracker

Current trends in litigation stemming from the CCPA

July 7, 2020

As of January 1, 2020, California became the first state to permit residents whose sensitive personal information is exposed in a data breach to seek statutory damages between $100-$750 per incident, even in the absence of any actual harm. Further, the California Attorney General may bring a civil action against any entity violating the CCPA, seeking an injunction and civil penalties between $2,500 (for each violation) and $7,500 (for each intentional violation).

27 of the 89 unique reports of data breaches reported to the California Attorney General in 2020 have resulted in CCPA-related litigation in California.  To date, there have been 34 actions filed referencing the CCPA in some capacity.  For an updated list of the pending litigation through June 2020, please see BCLP’s CCPA Litigation Tracker.

So far, CCPA litigation continues to generally fall into three “buckets:”

  1. Data security breach. In many of these cases, Plaintiffs seek CCPA damages in connection with a data breach. Interestingly, at least one complaint seeks damages for a breach that occurred before the effective date of the CCPA. Multiple complaints were filed before the defendant company had the chance to respond to the statutorily-required 30 day notice to cure demand issued by plaintiffs. These complaints are likely testing the waters on how courts will interpret the CCPA’s private right of action for breaches.
  2. Data privacy. The CCPA does not currently provide consumers with the right to sue for a violation of its privacy (e.g., privacy notices, access rights, etc.) provisions. Nonetheless, there has been an uptick in complaints where the plaintiffs allege that the defendant failed to meet a requirement under CCPA, such as providing proper disclosure of privacy practices. Plaintiffs are seeking injunctive relief and damages.
  3. Miscellaneous references. In a few cases, the CCPA is not listed as a cause of action or claim for relief. Instead, the plaintiff typically alleges that the defendant company committed an “unlawful” business practice by failing to properly safeguard the plaintiff’s personal information, and as such, violated applicable laws, including the CCPA.

BCLP has produced a report analyzing data security breach class actions for the past several years. As detailed in our most recent report, the likelihood of being sued after a breach has remained between 4-6% year over year. With the passage of the CCPA, we are already seeing that begin to increase to approximately 30% of CA-Attorney General reported breaches.

The best defense to breach litigation is to prepare for and effectively respond when you have a breach. For additional information, BCLP’s Data Security Breach Handbook provides a practical and comprehensive guide breach response.  Click here for the handbook.  BCLP also works with clients to assess – and mitigate – risks by putting in place the policies, procedures, and protocols needed to address data security breach issues, and by conducting breach tabletop exercises with executive leadership teams.

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.