What is the statute of limitations for claims brought pursuant to the CCPA?

The CCPA itself does not contain a limitations period, but, like many states, California has, within its rules of civil procedure, omnibus limitations periods that apply to statutes for which a limitations period is not otherwise set.  That source gives two possibilities depending upon the type of suit initiated:

• Four Years.  Code of Civil Procedure section 343, is the "catch-all" statute of limitations, providing that "an action for relief not hereinbefore provided for must be commenced within four years after the cause of action shall have accrued."  It is possible that someone (e.g., the AG) could argue that the limitations period runs for four years.  The net result is that if you were to do something like collect a consumer’s consent to transmit information to a third party (in order to take it out of the definition of “sale”), the best practice would be to keep the documentation of that consent for four years.
• Three Years.  Pursuant to Code of Civil Procedure section 338, subdivision (a), the default statute of limitations that generally applies to actions for personal injuries based on statutory violations is three years.  Specifically, it applies to “[a]n action upon a liability created by statute ....” Code Civ. Proc., § 338, subd. (a).  The net result is that if a consumer is given a private right of action (or figures out a workaround to create a private right of action), their period for filing suit would likely be three years. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.