In data breach class actions filed before the California Consumer Privacy Act’s (CCPA) January 1, 2020 operative date, the challenges plaintiffs faced in showing actual damages resulted in settlements with low payouts; depending on how you count, recovery can be less than $2 per class member, and often much lower. The CCPA gives California residents who can meet the Act’s requirements the possibility of recovering between $100 and $750 in statutory damages “per consumer per incident or actual damages, whichever is greater.”[1] So has that changed the course of litigation and outcome of data breach cases filed under the CCPA?
It’s too early to tell.
Nearly 50 cases have been filed seeking damages under the CCPA, either in connection with data breaches or based on alleged violations of the Act’s other consumer rights (with even more using the CCPA to add context to other privacy-related claims). In these cases, plaintiffs are challenging the limits of the CCPA’s private right of action in every way they can:
- First, plaintiffs are seeking to apply the CCPA retroactively. By its plain terms, the substantive provisions of the CCPA became operative only on January 1, 2020.[2] Nevertheless, a number of cases purport to state claims based on alleged data breaches or other conduct that occurred before January 1, 2020. Based on the plain text of the CCPA, and case law establishing that California follows the “time-honored principle that in the absence of an express retroactivity provision, a statute will not be applied retroactively unless it is very clear from extrinsic sources that the Legislature must have intended a retroactive application,”[3] one would expect courts to reject any effort to find the CCPA retroactive.
- Second, plaintiffs are seeking to apply the CCPA beyond its geographic limits. The CCPA’s private right of action is available to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”[4] Under the Act, “consumer” is defined as “a natural person who is a California resident.”[5] Yet non-California resident plaintiffs nonetheless purport to assert claims under the CCPA on behalf of themselves and residents of other states.
- Third, plaintiffs are ignoring that the CCPA limits the kinds of violations on which the private right of action can be based. The CCPA explicitly limits the scope of the private right of action “only to violations as defined in [§1798.150(a)]” and prohibits claims under the private right of action based on “violations of any other section of [the Act].”[6] The violation defined in §1798.150(a) is a “business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”[7] Nevertheless, at least nine cases have been filed purporting to predicate a CCPA private right of action on other violations of the Act, such as violations around consumer rights to know or opt out of the sale of their personal information.[8] Plaintiffs are bringing these claims notwithstanding the textual limitation of the private right of action to a violation of the “duty to implement and maintain reasonable security procedures and practices.”[9]
- Finally, plaintiffs are seeking to use the CCPA as the standard of care for other statutory or common law claims. In at least 19 cases, plaintiffs cite the CCPA as the legal predicate for a claim under California’s Unfair Competition Law or as support for a common-law invasion of privacy claim. Again, the text of the CCPA (and its legislative history) plainly forecloses such claims: “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”[10]
Because all of these cases are still in their early stages, no court has yet weighed in on plaintiffs’ efforts to expand the scope of the private right of action. We expect courts to resolve these issues in 2021.
[1] Cal. Civ. Code § 1798.150(a)(1)(A).
[2] Cal. Civ. Code § 1798.198 (providing “this title”—meaning, Title 1.81.5, the California Consumer Privacy Act of 2018, §§ 1798.100-1798.199—“shall be operative January 1, 2020”); see also Cal. Civ. Code § 3 (“[n]o part of [this Code] is retroactive, unless expressly so declared.”).
[3] See, e.g., People v. Brown, 54 Cal. 4th 314, 319–20, 278 P.3d 1182, 1184–85 (2012), as modified on denial of reh’g (Sept. 12, 2012) (ellipses omitted) (quoting Evangelatos v. Superior Court, 44 Cal.3d 1188, 1208–09 (1988)).
[4] Cal. Civ. Code § 1798.150(a)(1).
[5] Cal. Civ. Code § 1798.140(g).
[6] Cal. Civ. Code § 1798.150(c).
[7] Cal. Civ. Code § 1798.150(a)(1).
[8] Cal. Civ. Code § 1798.100(b) (requiring notice of categories of collected PI and purposes); § 1798.110(c) (requiring disclosure of categories of PI collected, sources of PI, commercial purposes for which PI is collected or sold, and third parties with whom PI is shared); § 1798.115(c) (requiring disclosure of categories of PI sold, or whether PI has not been sold, and categories of PI disclosed for a business purpose, or whether PI has not been disclosed for a business purpose); § 1798.120(b) (requiring notice of sale and right to opt out of sale to third parties); and § 1798.135(a) (requiring “Do Not Sell My Personal Information” link on webpage and respecting consumer opt-outs).
[9] Cal. Civ. Code § 1798.150(a)(1).
[10] Cal. Civ. Code § 1798.150(c).