An early review of litigation trends under the CCPA

Among the most watched provisions in the California Consumer Privacy Act (Civil Code Sections 1798.100-1798.199) is its private right of action for certain breaches of Californians' "nonencrypted and nonredacted personal information." In data breach class actions filed before the CCPA's Jan. 1, 2020, operative date, the challenges plaintiffs faced in showing actual damages resulted in settlements with low payouts: Depending on how you count, recovery can be less than $2 per class member, and often much lower. The CCPA gives California residents who can meet the act's requirements the possibility of recovering between $100 and $750 in statutory damages "per consumer per incident or actual damages, whichever is greater." So to say that the CCPA could dramatically increase companies' exposure is an understatement.

It is no surprise, then, that consumers have already filed many lawsuits seeking statutory damages under the CCPA -- and that almost all of the cases seek to drastically expand the CCPA's private right of action provision. Nearly 50 cases have been filed seeking damages under the CCPA, either in connection with data breaches or based on alleged violations of the act's other consumer rights (with even more using the CCPA to add context to other privacy-related claims). In these cases, plaintiffs are challenging the limits of the CCPA's private right of action in every way they can. Given the early stages that all of these cases are in, no court has yet weighed in on plaintiffs' efforts to expand the scope of the private right of action.

First, plaintiffs are seeking to apply the CCPA retroactively. By its plain terms, the substantive provisions of the CCPA became operative only on Jan. 1, 2020. Nevertheless, a number of cases purport to state claims based on alleged data breaches or other conduct that occurred before Jan. 1, 2020. Based on the plain text of the CCPA, and case law establishing that California follows the "time-honored principle that in the absence of an express retroactivity provision, a statute will not be applied retroactively unless it is very clear from extrinsic sources that the Legislature must have intended a retroactive application" (see, e.g., People v. Brown, 54 Cal. 4th 314, 319-20 (2012)), one would expect courts to reject any effort to find the CCPA retroactive. That's all the more true, since the Legislature made clear its intention to make the CCPA operative only after Jan. 1, 2020, not before that date.

Second, plaintiffs are seeking to apply the CCPA beyond its geographic limits. The CCPA offers its private right of action to "[a]ny consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." The act limits the definition of "consumer" to "a natural person who is a California resident." Yet non-California resident plaintiffs nonetheless purport to assert claims under the CCPA on behalf of themselves and for residents of other states.

Third, and perhaps most significantly, plaintiffs are ignoring that the CCPA limits the kinds of violations on which the private right of action can be based. The CCPA explicitly limits the scope of the private right of action "only to violations as defined in [Section 1798.150(a)]" and prohibits claims under the private right of action based on "violations of any other section of [the act]." The violation defined in Section 1798.150(a) is a "business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." Nevertheless, at least nine cases have been filed purporting to predicate a CCPA private right of action on other violations of the act, such as violations around consumer rights to know or opt out of the sale of their personal information. Plaintiffs are bringing these claims notwithstanding the textual limitation of the private right of action to a violation of the "duty to implement and maintain reasonable security procedures and practices."

Finally, plaintiffs are seeking to use the CCPA as the standard of care, or as establishing protected privacy interests, for other statutory or common law claims. In at least 19 cases, plaintiffs cite the CCPA as the legal predicate for a claim under California's Unfair Competition Law or as support for a common-law invasion of privacy claim. Again, the text of the CCPA (and its legislative history) seems to plainly foreclose such claims: "Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law."

So what do we know about the CCPA's private right of action, based on current litigation trends? Only that the answers the CCPA seemingly provided to questions about the scope of its private right of action are being challenged, despite the clear text of the statute and its legislative history, which is marked by failed attempts to expand the private right of action to "any" violation of the CCPA. And while courts presiding over dozens of cases may resolve those challenges, so far courts have provided no guidance. For now, we continue to wait to see how strictly courts will construe the CCPA, keeping our eye on a growing list of cases testing the limits of the CCPA.