The California Consumer Privacy Act of 2018 (“CCPA”) has been in effect for more than two years, and litigation trends are emerging. Specifically, 2021 saw a steep increase in cases filed, from 91 cases in 2020 to 145 cases in 2021, and this uptick is expected to continue.  As with most new laws and regulations, plaintiffs are testing the boundaries of the CCPA.  The increased filings is attributable to multiple factors, including more awareness of breaches partly due to more rigorous disclosure requirements, a more active Plaintiffs’ Bar, and a deeper understanding of how courts interpret CCPA claims.

In 2020, more than half of the class actions involving CCPA claims failed because they were outside of the scope of the CCPA’s private right of action.  Specifically, while the CCPA does significantly broaden consumer privacy rights, the private right of action only applies to individuals impacted by a data breach.  The failed claims in 2020 typically alleged that a business failed to provide one of the consumer rights under CCPA (i.e., the right to notice, the right to know, the right to opt out, the right to deletion).  By contrast, 90% of the 2021 CCPA cases specifically tied back to data breaches.

CCPA section 1798.150(a)(1) provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure” resulting from a business failing to “implement and maintain reasonable security procedures and practices.”  Damages available for a private right of action include a statutory amount between $100 and $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

There has also been a rise of class action lawsuits claiming companies violated the CCPA.  In 2021, there were at least 17 class settlements with CCPA claims that have received—or are awaiting—final court approval.  Each of these settlements involved a data breach or data security incident and no other privacy right claims.  The median settlement value was $2.6 million, with settlements ranging from $0.46 to $244 per class member and usually additional relief requirements, like credit monitoring or internal security enhancements.  One such class suit claimed that a consumer goods company failed to notify or protect customers when the company’s site was hacked, and customers later experienced fraudulent charges and other losses. Plaintiffs claim that, without the company’s “careless acts and omissions and the failure to protect customers’ data,” the data breach would not have occurred. In this case, the company settled for $4.35 million.

While the majority of these cases are still filed in the federal courts in California, given the CCPA’s extraterritorial jurisdiction, suits have been filed in 33 courts across 20 states.  The cases have come from multiple industries, including telecommunications, financial services, tech, healthcare, and hospitality.  Some notable trends have begun to emerge from this first wave of CCPA litigation:

1. Claims must be related to a data security incident or a data breach.As noted above, half of cases in 2020 were dismissed because they did not relate to a security incident.Notably, court are indicating that consumers may not use the CCPA as a predicate for other claims, including California’s Unfair Competition Law.

2. To form a basis of a claim, the security incident must have occurred after the CCPA became effective.Courts have ruled that the CCPA does not apply retroactively to any claims prior to January 1, 2020.

3. The CCPA cannot be used to limit discovery in a civil trial.Plaintiff in a civil case sought discovery that included the personal information of consumers, and the defendant objected claiming that the CCPA expanded protects the consumers’ personal information. The District Court in the Central District of California, however, has said that nothing in the CCPA presents a bar to civil discovery.

4. The question of whether a plaintiff must suffer actual injury from the security incident is still up for debate.For example, the Central District of California dismissed a class action because a breach exposed “essentially useless” information and the plaintiff failed to show injury. However, other courts have allowed claims to proceed without clear damages.

5. Courts are still shaping CCPA definitions. One defendant argued that a class action should be dismissed because they were a service provider and not a business under the CCPA.In that case, the U.S. District Court in South Carolina denied the motion to dismiss a CCPA-based claim because defendant is not insulated from liability just because it may qualify as a service provider.

While companies grapple with this rise in litigation, they will also be required to comply with the California Privacy Rights Act (“CPRA”), effective January 1, 2023, which expands protections afforded under the CCPA. The CPRA expands the definition of personal information to include email addresses with passwords or security questions and answers, which likewise expands obligations to report personal data breaches. In addition, when facing a state enforcement action, businesses will no longer have the CCPA’s 30-day cure period, and the CPRA provides discretionary enforcement authority to the California Attorney General and delegates administrative authority to the newly-established California Privacy Protection Agency.

There are several steps businesses can take to proactively comply with the CCPA. Most importantly, businesses should have safeguards in place to protect personal data and have mechanisms to respond to consumer requests.  Businesses should also provide an easily-accessible privacy notice that is updated annually and informs consumers about information collection and whether they have sold or transferred personal information. Finally, the CCPA and CPRA require businesses to have a way for individuals to opt-out of the sale or sharing of their personal data.

We will continue to closely monitor privacy developments in California and elsewhere. If you have a question about how to comply with privacy obligations under state, federal, or international law, Baker Botts attorneys can help.  Please reach out to any members of the Privacy and Data Security team for further assistance.

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.