The first wave of California Consumer Privacy Act (CCPA) litigation has started to roll in, with recent data breach lawsuits filed against large U.S. companies like Walmart, Zoom, Minted, TikTok, and Salesforce. The CCPA includes a private right of action, which allows consumers whose personal information is subject to a data breach resulting from a business’s failure to implement and maintain “reasonable safeguards” to seek damages. In addition to this type of claim, many of these initial complaints have included claims under various other legal theories. While it’s too early to tell how these suits will ultimately be resolved, it is worth taking note of some themes and legal questions we’ve seen so far.
- Federal Class Actions: Most, if not all, of the suits we’ve seen to date have been class actions filed in federal court. Seeing these complaints filed as class actions is not surprising, as the CCPA allows for statutory damages on a per-incident, per-customer basis. The formula for damages, coupled with the fact that consumers need not show actual harm to prevail, makes for an attractive class action claim. The more interesting procedural issue is whether the CCPA will be addressed by a federal court before it is addressed by a state court in California. The California AG may be incentivized to bring early enforcement actions before these claims are adjudicated in federal court, in order to set a precedent that would at least be binding in California.
- How to “Cure” a Breach, and Violations of CCPA Privacy Provisions: Another trend we have seen throughout these initial complaints is that many of these claims were filed by consumers prior to the expiration of the statutorily required 30-day notice and cure period. Under the CCPA, if a business responds to a plaintiff’s written notice and is able to “cure” the alleged violation, statutory damages may no longer be available. However, there is no guidance on how a data breach may be sufficiently “cured” (if at all), leaving many organizations that receive a notice to decide whether their response and the implementation of additional safeguards may do more harm than good (e.g., would the implementation of additional safeguards demonstrate that an organization did not have “reasonable” security measures in place to begin with?). Additionally, at least one of the initial suits alleges a data breach that occurred prior to the date that the CCPA went into effect, leaving organizations to wonder if previous breach notifications will resurface and result in new litigation. How these issues are ultimately resolved will impact how an organization prepares for, handles, and publicly communicates information related to a data breach in the future.
- Claims Under the CCPA’s Privacy Provisions and the CCPA as a Basis For Other Claims: Despite the CCPA’s private right of action being limited to data breaches, many of these initial suits have also tacked on claims relating to improper notice and violations of various data subject rights under the CCPA. Because the private right of action does not reach those provisions, many of these initial complaints have attempted to leverage the CCPA’s privacy provisions as a basis for other claims under California law (e.g., California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq.). In one of the initial complaints filed against the popular video-conferencing platform Zoom, for example, plaintiffs allege that failing to provide a proper CCPA privacy notice constitutes an unfair trade practice. Although the CCPA does prohibit the use of its provisions as the basis of a claim under other laws, it will be important to keep an eye on whether these claims are ultimately upheld. If so, it could essentially create a private right of action for any violation of the CCPA.
While the outcomes are still unknown, these initial suits will likely provide important insight as to how the CCPA may be interpreted by the courts. They also highlight the broad range of legal risks presented to businesses that are subject to the CCPA. For additional information or assistance complying with the CCPA or other privacy and security laws, please contact a member of the Michael Best Privacy & Security team.