Recent Litigation Under the California Consumer Privacy Act (CCPA)
Recent Litigation Under the California Consumer Privacy Act (CCPA)
Since the California Consumer Privacy Act (CCPA) took effect in January 2021, more than 50 lawsuits have been filed based fully or partially on the Act. When enacted, the CCPA became the first generally applicable data breach and privacy law, detailing obligations which businesses must fulfill regarding the collection and handling consumer data. Now, current cases that have been filed under it seek to determine the right to litigate and how its privacy and security standards will be handled within the court system.
The cases come in a variety of forms, with lawsuits pleading CCPA violations to various degrees of precision. Most of the suits allege a data breach and use the CCPA as a general means of asserting the violation. In these cases, plaintiffs have sought damages and restitution, as well as injunctive relief based upon the defendants’ alleged improper handling of data. These claims are often filed alongside the assertions of negligence, breach of contract, and other causes of action, including violation of California’s Unfair Competition Law (UCL).
Cases that assert a UCL violation typically justify the right to litigation by asserting that a violation of the CCPA is an automatic violation of the UCL, which includes “any unlawful, unfair, or fraudulent business act.” These claims are seeking court validation that the UCL can be an avenue for private action under the CCPA. This could provide approval to expand further upon CCPA enforcement, given the breadth of its provisions and the ability to echo a violation under the UCL.
The lawsuits brought more directly under provisions of the CCPA often have plaintiffs seeking injunctive relief and damages. One such case includes a plaintiff who alleges the defendant’s website collected more information than was disclosed or used personal information in a way that wasn’t included in their privacy policy. However, it appears that cases like this ignore the CCPA provisions that describe how an individual may take action only after specific data breaches. Some other cases with more specificity may also be under scrutiny, as plaintiffs may not have provided the required 30 day notice to the defendant before filing.
Some of the recent lawsuits avoid asserting their claims under provisions directly found in the CCPA, instead focusing on how the defendants used personal information and alleging a violation of state privacy rights. In these instances, their cases rely on the judicial system to determine liability with the CCPA.
Of those that specifically cited the CCPA, about half of the cases were connected to data breaches. Others included claims about consumer rights, noncompliance with the CCPA, and how the CCPA may become a pathway to enforcing other business and consumer relationship related legislation.
There were also cases of business-to-business litigation evident in recent months. One case of note included competing business which engaged in the marketing and sale of personal information. The plaintiff alleges that the defendant violated the CCPA by not providing consumers with sufficient notice of its privacy practices. This alleged act is asserted to have provided them with an unfair and unlawful advantage in their business practices and between their competition.
In January of 2019, the city of Los Angeles filed a lawsuit against The Weather Channel, alleging that it shared its mobile app users’ geolocation with third parties without providing sufficient notice. They cited this as a violation of the UCL due to unfair and fraudulent business practices. The utilization of the CCPA between businesses may bring rise to new levels and methods of case litigation under its provisions and relation to other business laws.
These cases may serve as a look into how broader cybersecurity measures are enforced and how they may be asserted as causes of action in private cases. Keeping up-to-date with the CCPA and how these cases unfold should provide valuable insight into the uncharted territory of evolving data handling practices, how consumers can act when their rights are violated, and what business can expect from the courts when found in violation.
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.