The California Consumer Privacy Act provided plaintiffs with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. Although the CCPA does not permit private suits with respect to alleged violations of the CCPA’s privacy (as opposed to security) provisions, the lack of a specified private right of action has not deterred some plaintiffs from filing suit.
During 2020, 73 class actions were filed in, or removed to, federal court and referenced either the “CCPA” or the “California Consumer Privacy Act.” Note that this represents only a portion of CCPA-related litigation as it does not include cases brought by individuals outside of the class action mechanism, or cases that were filed in state court and were not removed to a federal forum.
What industry is most at risk for CCPA litigation? Hint: It’s not what you think!
The California Consumer Privacy Act provided plaintiffs with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of information and are caused by a business’s failure to institute reasonable and appropriate security. Although the CCPA does not permit private suits with respect to alleged violations of the CCPA’s privacy (as opposed to security) provisions, the lack of a specified private right of action has not deterred some plaintiffs from filing suit. Based upon a review of federal class actions filed in 2020 that referenced either “CCPA” or “California Consumer Privacy Act,” plaintiffs focused most heavily on bringing CCPA-related lawsuits against the health care and health services industries. Indeed, nearly one in five class actions was filed against a health care-related company.