In data breach class actions filed before the California Consumer Privacy Act’s (CCPA) January 1, 2020 operative date, the challenges plaintiffs faced in showing actual damages resulted in settlements with low payouts; depending on how you count, recovery can be less than $2 per class member, and often much lower. The CCPA gives California residents who can meet the Act’s requirements the possibility of recovering between $100 and $750 in statutory damages “per consumer per incident or actual damages, whichever is greater.”[1] So has that changed the course of litigation and outcome of data breach cases filed under the CCPA?
It’s too early to tell.
Nearly 50 cases have been filed seeking damages under the CCPA, either in connection with data breaches or based on alleged violations of the Act’s other consumer rights (with even more using the CCPA to add context to other privacy-related claims). In these cases, plaintiffs are challenging the limits of the CCPA’s private right of action in every way they can:
Given the early stages that all of these cases are in, no court has yet weighed in on plaintiffs’ efforts to expand the scope of the private right of action. We expect courts to resolve these issues in 2021.
[1] Cal. Civ. Code § 1798.150(a)(1)(A).
[2] Cal. Civ. Code § 1798.198 (providing “this title”—meaning, Title 1.81.5, the California Consumer Privacy Act of 2018, §§ 1798.100-1798.199—“shall be operative January 1, 2020”); see also Cal. Civ. Code § 3 (“[n]o part of [this Code] is retroactive, unless expressly so declared.”).
[3] See, e.g., People v. Brown, 54 Cal. 4th 314, 319–20, 278 P.3d 1182, 1184–85 (2012), as modified on denial of reh’g (Sept. 12, 2012) (ellipses omitted) (quoting Evangelatos v. Superior Court, 44 Cal.3d 1188, 1208–09 (1988)).
[4] Cal. Civ. Code § 1798.150(a)(1).
[5] Cal. Civ. Code § 1798.140(g).
[6] Cal. Civ. Code § 1798.150(c).
[7] Cal. Civ. Code § 1798.150(a)(1).
[8] Cal. Civ. Code § 1798.100(b) (requiring notice of categories of collected PI and purposes); § 1798.110(c) (requiring disclosure of categories of PI collected, sources of PI, commercial purposes for which PI is collected or sold, and third parties with whom PI is shared); § 1798.115(c) (requiring disclosure of categories of PI sold, or whether PI has not been sold, and categories of PI disclosed for a business purpose, or whether PI has not been disclosed for a business purpose); § 1798.120(b) (requiring notice of sale and right to opt out of sale to third parties); and § 1798.135(a) (requiring “Do Not Sell My Personal Information” link on webpage and respecting consumer opt-outs).
[9] Cal. Civ. Code § 1798.150(a)(1).
[10] Cal. Civ. Code § 1798.150(c).
Disclaimer
Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.