The scope of the CCPA’s Private Right of Action may be expanded
The impact of this right may go further than just data breach cases.
By Simon Frankel, Cortlin Lannin, Kathryn Cahoy and Rafael Reyneri of Covington & Burling.
The California Consumer Privacy Act (CCPA) is the first comprehensive privacy law of its kind in the United States. While the California Attorney General has sweeping enforcement power under the law, the private right of action in the CCPA is much more limited in scope. Nevertheless, since the law went into effect on 1 January 2020, several private plaintiffs have asserted claims under the CCPA, some seemingly seeking to expand the private right of action. This article analyzes certain trends reflected in these actions.
The CCPA’s limited private right of action
Although the CCPA contains a wide-ranging set of requirements, most cannot be enforced through the CCPA’s private right of action. That provision authorizes private civil suits only for consumers “whose nonencrypted and nonredacted personal information, as defined [by the California data breach law], is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures ... .” Cal. Civ. Code § 1798.150(a)(1). Put another way, a claim brought under the CCPA’s private right of action must satisfy four elements: