The California Consumer Privacy Act (CCPA) (Cal. Civil Code
§§1798.100 et. seq.) was enacted in 2018 and took effect on
January 1, 2020. California was the first state to enact landmark
privacy legislation of this scale, granting new privacy rights to
California consumers with respect to collection and handling of
their personal information by businesses. The CCPA requires the
California Attorney General to issue regulations by July 1, 2020
and enforce the Act no earlier than that date.
Due to its expansiveness, complexity, and lack of clarity, CCPA
has created huge litigation risks for businesses. The CCPA
provides a private right of action for data breaches with no
required showing of actual damages. The act allows recovery of
statutory damages between $100 and $750 “per consumer per
incident or actual damages, whichever is greater.” These can add
up quickly. For example, a data breach affecting 25,000
California residents could expose a business to almost $20
million in damages.
While the CCPA does not have a private right of action for claims
outside of data breaches, in initial lawsuits filed under CCPA,
plaintiffs are attempting enforce noncompliance under
California’s Unfair Competition Law (B&P Code, Section
17200), which treats technical violations of other laws as unfair
The intent behind the CCPA was not to include a broad
private right of action. There is language within the CCPA that
states the act should not be interpreted to provide a basis for a
private right of action under other laws.
CCPA and implementing regulations need to be revised to provide
needed clarifications and remove unreasonable burdens. CCPA
should also be revised to clarify and limit the private rights of
action available for alleged violations of its provisions. Absent
these reforms, CCPA will be the impetus for a next great wave of
unwarranted litigation in California.