More Lawsuits Are Being Filed Under California’s Influential Consumer Privacy Law

California’s consumer privacy law has only been in effect since 2020, but the number of lawsuits claiming businesses have violated it is climbing quickly—and they’re cropping up well beyond the borders of the Golden State.

Plaintiffs filed 145 lawsuits last year to enforce provisions under California’s Consumer Privacy Act (CCPA), a 60 percent increase from the 91 filed in 2020. That’s according to a report published Wednesday by Akin Gump Strauss Hauer & Feld, which found that the jump in litigation was also accompanied by a shift in strategy.

Under the law, which gives California consumers a number of unprecedented data protections—including the right to know what personal data businesses have collected on them and the right to prohibit the sale of that data—plaintiffs are permitted to bring a civil action only if their personal data is breached due to a business failing to implement reasonable security procedures and practices.

In 2020, more than half the consumer-based class-action lawsuits brought under the CCPA failed to meet this requirement. But that first year of court rulings evidently guided plaintiffs in the right direction: Most of the CCPA lawsuits filed in 2021 included claims that plaintiffs’ personal information was disclosed or stolen via a data breach.

Lawsuits alleging violations of the California law were also filed across the country, pending at one point in 33 courts across 20 states, according to the report.

While the law applies to entities doing business in California, even if their primary place of business is in another jurisdiction, “The CCPA doesn’t define what doing business in California means,” said Michelle Reed, a Dallas-based partner at Akin Gump who co-authored Wednesday’s report.

Reed, who is also co-head of the law firm’s cybersecurity, privacy, and data protection practice, noted that states throughout the country are considering similar consumer privacy legislation that allows private plaintiffs to sue. Colorado, Virginia, and Utah already have enacted their own laws, but none allows private plaintiffs to sue.

“The frequency with which plaintiffs bring action, the implications of having a private right of action, the implications of having statutory damages that are more easily calculated than more uncertain damages—all of those things come into play as the different states consider what their options are for enforcement and whether it’s private enforcement or whether it’s regulatory enforcement by the state,” Reed said.

While many plaintiffs in 2021 were able to hone their arguments based on what did and didn’t work in litigation in 2020, some questions remain, the report said. One notable question for in-house counsel concerns whether data service providers—entities that help businesses process consumers’ personal data—could be held liable for data breaches under the CCPA.

“If you were to ask, ‘OK, what are the three most interesting case law developments coming out of 2021?’ I [think] definitely service provider potential liability is number one,” said Natasha Kohne, a partner at Akin Gump’s San Francisco and Abu Dhabi offices who also co-authored the report.

“What is interesting is that the service providers are arguing that they are not liable under the private right of action in the CCPA,” which applies only to businesses and not data service providers, Kohne said.

“One court says you’re a service provider and a business at the same time … and then another court says you’re a service provider or you’re a business, depending on the hat you wear, and so therefore, because you’re a business, you can be sued under the CCPA,” Kohne said. “It’s interesting to see how the courts are bringing in these service providers and not dismissing them yet from the case.”

Reed added, “There’s conflicting decisions on how [the private right of action provision is] being interpreted. There’s nothing that’s controlling, so I think this is going to be an area where we see a lot of action. But it’s certainly going to have ripple effects across business negotiations” between data service providers and their clients.

In 2023, the California Privacy Rights Act, which expands the protections offered by the CCPA, goes into effect, but it will not change the CCPA’s private right of action provision, Reed and Kohne said.

From: Corporate Counsel