**Originally published by Bloomberg Law.**
On July 1, 2020 California’s attorney general started enforcing the California Consumer Privacy Act by sending letters to companies with requests to cure alleged violations, as contemplated by the CCPA. The legislation took effect on Jan. 1, 2020, as part of the California Civil Code, and called on the attorney general to enforce the law within six months of enacting regulations or July 1, 2020 the latest. The CCPA regulations became final only on Aug. 14, 2020, and the attorney general announced that they would apply with immediate effect on the same day.
Despite a seemingly clear division between the domains of government and private enforcement, plaintiffs’ attorneys have been busy exploring ways that the CCPA can supply a basis for private civil litigation outside the data breach context. Whether private plaintiffs will be successful in this attempted expansion of the CCPA remains to be determined, but current trends in CCPA litigation can provide insight on what might be in store. This article explores those trends.
Within the CCPA, subsection (a) of Cal. Civ. Code § 1798.150 creates a narrowly framed right to private action in case of certain security breaches and clarifies in subsection (c) that aside from this one cause of action, “nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” By design, the CCPA vests enforcement authority in the attorney general.
We begin by examining a few selected lawsuits asserted under the data breach private right of action (Cal. Civ. Code § 1798.150), as the statute expressly contemplates. We then summarize some of the CCPA-related legal theories in nondata breach lawsuits, grouped generally into three main categories: unfair competition law claims based on underlying violations of the CCPA, negligence per se claims incorporating various apparent CCPA standards of care, and actions asserted directly under the CCPA.
Click here to read on.