**Originally published by Bloomberg Law.**

On July 1, 2020 California’s attorney general started enforcing the California Consumer Privacy Act by sending letters to companies with requests to cure alleged violations, as contemplated by the CCPA. The legislation took effect on Jan. 1, 2020, as part of the California Civil Code, and called on the attorney general to enforce the law within six months of enacting regulations or July 1, 2020 the latest. The CCPA regulations became final only on Aug. 14, 2020, and the attorney general announced that they would apply with immediate effect on the same day.

Despite a seemingly clear division between the domains of government and private enforcement, plaintiffs’ attorneys have been busy exploring ways that the CCPA can supply a basis for private civil litigation outside the data breach context. Whether private plaintiffs will be successful in this attempted expansion of the CCPA remains to be determined, but current trends in CCPA litigation can provide insight on what might be in store. This article explores those trends.

Within the CCPA, subsection (a) of Cal. Civ. Code § 1798.150 creates a narrowly framed right to private action in case of certain security breaches and clarifies in subsection (c) that aside from this one cause of action, “nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” By design, the CCPA vests enforcement authority in the attorney general.

We begin by examining a few selected lawsuits asserted under the data breach private right of action (Cal. Civ. Code § 1798.150), as the statute expressly contemplates. We then summarize some of the CCPA-related legal theories in nondata breach lawsuits, grouped generally into three main categories: unfair competition law claims based on underlying violations of the CCPA, negligence per se claims incorporating various apparent CCPA standards of care, and actions asserted directly under the CCPA.

Click here to read on.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.

Author

Teresa advises on all aspects of dispute resolution, primarily complex business disputes, class actions, intellectual property and international arbitration. She is the Co-Chair of the North American Class Action Subgroup.

Author

Alexander represents domestic and multinational corporations and individuals involved in complex commercial litigation as well as internal and white-collar investigations. He has substantial experience in state and federal courts representing clients involved in breach of contract, business tort and related commercial litigation.

Author

Gary is an associate in the Chicago office. His practice focuses on regulatory and transactional issues in global privacy and data protection, including cross-border data transfers, data security, data breach notification, global privacy, website privacy policies, behavioral advertising, and comprehensive compliance programs.

Author

Ed's practice focuses on class actions, complex commercial litigation and securities litigation. He represents a broad spectrum of clients including banks and other financial institutions, outsourcing companies, retailers and hotels. In recent years, Ed has defended numerous class actions brought under the Telephone Consumer Protection Act and the California Invasion of Privacy Act.