Interesting to compare and contrast the CCPA actions against the more privacy-related GDPR enforcement actions…:
[…] So far, CCPA litigation continues to generally fall into three “buckets:”
- Data security breach. In many of these cases, Plaintiffs seek CCPA damages in connection with a data breach. Interestingly, at least one complaint seeks damages for a breach that occurred before the effective date of the CCPA. Multiple complaints were filed before the defendant company had the chance to respond to the statutorily-required 30 day notice to cure demand issued by plaintiffs. These complaints are likely testing the waters on how courts will interpret the CCPA’s private right of action for breaches.
- Data privacy. The CCPA does not currently provide consumers with the right to sue for a violation of its privacy (e.g., privacy notices, access rights, etc.) provisions. Nonetheless, there has been an uptick in complaints where the plaintiffs allege that the defendant failed to meet a requirement under CCPA, such as providing proper disclosure of privacy practices. Plaintiffs are seeking injunctive relief and damages.
- Miscellaneous references. In a few cases, the CCPA is not listed as a cause of action or claim for relief. Instead, the plaintiff typically alleges that the defendant company committed an “unlawful” business practice by failing to properly safeguard the plaintiff’s personal information, and as such, violated applicable laws, including the CCPA.