As we are all well aware by now, the California Consumer Privacy Act (CCPA) (Cal. Civ. Code Sections 1798.100 et seq.) went into effect on Jan. 1. Through its amendments and regulations (the latter of which have yet to be finalized as of this article’s publication), one aspect of the act has stayed largely consistent: the CCPA grants a private right of action only in limited situations. While the California Attorney General has the ability to impose fines for any CCPA violation, the private right of action is specifically limited (over significant debate and a proposed amendment that failed to pass) to data breach. Moreover, in creating that private right of action, the act specifically notes that violations “shall not be interpreted to serve as the basis for a private right of action under any other law.”

Does that mean there will not be significant litigation concerning the CCPA outside of the data breach realm? The answer is clearly a resounding “no.” Indeed, we have already seen multiple lawsuits filed taking direct aim at the CCPA’s claimed limitations on private enforcement. In those cases, in direct contravention of the stated limitation on private rights of action, plaintiffs have claimed (among other things) that the failure to provide proper notice required by the CCPA predicates a violation of California’s Unfair Competition Law (Cal Civ. Code. Section 17200) (the UCL). See, e.g., Burke v. Clearview AI, Case No. 3:20-cv-00370 (S.D. Cal., filed Feb. 27, 2020); Sheth v. Ring, Case No. 2:20-cv-01538 (C.D. Cal., filed Feb. 18, 2020). Whether such claims will fail as expressly barred by the act remains to be seen.

But there are at least two additional areas where we expect to see the CCPA used in actions brought by plaintiffs’attorneys: (i) in connection with suits brought on behalf of cities and counties to enforce provisions of the CCPA, and (ii) where privacy statements and advertised activities required by the CCPA do not match the company’s actual practices, and thus potentially amount to actionable false claims under California’s false advertising law (the FAL) (Cal. Civ. Code Section 17500) and the California Consumers Legal Remedies Act (the CLRA) (Cal. Civ. Code Section 1750).

The past has shown that such laws provide fertile soil for consumer protection lawsuits, and we expect the CCPA to provide rich humus for a bumper crop of related enforcement claims.

Cities and Counties

The CCPA’s limitation on actions specifically limits “private” actions. Actions brought by cities and counties, then, are necessarily permitted under the act. Indeed, such governmental entities are likely to see this provision of the act as an opportunity to protect their constituents at no cost, since plaintiffs attorneys may be willing to take such cases on a contingency basis. Alternatively, cities and counties may find opportunities to engage counsel on a low-cost or hybrid fixed rate/contingency basis, a common practice in California. This type of engagement is permissible so long as the plaintiff city/county maintains supervisory control of the action (often by acting as co-counsel) while enforcing the rights of its residents. In connection with the CCPA, we had expected to see cities and counties taking a large role in enforcement, and in the new economic landscape created by the COVID-19 pandemic, alternative fee relationships are likely to be an attractive vehicle of resident protection for resource-strapped city and county departments to protect consumers without diverting resources away from other pressing health and safety mandates.

False Claims

The CCPA may also provide opportunities for plaintiffs attorneys to act on behalf of private citizens in claims not expressly based on a violation of the CCPA. As above, several such lawsuits have already been filed alleging violations of the UCL. Additional areas ripe for litigation are likely to include claims based on the FAL and the CLRA. These statutes, and potentially others, are likely to provide particularly fertile ground where, in their rush to comply with the CCPA notice and disclosure requirements described in Cal. Civ. Code Section 1798.130 (a)(5), businesses post privacy policies that later are exposed as not entirely accurate.

The FAL provides a cause of action against any person or company that, in the course of promoting or advertising a product, service, or business, makes a public statement that the speaker knows or should know is untrue or misleading. See generally, Cal. Bus. & Prof. Code Section 17500. Similarly, the CLRA prohibits “unfair methods of competition and unfair or deceptive acts or practices” by a business. Cal. Civ. Code Section 1770(a). Statements made concerning the collection, storage, use, and sharing of personal information as provided in an online privacy policy would surely support such claims where the statements, while arguably satisfying CCPA requirements, are demonstrably false or misleading.

The CLRA, which allows consumers to bring class action lawsuits to recover damages and enjoin false and unfair business practices, also provides for the recovery of punitive damages and attorney fees, making it a preferred vehicle for consumer protection claims.

While the attorney general’s enforcement will likely begin with review of company policies to ensure the company has provided the disclosures and notices required by the CCPA, consumer protection attorneys will no doubt be digging deeper sooner to investigate whether the company’s practices align with its stated policies. As such, it is imperative that companies don’t merely post privacy policies that meet the CCPA requirements, but rather they ensure that the policies they post fully and faithfully reflect the company’s practices.

The overall impact of the CCPA’s limitations on private actions is not clear. But we expect the new privacy landscape will provide a new and rich harvest for consumer protection attorneys.

Reprinted with permission from the May 5, 2020 issue of The Recorder. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Photo of Nate Garhart Nate Garhart

Nate Garhart’s practice centers on protecting and maximizing the value of various forms of intellectual property, which often represent important assets and major revenue sources for organizations ranging from startups to public companies and nonprofits.

Nate’s work spans the gamut from selecting and…

Nate Garhart’s practice centers on protecting and maximizing the value of various forms of intellectual property, which often represent important assets and major revenue sources for organizations ranging from startups to public companies and nonprofits.

Nate’s work spans the gamut from selecting and registering trademarks, to protecting and enforcing copyrights, to strategic negotiation of licenses of all kinds. He also works with clients to minimize the legal risks related to their branding, advertising, and publicity strategies.

Online, he counsels clients on internet issues and e-commerce topics, drafts website terms of use and privacy policies helping clients comply with Europe’s GDPR and California’s CCPA, and reviews customer communications for compliance with current laws.

Contact: ngarhart@fbm.com