Trends in Privacy Enforcement and Litigation in California

If your business is operating in California, pay close attention because California law gives individuals a private right of action to seek statutory damages if their personal information is part of a data breach. Read on to uncover trends in privacy enforcement and litigation in California.

Quick Facts About California Consumer Privacy Act (CCPA) Litigation Trends

• The average class action payout is $3.1 million total, and $29.30 per class member (based on at least 17 class-action settlements so far). 
• While many class actions settle for under $1 million, large breaches (like the Accellion breach) seem to be settling for around $5 million.
• There were around 40% more lawsuits filed in 2021 than in 2020. 
• 90% of the lawsuits filed in 2021 were related to data breaches.
• Finance and software companies were in the top 5 industries which attracted CCPA lawsuits in both 2020 and 2021.

These figures were taken from the CCPA Litigation 2021 Year in Review coverage. 

So far, the California Attorney General (AG) has not yet commenced legal proceedings against any company under California privacy law. However, the AG has issued notices of non-compliance, many of which require companies to update their opt-out mechanisms, revise their privacy policy, add Do Not Sell My Personal Information links, and stop selling personal information – which is broadly defined to include disclosing or providing access to personal information for monetary or other value.

Key Rulings in CCPA Litigation

The CCPA Is Not Retroactive. 

In one matter, a plaintiff alleged that his data was available for sale on the dark web in 2019 and remained there in 2021. The court ruled that the CCPA private right of action only applies to security breaches that occurred on or after the law came into effect on January 1, 2020. 

This ruling was anticipated, but provided relief for business owners who had suffered earlier data breaches. 

Private Rights of Action Limited Under CCPA.

Multiple proceedings have been dismissed because there were no allegations of a data breach – and private rights of action under the CCPA are limited to matters where a data breach occurred. 

This is significant because 10% of filings in 2021 and 66% of filings in 2020 related to circumstances where no data breach occurred. 

Key Takeaways: California Privacy

Litigation Will Likely Continue to Increase.

Given how new the private right of action is (and that it remains intact when the CPRA comes into effect in 2023), it is likely that individuals will continue to test the boundaries of these new rights. As a result, we anticipate another leap in the number of filings in 2022. 

Loyalty Programs Require Disclosure. 

Many businesses use loyalty programs to collect, use, store, and sell data. If your business does this, you will need provide consumers with a Notice of Financial Incentive.

In addition to details about the actual incentive, businesses must provide information about how the financial incentive is reasonably related to the value of the consumer’s data. This must include an estimate of the value of the data, as well as how that value has been calculated. 

The AG has already sent out notices of non-compliance relating to this requirement.

We have planned future coverage discussing the key changes coming with the 2023 CPRA law. We’ve also recently covered key lessons from recent data breaches in a recent episode of Conversation with CGL. 

But if you need assistance navigating California’s privacy law, reach out. Our privacy attorneys would love to help. 

• Privacy