Eric Goldman writes:
This post recaps the court decisions analyzing the California Consumer Privacy Act (CCPA) so far. I only know of seven opinions as of May 1, 2021, a number that struck me as surprisingly small. (If you think I’m missing any, please email me).
Overview
CCPA lawsuits generally fit into one of the following four categories:
- Data breach Private Right of Action (PRA). Since Jan. 1, 2020, the CCPA authorizes a private right of action with respect to certain data breaches. I expected this would be a popular claim; I thought plaintiffs would allege it in every data breach lawsuit. We’ve seen many of those filings, but few of the cases have issued opinions yet. 16 months isn’t very long in the lifespan of litigation, so this jurisprudence is still emerging.
- AG enforcement. The AG’s office gained partial enforcement power on July 1, 2021 (the remainder in August 2020). An AG enforcement will produce a court opinion only if the parties actually fight in court, which businesses are reluctant to do. Plus, the CCPA also gives businesses a mandatory cure period, which further reduces the odds of litigated disputes. I’m not aware of any AG enforcements of the CCPA spilling into court. In fact, I’m not aware of any publicized CCPA enforcement actions–a surprising stat given the target-rich enforcement environment.
- Non-data breach PRA. The CCPA does not authorize PRAs for any statutory violations other than specified data breaches. Some plaintiffs have asserted those CCPA claims anyways. They will fail.
- Constitutional challenges. In the CCPA’s early days, I heard a lot of chatter that unhappy businesses were going to challenge the CCPA, but I don’t believe any lawsuits were ever filed. Given the CCPA’s imminent deprecation due to the CPRA, I don’t expect any court challenges to the CCPA to emerge at this point.
TL;DR: it’s been pretty quiet on the CCPA litigation front so far.
Read his roundup of case summaries on Technology & Marketing Law Blog.