The California Consumer Privacy Act (CCPA) took effect Jan. 1. As has been well documented, the statute provides consumers with certain rights regarding their personal information, including the right to know whether businesses are collecting such information and how it is being used, the right to request deletion of such information, and the right to opt out of the sale of such information to third parties.

The CCPA also includes what was supposed to be a limited private right of action that permits consumers to recover up to $750 in statutory damages per incident when certain types of personal information are exposed in connection with a data breach. Perhaps unsurprisingly, this private right of action has already spawned dozens of class actions in California state and federal courts. These suits shed light on the various ways plaintiffs are testing the boundaries of the CCPA and its private right of action. Several categories of boundary-testing CCPA lawsuits are discussed below.

CCPA Lawsuits Premised on Violations of the Statutory Notice and Opt-Out Provisions