California consumers have only a narrow private right of action under the recently enacted California Consumer Privacy Act (CCPA) to bring suit if a data breach results in the loss or theft of their personal information. To date, two lawsuits have been filed asserting direct claims under the CCPA’s private right of action, in both cases complaining about data breaches that occurred in 2019, prior to the law’s going into effect. The plaintiff in Barnes v. Hanna Andersson, No. 4:20-cv-00812-DMR (N.D. Cal.), initially asserted only negligence and §17200 claims, but then amended to add a CCPA claim in a case arising out of a data breach that clothing retailer Hanna Andersson announced in early 2020, but that occurred in late 2019. A few weeks later, the plaintiff in Fuentes v. Sunshine Behavioral Health Group, No. 8:20-cv-00487 (C.D. Cal.), similarly included a direct claim under the CCPA alongside other contractual, common law, and statutory causes of action concerning a breach involving rehab facilities that occurred in the fall of 2019 but was only disclosed publicly in January 2020. Putting aside the issue of their reliance on breaches that occurred prior to the CCPA’s effective date, the Barnes and Fuentes complaints allege the kind of post-data breach claims directly under the CCPA’s private right of action that have long been expected.

More interesting than these direct claims, however, are the attempts by litigants in recent filings to employ the CCPA indirectly (in particular via California’s Unfair Competition Law), where a direct CCPA claim is unavailable, asserting that the CCPA’s substantive provisions support claims that the private right of action does not cover. The CCPA does not provide any private right of action for a CCPA violation outside the data breach context, nor does it provide a private right of action as to every data breach, but that has not stopped plaintiffs from relying upon the CCPA’s substantive provisions in lawsuits not predicated on the CCPA’s limited private right of action. These efforts have the potential to increase the litigation costs and possible legal exposure for businesses collecting personal information from Californians, even if the plaintiffs may face hurdles in ultimately prevailing. So what is a business to do? This article looks in depth at this recent effort by private plaintiffs to rely on the CCPA to support claims not falling within the CCPA’s private right of action and provides practical tips businesses can use now to help minimize the risks presented by such claims in future litigation.

Limitations of the CCPA Private Right of Action