The California Consumer Privacy Act (CCPA) (Cal. Civil Code §§1798.100 et. seq.) was enacted in 2018 and took effect on January 1, 2020. California was the first state to enact landmark privacy legislation of this scale, granting new privacy rights to California consumers with respect to collection and handling of their personal information by businesses. The CCPA requires the California Attorney General to issue regulations by July 1, 2020 and enforce the Act no earlier than that date.

Due to its expansiveness, complexity, and lack of clarity, CCPA has created huge litigation risks for businesses. The CCPA provides a private right of action for data breaches with no required showing of actual damages. The act allows recovery of statutory damages between $100 and $750 “per consumer per incident or actual damages, whichever is greater.” These can add up quickly. For example, a data breach affecting 25,000 California residents could expose a business to almost $20 million in damages.

While the CCPA does not have a private right of action for claims outside of data breaches, in initial lawsuits filed under CCPA, plaintiffs are attempting enforce noncompliance under California’s Unfair Competition Law (B&P Code, Section 17200), which treats technical violations of other laws as unfair business practices.

The intent behind the CCPA was not to include a broad private right of action. There is language within the CCPA that states the act should not be interpreted to provide a basis for a private right of action under other laws.

CCPA and implementing regulations need to be revised to provide needed clarifications and remove unreasonable burdens. CCPA should also be revised to clarify and limit the private rights of action available for alleged violations of its provisions. Absent these reforms, CCPA will be the impetus for a next great wave of unwarranted litigation in California.