Data breaches were the leading cause of lawsuits brought under the California Consumer Privacy Act in 2021, according to a recent report on CCPA litigation trends compiled by the law firm Akin Gump.
The firm’s 2021 CCPA Litigation Report identified 145 lawsuits brought under the still-new California law last year, an increase of about 60 percent from 2020.
Akin Gump noted that the CCPA litigation landscape in 2021 was driven by bold plaintiffs “suing more often, all over the country, against business in all industries, and for higher stakes.”
As California residents increasingly seek relief under the law, it’s important for businesses across the country that operate in California understand and engage in CCPA compliance efforts in order to best protect against costly litigation.
What is the California Consumer Privacy Act (CCPA)?
The CCPA is a landmark California data privacy law approved by voters in 2018 that governs the personal information businesses collect on state residents. The law took effect January 1, 2020 and a voter-approved expansion – The California Privacy Rights Act – takes effect in 2023.
The privacy law, which applies to for-profit companies, gives California residents the right to sue companies both located in the state of California and those doing business in California if their sensitive personal information is subject to unauthorized access and exfiltration, theft or disclosure as a result of a business’s failure to implement and maintain reasonable security procedures.
A California resident’s social security number, driver’s license number, health insurance information, internet protocol address, internet browsing history and employment-related information can all qualify as personally identifiable consumer data under CCPA. Additionally, records about a California consumer’s personal property may also be subject to the law.
Under the law, a California resident also has the right to opt out of companies selling their personally identifiable information and to request the deletion of their personal information. The CCPA allow California residents to seek statutory damages of $100 to $750 per incident or actual damages, whichever is greater, and any other relief the court deems proper.
What kinds of CCPA cases were litigated in 2021?
The majority of the 2021 lawsuits stemmed from data breaches. Akin Gump identified 40 unique data breaches leading to litigation last year.
The firm said the increase in the number and complexity of cyberattacks will likely fuel more consumer privacy litigation in the coming years.
Notable data breaches included the following companies:
- California Pizza Kitchen
- Arthur Gallagher & Co.
- Herff Jones
What’s the Status of Consumer Privacy Laws Elsewhere?
Since California residents adopted the CCPA, four more states have followed in its footsteps in adopting similar legislation: Virginia, Colorado, Utah, and Connecticut. Each of these new laws will take effect in 2023.
As more states adopt similar legislation, it’s more important than ever for companies that collect consumers’ personal information to be cautious about how they handle it, and to ensure compliance with applicable laws through their policies and procedures.
We recommend companies work to assess their cybersecurity risks and implement reasonable security procedures to better help defend legal claims that may arise under these new consumer privacy laws.
Digital Silence specializes in helping organizations with their cybersecurity programs, including working with customers when they have experienced data breaches. Contact us for help strengthening your defenses before an incident occurs.