Skip to content

The California Consumer Privacy Act (CCPA) provides plaintiffs with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. Although the CCPA does not permit private suits with respect to alleged violations of the CCPA’s privacy (as opposed to security) provisions, the lack of a specified private right of action has not deterred some plaintiffs from filing suit and arguing that their case should be permitted to proceed or from repackaging a CCPA privacy violation as a violation of California’s unfair practices law.

The rate of CCPA class action filings has steadily increased since the CCPA was enacted, although it continues to lag behind more established data privacy and data security related theories, like negligence, fraud, or breach of contract. In 2021, 281 federal court cases were filed in, or removed to, federal court and referenced either the “CCPA” or the “California Consumer Privacy Act.” Note that this represents only a portion of CCPA-related litigation as it does not include cases brought by individuals outside of the class action mechanism or cases that were filed in state court and were not removed to a federal forum. Year-over-year, that represents a 44.10% increase in litigation filings – more than almost any other data privacy related topic.[1] Although CCPA cases are on the rise, in absolute terms they still do not represent the most popular data privacy or data security theory utilized by the plaintiff’s bar. For example, nearly 3x more Telephone Consumer Protection Act (TCPA) cases were filed in federal court, or removed to federal court, in 2021 than CCPA cases.


[1] Statistics from Lex Machina based upon a search of “California Consumer Privacy Act” or “CCPA,” and “class actions” filed between Jan. 1, 2021, and Dec. 31, 2021. Note that Lex Machina did not code each of these cases as a class action, a criteria which was used in previous reports regarding the quantity of CCPA litigation. As a result, it’s possible that some of the referenced cases were not filed as putative class actions although they utilize the term “class action.” An initial review of the cases, however, suggests that Lex Machina’s coding of cases as “class actions” was under-inclusive.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Jena M. Valdetero Jena M. Valdetero

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against…

Jena M. Valdetero serves as Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice where she advises clients on complex data privacy and security issues. She has led more than 1,000 data breach investigations. A litigator by background, Jena defends companies against privacy and data breach litigation, with an emphasis on class action lawsuits. She has designed and conducted dozens of data breach tabletop exercises to empower clients to respond effectively to a data security incident. She also counsels companies on data privacy and security compliance programs and advises on cyber risks associated with mergers and transactions. Jena also advises a diverse array of clients on compliance with existing and emerging privacy laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Gramm Leach Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act (HIPAA). She is a certified privacy professional through the International Association of Privacy Professionals (CIPP/US), for which she is a former KnowledgeNet Co-Chair.
Jena is a passionate advocate of diversity and inclusion. She currently serves as a board member of the Chicago chapter of Women in Law Empowerment Forum.

Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).