The California Consumer Privacy Act (CCPA) provides plaintiffs with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of personal information and are caused by a business’s failure to institute reasonable and appropriate security. Although the CCPA does not permit private suits with respect to alleged violations of the CCPA’s privacy (as opposed to security) provisions, the lack of a specified private right of action has not deterred some plaintiffs from filing suit and arguing that their case should be permitted to proceed or from repackaging a CCPA privacy violation as a violation of California’s unfair practices law.
The rate of CCPA class action filings has steadily increased since the CCPA was enacted, although it continues to lag behind more established data privacy and data security related theories, like negligence, fraud, or breach of contract. In 2021, 281 federal court cases were filed in, or removed to, federal court and referenced either the “CCPA” or the “California Consumer Privacy Act.” Note that this represents only a portion of CCPA-related litigation as it does not include cases brought by individuals outside of the class action mechanism or cases that were filed in state court and were not removed to a federal forum. Year-over-year, that represents a 44.10% increase in litigation filings – more than almost any other data privacy related topic. Although CCPA cases are on the rise, in absolute terms they still do not represent the most popular data privacy or data security theory utilized by the plaintiff’s bar. For example, nearly 3x more Telephone Consumer Protection Act (TCPA) cases were filed in federal court, or removed to federal court, in 2021 than CCPA cases.
 Statistics from Lex Machina based upon a search of “California Consumer Privacy Act” or “CCPA,” and “class actions” filed between Jan. 1, 2021, and Dec. 31, 2021. Note that Lex Machina did not code each of these cases as a class action, a criteria which was used in previous reports regarding the quantity of CCPA litigation. As a result, it’s possible that some of the referenced cases were not filed as putative class actions although they utilize the term “class action.” An initial review of the cases, however, suggests that Lex Machina’s coding of cases as “class actions” was under-inclusive.