Consumer privacy continues to be an ever-evolving and active area of law, and California is still leading the way. In today’s update, we discuss the latest developments in enforcement and litigation for California consumer privacy law.
The CPRA and the Privacy Protection Agency Inch Closer
The California Privacy Rights Act (CPRA), approved by voters as a ballot proposition in November 2020, supplements and expands the current California Consumer Privacy Act (CCPA), and established the California Privacy Protection Agency (CPPA or the “Agency”), which is vested with full power and authority to enforce the CCPA (including the additional requirements added by the CPRA). The Agency had already appointed a Board of Directors and been holding regular meetings, but has recently taken additional important steps in its formation.
On October 4, 2021, Ashkan Soltani was named as the first executive director of the CPPA. Director Soltani is a former chief technologist at the United States Federal Trade Commission and senior advisor to the White House, as well as a key contributor to the text of the CCPA and CPRA, and an advocate for the Global Privacy Control initiative. As executive director, Mr. Soltani’s responsibilities will include, among others, carrying out the day-to-day operations of the Agency, overseeing enforcement activities, and finalizing the required CPRA regulations by July 2022. Reactions to Director Soltani’s appointment have been predominantly positive in the general privacy community, due in part to his collaborative approach and understanding of technology to advance privacy solutions. However, businesses can also expect a robust and aggressive stance on enforcement of the CCPA and CPRA, and should use the time before the CPRA’s implementation to focus on compliance.
CCPA Related Litigation
In the meantime, CCPA private litigation continues to rise. Since the CCPA’s inception, more than 170 cases citing it have been filed, more than 80 of them in 2021, with varying degrees of success. The majority of cases filed have relied on the CCPA’s private right of action provision for data breaches, and it is unsurprising that class actions have dominated. For example, in one of the most prominent recent cases, Menezes v. Regents of the University of California, a class action complaint was filed against the University of California San Diego Health for allegedly failing to protect consumer data. The complaint alleges that a data breach exposed the sensitive personal information of almost half a million individuals. The lawsuit alleges that San Diego Health failed to implement reasonable security measures, failed to adequately train employees on how to avoid phishing attacks, and lacked procedures to detect malicious intrusions. As a result, according to the complaint, patients’ personal and medical data was allegedly compromised over a four-month period before the breach was discovered. Plaintiff’s first cause of action in Menezes was brought under the private right of action provision of the CCPA, California Civil Code § 1798.150, based on defendant’s alleged failure to exercise reasonable security measures required by the CCPA. Plaintiff is seeking injunctive and equitable relief on behalf of the putative class. The complaint has also leveraged the CCPA to, in part, assert a separate cause of action under California’s Unfair Competition Law (California Business & Professional Code §§ 17200, et seq.).
Conclusion
If you have any privacy-related questions, contact the authors and the other attorneys in the Data Security and Privacy Team at Atkinson Andelson Loya Ruud & Romo to help you navigate any potential actions or compliance questions. If your business is faced with a lawsuit or regulatory enforcement action, AALRR has a team of data privacy litigators who are well-versed in California privacy law and ready to step in and defend you.
This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The firm is not responsible for inadvertent errors that may occur in the publishing process.
© 2021 Atkinson, Andelson, Loya, Ruud & Romo
- Partner
Brian Wheeler is Chair of the firm’s Commercial and Complex Litigation Practice Group. He also leads the firm’s Intellectual Property and Data Privacy practices within the Practice Group, overseeing AALRR’s team of ...