California Privacy Law Update:  The California Privacy Protection Agency Takes Shape and CCPA Litigation Update
California Privacy Law Update:  The California Privacy Protection Agency Takes Shape and CCPA Litigation Update

Consumer privacy continues to be an ever evolving and active area of law and California is still leading the way.  In today’s update, we discuss the latest developments in enforcement and litigation for California consumer privacy law. 

The CPRA and the Privacy Protection Agency Inches Closer

The California Privacy Rights Act (CPRA), approved by voters as a ballot proposition in November 2020, supplements and expands the current California Consumer Privacy Act (CCPA), and established the California Privacy Protection Agency (CPPA or the “Agency”), which is vested with full power and authority to enforce the CCPA (including the additional requirements added by the CPRA).  The Agency had already appointed a Board of Directors and been holding regular meetings, but has recently taken additional important steps in its formation. 

On October 4, 2021, Ashkan Soltani was named as the first executive director of the CPPA Agency.  Director Soltani is a former chief technologist at the United States Federal Trade Commission and senior advisor to the White House, as well as a key contributor to the text of the CCPA and CPRA, and an advocate for the Global Privacy Control initiative.  As executive director, Mr. Soltani’s responsibilities will include, among others, carrying out day-to-day operation of the Agency, overseeing enforcement activities, and finalizing the required CPRA regulations by July 2022.  Reactions to Director Soltani’s appointment have been predominantly positive in the general privacy community, due in part to his collaborative approach and understanding of technology to advance privacy solutions.  However, businesses can also expect a robust and aggressive stance on enforcement with the CCPA and CPRA, and should take the upcoming time to focus on compliance with the CPRA before its implementation. 

CCPA Related Litigation

In the meantime, CCPA private litigation continues to rise.  Since its inception, more than 170 cases have been filed that cited to the CCPA, more than 80 of which were filed in 2021, with varying degrees of success.  The majority of cases filed have relied on the CCPA’s private right of action provision for data breaches, and it is unsurprising that class actions have dominated.  For example, in one of the most prominent recent cases, Menezes v. Regents of the University of California, a class action complaint was filed against the University of California San Diego Health for allegedly failing to protect consumer data.  The complaint alleges that a data breach exposed the sensitive personal information of almost half a million individuals.  The lawsuit alleges that San Diego Health failed to implement reasonable security measures, as well as failed to adequately train employees on how to avoid phishing attacks, and lacked procedures to detect malicious intrusions.  As a result, according to the complaint, patients’ personal and medical data was allegedly compromised over a four-month period before being discovered.  Plaintiff’s first cause of action in Menezes was the private right of action provision of the CCPA, California Civil Code § 1798.150, based on defendant’s alleged failure to exercise reasonable security measures required by the CCPA.  Plaintiff is seeking injunctive and equitable relief on behalf of the putative class.  The complaint has also leveraged the CCPA to, in part, assert a separate cause of action of California’s Unfair Competition Law (California Business & Professional Code §§ 17200, et seq.). 


If you have any privacy related questions, contact the authors and the other attorneys in the Data Security and Privacy Team at Atkinson Andelson Loya Ruud & Romo to help you navigate any potential actions or compliance questions.  If your business is faced with a lawsuit or regulatory enforcement action, AALRR has a team of data privacy litigators well-versed in California privacy law and are ready to step in and defend you.

This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The firm is not responsible for inadvertent errors that may occur in the publishing process. 

© 2021 Atkinson, Andelson, Loya, Ruud & Romo


Other AALRR Blogs

Recent Posts

Popular Categories



Back to Page

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Privacy Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.