Business Law Journal

On October 4, 2021, Ashkan Soltani was named as the first executive director of the CPPA Agency.  Director Soltani is a former chief technologist at the United States Federal Trade Commission and senior advisor to the White House, as well as a key contributor to the text of the CCPA and CPRA, and an advocate for the Global Privacy Control initiative.  As executive director, Mr. Soltani’s responsibilities will include, among others, carrying out day-to-day operation of the Agency, overseeing enforcement activities, and finalizing the required CPRA regulations by July 2022.  Reactions to Director Soltani’s appointment have been predominantly positive in the general privacy community, due in part to his collaborative approach and understanding of technology to advance privacy solutions.  However, businesses can also expect a robust and aggressive stance on enforcement with the CCPA and CPRA, and should take the upcoming time to focus on compliance with the CPRA before its implementation. 

CCPA Related Litigation

In the meantime, CCPA private litigation continues to rise.  Since its inception, more than 170 cases have been filed that cited to the CCPA, more than 80 of which were filed in 2021, with varying degrees of success.  The majority of cases filed have relied on the CCPA’s private right of action provision for data breaches, and it is unsurprising that class actions have dominated.  For example, in one of the most prominent recent cases, Menezes v. Regents of the University of California, a class action complaint was filed against the University of California San Diego Health for allegedly failing to protect consumer data.  The complaint alleges that a data breach exposed the sensitive personal information of almost half a million individuals.  The lawsuit alleges that San Diego Health failed to implement reasonable security measures, as well as failed to adequately train employees on how to avoid phishing attacks, and lacked procedures to detect malicious intrusions.  As a result, according to the complaint, patients’ personal and medical data was allegedly compromised over a four-month period before being discovered.  Plaintiff’s first cause of action in Menezes was the private right of action provision of the CCPA, California Civil Code § 1798.150, based on defendant’s alleged failure to exercise reasonable security measures required by the CCPA.  Plaintiff is seeking injunctive and equitable relief on behalf of the putative class.  The complaint has also leveraged the CCPA to, in part, assert a separate cause of action of California’s Unfair Competition Law (California Business & Professional Code §§ 17200, et seq.). 

Conclusion

If you have any privacy related questions, contact the authors and the other attorneys in the Data Security and Privacy Team at Atkinson Andelson Loya Ruud & Romo to help you navigate any potential actions or compliance questions.  If your business is faced with a lawsuit or regulatory enforcement action, AALRR has a team of data privacy litigators well-versed in California privacy law and are ready to step in and defend you.

This AALRR post is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR publication does not create an attorney-client relationship. The firm is not responsible for inadvertent errors that may occur in the publishing process. 

© 2021 Atkinson, Andelson, Loya, Ruud & Romo