A Review of the CCPA’s Private Right of Action
In March, we examined trends in the California Attorney General’s enforcement of the California Consumer Protection Act (the “CCPA”), and this month we’ll look at trends in suits arising from the CCPA’s private right of action. As a reminder, the CCPA provides a private right of action that allows consumers to seek, either individually or as a class, statutory or actual damages and injunctive and other relief, if their non-encrypted, non-redacted personal information is subject to unauthorized access or disclosure as a result of a business’s failure to implement and maintain required reasonable security procedures and practices commensurate in scope with the nature of the personal information. A plaintiff may recover statutory damages of between $100 and $750 per California resident per incident, or actual damages, whichever is greater. Notably, a plaintiff bringing a suit must give the business notice of the breach and a thirty-day period to cure the breach, if possible.
While the scope of this private right of action is limited, it has led to numerous class action suits being filed, typically after a company suffers a data breach. One recent case illustrates a success story for plaintiffs bringing suit under the CCPA. A federal judge earlier this month in Atkinson et al v. Minted, Inc., Case No. 3:20-cv-03869 (N.D. Cal.), preliminarily approved a $5 million non-reversionary settlement fund. The plaintiffs in Atkinson brought suit against Minted after the business suffered a data breach at the hands of a group named Shiny Hunters that reportedly sold 73.2 million records containing personally identifiable information of consumers from 11 different companies, including Minted.
Specifically, the plaintiffs alleged that the personal information disclosed met the heightened definition of personal information, as the records included first and last name in connection with an email address and a hashed or salted password. Further, the plaintiffs alleged that this disclosure reflected a failure by Minted to maintain adequate security measures to detect intrusion as required under the CCPA. While it appears that this case will ultimately settle, it does provide a framework to showcase how these private suits survive the technical challenges often brought forth by defendants as successful defenses.
Finally, while the private right of action is limited under the CCPA, it has not stopped individuals from bringing claims against businesses for other violations of the CCPA, such as the notice and opt-out provisions. However, it appears unlikely that these suits will gain traction, given the prescriptive requirements for the private right of action. We will continue to monitor CCPA litigation as we move forward in this new era of individual privacy rights.
Personal information for purposes of the private right of action is defined more narrowly, relying on the definition of personal information under Section 1798.81.5, which requires the individual’s name in connection with another data element, rather than the broad definition of personal information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.