November 26, 2024
CCPA Lawsuits Expand Beyond Data Breaches
Private lawsuits under the CCPA may become more common. Find out how courts have been interpreting a key provision of California's privacy law.

The California Consumer Privacy Act (CCPA) is different from other U.S. state privacy laws in that it gives consumers a private right of action, meaning California residents can sue businesses over violations. However, that private right of action has always been accompanied by a huge asterisk: It only applies in the context of data breaches.

Given the multitude of potential legal liabilities a business faces after a data breach, many companies simply shrugged their shoulders at this private right of action. Even though the CCPA ups the ante by allowing for recovery of up to $750 in statutory damages without any showing of actual damages, businesses already have plenty of motivation to keep personal data secure.

A recent string of data privacy cases has thrown the status quo into doubt, though, with courts stating that a data breach is not actually required to support a private right of action under the CCPA.

The CCPA’s Private Right of Action

Only certain types of especially sensitive personal information are subject to the CCPA’s private right of action. These can be divided into two groups:

  1. Email address in combination with a password or security question and answer that would permit access to the account, OR
  2. An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
    • Social security number;
    • Any government-issued ID number commonly used to verify the identity of a specific individual;
    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
    • Medical information;
    • Health insurance information;
    • Unique biometric data; or
    • Genetic data.

A consumer has a private right of action against a business when any of the above types of personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”
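To make the two groups above concrete for a data inventory, here is an added example (not TrueVault's code, and not a legal determination) that encodes the statutory combinations as a scope check over a record. The field names (`first_name`, `ssn`, `financial_credential`, `protected_fields`, and so on) are assumptions about a record schema; `protected_fields` is an assumed convention listing which fields are stored encrypted or redacted.

```python
"""Scope check for the CCPA private right of action (Cal. Civ. Code 1798.150).

Added illustration of the two data-element groups described above; it is not
TrueVault's code. Field names are assumptions about a record schema.
"""

# Data elements that, combined with a person's name, fall within scope.
NAME_LINKED_ELEMENTS = (
    "ssn",
    "government_id",        # licence, passport or similar ID number
    "financial_account",    # counts only together with a security/access code
    "medical_info",
    "health_insurance_info",
    "biometric_data",
    "genetic_data",
)


def _present(record: dict, field: str) -> bool:
    """True if the field holds a non-empty value (encrypted or not)."""
    return bool(record.get(field))


def _exposed(record: dict, field: str) -> bool:
    """True if the field is present AND stored neither encrypted nor redacted.

    Encrypted/redacted fields are listed under "protected_fields" (assumed).
    """
    return _present(record, field) and field not in record.get("protected_fields", ())


def in_private_action_scope(record: dict) -> list[str]:
    """Return the reasons a record is in scope for the private right of action.

    An empty list means the record holds none of the statutory combinations.
    """
    reasons: list[str] = []

    # Group 1: email address plus a credential that would permit account access.
    # The text quoted above attaches no encryption caveat to this group, so the
    # check is deliberately conservative and looks only at presence.
    if _present(record, "email") and (
        _present(record, "password") or _present(record, "security_answer")
    ):
        reasons.append("email+credential")

    # Group 2: (first name or initial) + last name + a sensitive element,
    # where either the name or the element is unencrypted/unredacted.
    name_present = (
        _present(record, "first_name") or _present(record, "first_initial")
    ) and _present(record, "last_name")
    name_exposed = (
        _exposed(record, "first_name") or _exposed(record, "first_initial")
    ) and _exposed(record, "last_name")
    if name_present:
        for element in NAME_LINKED_ELEMENTS:
            if not _present(record, element):
                continue
            # An account number alone is not enough: the statute requires the
            # code or password that would permit access to the account.
            if element == "financial_account" and not _present(record, "financial_credential"):
                continue
            if name_exposed or _exposed(record, element):
                reasons.append(f"name+{element}")
    return reasons


if __name__ == "__main__":
    # Constructed sample records, not real data.
    samples = {
        "plaintext name + SSN": {"first_name": "Ana", "last_name": "Diaz", "ssn": "000-00-0000"},
        "name and SSN both encrypted": {
            "first_name": "Ana", "last_name": "Diaz", "ssn": "000-00-0000",
            "protected_fields": {"first_name", "last_name", "ssn"},
        },
        "encrypted name, plaintext medical info": {
            "first_initial": "A", "last_name": "Diaz", "medical_info": "dx code",
            "protected_fields": {"first_initial", "last_name"},
        },
        "card number without access code": {
            "first_name": "Ana", "last_name": "Diaz", "financial_account": "4111-0000",
        },
        "email only": {"email": "ana@example.invalid"},
    }
    for label, rec in samples.items():
        print(f"{label}: {in_private_action_scope(rec) or 'out of scope'}")
```

The useful edge cases are the ones the statute's wording creates: a fully encrypted name-plus-SSN pair is out of scope, an encrypted name next to a plaintext medical field is still in scope, and a card number without its access code is not a financial-account element at all.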

What Courts Have Had to Say

The language in any statute is open to interpretation, and judicial decisions add another layer of understanding as to what the text actually means. For the most part, the CCPA’s private right of action has been applied in the expected scenario: a business’s cybersecurity systems were breached and personal data was illicitly taken.

There have been other situations, outside of the typical data breach, in which courts have nonetheless upheld a private right of action under the CCPA. 

In Stasi v. Inmediata Health Group, for example, the defendant was accused of allowing search engines to index their entire site, even those pages that contained individuals’ protected health information. The result was that all of that data was openly available on the internet. The court ruled that this was a disclosure of the data, even if the plaintiffs couldn’t prove that someone had accessed it.

The plaintiff in Ramos v. Wells Fargo Bank alleged that, because of the bank’s failure to properly maintain his personal information, unknown persons were able to access his savings account and withdraw his money. The court held that this allegation was enough to sustain a lawsuit under the CCPA, even if it wasn’t a data breach.

A more recent case has gone significantly farther in interpreting the CCPA’s private right of action. In M.G. v. Therapymatch, the defendant was alleged to have implemented Google Analytics on its website (an online platform for helping consumers find mental health professionals), and Google was therefore able to intercept consumers’ medical information. The court found this to be sufficient for a private right of action under the CCPA.

There are a few unknowns in M.G. v. Therapymatch. For instance, the court never addresses why the CCPA should apply to medical information, which is broadly exempted from the privacy law. Also, the court mentions that the defendant had opted to share information with Google Analytics in order to improve Google’s products and services, and that the defendant’s privacy policy didn’t mention sharing personal information with Google. Did these facts affect the outcome? We don’t know because the court doesn’t discuss why they are important.

Regardless of the uncertainties, M.G. v. Therapymatch is likely to be cited in many plaintiffs’ briefs going forward.

Takeaways for Businesses

While the CCPA’s private right of action is limited, businesses should not assume that it can only apply in the context of a data breach, because some courts have been willing to apply it more broadly than that. In evaluating the level of risk for your business, here are some important considerations:

  1. Determine whether your business is processing the types of personal information that can give rise to a private lawsuit under the CCPA.
  2. Don’t focus on cybersecurity measures to the exclusion of all other types of disclosure. Take a look at any technology that allows these categories of data to be shared with third parties (such as analytics and advertising tools).
  3. Medical information in particular has been the subject of numerous lawsuits where businesses used technologies such as tracking pixels and data analytics that automatically share that data with third parties.
  4. Consider adding a cookie consent banner that puts consumers in control of what technologies will be used on your site.
  5. Regularly review security measures that are meant to protect these kinds of sensitive information, both in transit and at rest. Implement encryption and redaction where it’s feasible.
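Takeaways 2 and 3 come down to knowing which third parties a page actually loads. The following is an added example (not TrueVault's code) that parses a page's HTML and lists every script, image, iframe or stylesheet fetched from a host outside the first-party domain, which is how an analytics tag or tracking pixel on a page that renders health information would surface in a review. The sample HTML and the `example.com` first-party domain are constructed for the illustration.

```python
"""List third-party resource loads in an HTML page.

Added illustration for the review of analytics and pixel technologies
suggested above; it is not TrueVault's code. Sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for elements that trigger a network request."""

    # Tag -> attribute whose value is fetched when the page renders.
    _WATCH = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = self._WATCH.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append((tag, value))


def third_party_loads(html: str, first_party_domain: str) -> list[tuple[str, str]]:
    """Return (tag, host) for each resource served from outside first_party_domain.

    Relative URLs resolve to the first party and are skipped. Subdomains of the
    first-party domain (e.g. a CDN under it) are treated as first party.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        host = urlparse(url).hostname  # handles https://, http:// and //host/...
        if not host:
            continue  # relative URL: served by the first party
        if host == first_party_domain or host.endswith("." + first_party_domain):
            continue
        findings.append((tag, host))
    return findings


# Constructed sample: a provider-results page that loads an analytics tag and a
# tracking pixel alongside first-party assets. The tag id is a placeholder.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.com/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>
<h1>Your matched providers</h1>
<img src="//tracker.example.net/pixel.gif" width="1" height="1">
<a href="https://example.com/account">Account</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, host in third_party_loads(SAMPLE_HTML, "example.com"):
        print(f"{tag:<6} -> {host}")
```

Run over the pages that display or collect the sensitive categories listed earlier, the output is the list of vendors whose data-sharing terms and disclosure in your privacy policy need to be checked; an empty list for such a page is the goal.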

Not sure where to start? TrueVault helps businesses of all sizes comply with the CCPA, as well as privacy laws from many other jurisdictions. Contact our team to learn more.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
