While the California Consumer Privacy Act (CCPA) is best known for its extensive privacy compliance obligations, the law also provides a limited private right of action for certain security-related breaches. Section 1798.150(a)(1) of the CCPA allows consumers to sue if their “nonencrypted and nonredacted personal information” is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Cal. Civ. Code § 1798.150(a)(1). Statutory damages under this provision range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. Cal. Civ. Code § 1798.150(a)(1)(A). Courts can also grant consumers injunctive or declaratory relief and “any other relief the court deems proper.” Cal. Civ. Code § 1798.150(a)(1)(B) and (C).
Plaintiffs have been testing this provision since the law went into effect in 2020, and 2024 was no different. In this article, we look at some notable litigation trends in cases brought under the CCPA last year. Here are our key takeaways from 2024:
- Courts continue to interpret “unauthorized access” broadly to include data intentionally disclosed to third parties by a business.
- Data sharing and third-party tracking cases, which previously would have fallen outside the § 1798.150 private right of action, are increasingly being brought as claims under the California Invasion of Privacy Act (CIPA).
- What courts treat as “reasonable security measures” continues to be defined by reference to Federal Trade Commission (FTC) recommendations, industry best practices, and frameworks from expert organizations such as the National Institute of Standards and Technology, the Center for Internet Security, or other regulators such as the Consumer Financial Protection Bureau.
- Some defendants have secured motions to dismiss by arguing that they do not meet the definition of a “business” under the CCPA.
In addition to the law’s private right of action, companies should also be aware of CCPA enforcement by the California attorney general (California AG) and the California Privacy Protection Agency (CPPA). Both agencies have continued to signal their commitment to enforcing all provisions of the CCPA. The California AG’s office recently settled an enforcement action, while the CPPA issued advisories on data minimization and dark patterns. It is likely that both the California AG and CPPA will significantly expand their enforcement actions under the law in the coming months.
To stay up to date on any of these developments, please subscribe to the WilmerHale Privacy and Cybersecurity Blog.
2024 CCPA Litigation Trends:
1. Cases broadly interpreting “unauthorized access” continue to be filed.
This year, two major cases involving unauthorized, non-breach disclosures of data survived motions to dismiss. Both involved online mental health platforms that disclosed user information to third-party advertisers.
In In re BetterHelp Data Disclosure Cases, 2024 WL 4219992 (N.D. Cal. Jul. 15, 2024), the court ruled that the plaintiffs, customers and potential customers who used BetterHelp’s website, sufficiently pleaded a violation of § 1798.150(a) by alleging that BetterHelp both disclosed plaintiffs’ email addresses and gave a recent college graduate “carte blanche to decide which Visitors’ and Users’ health information to upload.” The court held that sharing the information was a “disclosure” and that BetterHelp’s affirmative decision to allow third-party tracking software on its site was not a reasonable security procedure or practice “given the nature of the information” that it collected. The court’s dictum suggests that “unauthorized disclosure” claims may be limited to disclosures of the most sensitive categories of information going forward.
M.G. v. Therapymatch, Inc., 2024 WL 4219992 (N.D. Cal. Sep. 16, 2024), also involved the disclosure of mental health care inquiries. Therapymatch embedded an analytics provider’s code on its website, and that code collected information users were submitting to Therapymatch, including the conditions for which they were seeking treatment. Plaintiffs additionally alleged that Therapymatch failed to enable a data anonymization feature offered by the provider. The court held that the plaintiffs sufficiently alleged unreasonable security practices and did not need to allege a data breach; it was enough to allege disclosure without consent.
Plaintiffs have continued to file cases under this theory. Guzman v. The Western Union Co., 5:24-cv-404 (C.D. Cal.), alleges that Western Union’s “dragnet” provision of data about the plaintiff class’s money transfers to anti-money-laundering analytics groups constitutes an unauthorized disclosure. We will be keeping an eye on this and similar cases as they progress.
2. Cases under CIPA have surged.
Plaintiffs alleging privacy violations arising from third-party tracking code, such as embedded analytics scripts or tracking pixels, are increasingly relying on CIPA rather than the CCPA. CIPA’s private right of action was recently affirmed in Moody v. C2 Education Systems, 2024 U.S. Dist. LEXIS 132614 (C.D. Cal. July 25, 2024), despite the statute’s origins as a penal provision. The right to sue is substantially broader than the CCPA’s, requiring only that a plaintiff be “injured by a violation.” Cal. Penal Code § 637.2. The statutory damages are also higher: the greater of $5,000 per violation or three times the actual damages suffered by the plaintiff. Id. In Mirmalek v. LA Times Communications LLC, 2024 WL 5102709 (N.D. Cal. Dec. 12, 2024), the court held that the CCPA does not preempt CIPA claims, so future suits alleging privacy violations under the CCPA are likely to be accompanied by CIPA claims.
3. Cases primarily emphasize institutional recommendations and industry best practices to define “reasonable security measures.”
Throughout the year, the alleged actions (or omissions) that courts accepted as demonstrating a business’s “failure to implement and maintain reasonable security procedures and practices” increasingly coalesced around a few recognized standards. See Cal. Civ. Code § 1798.150(a)(1). The FTC’s guidelines are among the most frequently cited in defining “reasonable security measures.” For example, in In re Eureka Casino Breach Litigation, 2024 WL 4253198 (D. Nev. Sep. 19, 2024), the court ruled that Eureka’s alleged failure to follow specific FTC guidelines, such as requiring complex passwords and limiting access to personally identifiable information (PII), was enough to survive a motion to dismiss. The court also pointed to allegations that Eureka failed to follow institutional standards, such as the Center for Internet Security’s Critical Security Controls, as sufficient to plead a failure to apply reasonable security measures. The practical lesson is that plaintiffs plead specific, named controls, so a business’s defense turns on being able to show which recognized framework it follows and how.
Additionally, a failure to apply a specific industry-standard measure can itself constitute a failure to implement reasonable security measures. For example, in In re LastPass Data Security Incident Litigation, 2024 U.S. Dist. LEXIS 134178 (D. Mass. Jul. 30, 2024), the plaintiff class survived a motion to dismiss by alleging that LastPass’s encryption fell below industry standards.
4. Cases have been dismissed for defendants that don’t meet the definition of “business.”
Under the CCPA, a business is defined as a “legal entity organized for … profit or financial benefit” that not only collects personal information but also “determines the purposes and means of the processing” of that information. Cal. Civ. Code § 1798.140(d)(1). Where a defendant merely executes the requests of another party, it does not “determine” the use or processing of the data. For example, in In re Accellion, Inc. Data Breach Litigation, 713 F.Supp.3d 623 (N.D. Cal. Jan. 29, 2024), the court found that Accellion, the provider of a file hosting and sharing service, did not make determinations relating to the processing of PII. Because plaintiffs pleaded that Accellion “enabled” its customers’ business decisions rather than providing consulting or otherwise working with the client on those decisions, it was not considered a business. By contrast, in Miller v. NextGen, 2024 U.S. Dist. LEXIS 131254 (N.D. Ga. Jul. 25, 2024), the court held that allegations that NextGen used personal data to “develop, improve, and test” its services were sufficient to treat NextGen as a business at the motion to dismiss stage.
Certain defendants may also avoid CCPA liability based on the nature of their organization. For example, in Keown v. International Association of Sheet Metal Air Rail Transportation Workers, 2024 U.S. Dist. LEXIS 168789 (D.D.C. Sep. 19, 2024), the court found that because the defendant union was a voluntary members association, and the claim didn’t arise from a sale of goods, the union could not be considered a business.