In less than one month, the California Consumer Privacy Act of 2018 (CCPA) will go into effect and begin a new era of data breach litigation. While the California Attorney General is charged with generally enforcing the state’s landmark privacy law, consumers’ ability to rely on a violation of the CCPA as a basis for violations of other state law statutes will be a concern.

For background, Section 1798.150(a)(1) of the CCPA gives consumers a limited private right of action. The provision allows consumers to sue businesses that fail to maintain reasonable security procedures and practices to protect “nonencrypted or nonredacted personal information” of a consumer and further fail to cure the breach within 30 days. A violation of this data security provision allows recovery of statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive relief. To determine the appropriate amount of statutory damages, courts must analyze the circumstances of the case, including the number of violations, the nature, seriousness, willfulness, pattern, and length of the misconduct, and the defendant’s assets, liabilities, and net worth.

Although consumers have a limited private right of action under the CCPA, the law expressly limits other causes of action based on a violation of the CCPA. Section 1798.150(c) specifically states that a violation of any provision of the CCPA shall not “be interpreted to serve as the basis for a private right of action under any law.” On the face of the statute then, consumers should be precluded from using a violation of the CCPA to sue under other consumer protection laws. For instance, a consumer should be precluded from using a business’ violation of the CCPA to support a claim under California’s Unfair Competition Law (UCL), California Business and Professions Code §§ 17200 et seq., which permits a private right of action for claims based on unlawful, unfair, or fraudulent business acts or practices.

Nevertheless, businesses will face two hurdles in fending off state law claims predicated on violations of the CCPA. First, many consumer protection laws, including the UCL, allow for cumulative remedies or penalties under state law unless expressly provided otherwise. See, e.g., Cal. Bus. & Prof. Code § 17205. While businesses are on strong footing on this issue, they will nonetheless need to persuade a court that the California legislature expressly intended to prohibit consumers from using a CCPA violation as a predicate for a violation of other consumer protection laws. Second, plaintiffs may still sue for alleged violations of state consumer protection laws independent from the CCPA. Section 1798.150(c) states that the CCPA does not “relieve any party from any duties or obligations imposed under other law[s] of the United States or California Constitution.” Under this provision, for instance, nothing stops a plaintiff from asserting unfair or deceptive practices by a business in connection with a privacy policy it has implemented or a data security procedure it follows without referencing the CCPA specifically.

In sum, while businesses should seek dismissal of consumer protection law claims directly based on a violation of the CCPA, businesses should also prepare to vigorously defend consumer protection claims that are independently and concurrently alleged from a CCPA violation.

Tags: CCPA, Privacy
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Alicia A. Baiardo Alicia A. Baiardo

Ali, a partner in the San Francisco office of McGuireWoods, is a commanding commercial litigator trusted by three of the largest U.S. banks and numerous Fortune Global 500 companies to defend high-stakes, multimillion-dollar class actions and other complex litigation. Her practice spans nationwide…

Ali, a partner in the San Francisco office of McGuireWoods, is a commanding commercial litigator trusted by three of the largest U.S. banks and numerous Fortune Global 500 companies to defend high-stakes, multimillion-dollar class actions and other complex litigation. Her practice spans nationwide consumer class actions involving millions of class members, California-wide cases alleging unfair competition, fraud, violation of various consumer protection statutes, complex Ponzi-scheme matters brought against financial institutions, and the rapidly evolving landscape of mass arbitrations. She has a strong track record of successfully representing clients through trial, including defending major national banks in multidistrict class action litigation and individual class actions, skillfully navigating the regulatory implications that often accompany such matters.

Read more about Alicia A. Baiardo
Show more Show less
Photo of Anthony Q. Le Anthony Q. Le

Anthony has a broad array of experiences assisting with compliance issues, regulatory and enforcement matters, internal investigations, and individual and class litigation. His diverse practice helps him achieve the most efficient and practical results for his clients spanning the financial services, technology, automobile…

Anthony has a broad array of experiences assisting with compliance issues, regulatory and enforcement matters, internal investigations, and individual and class litigation. His diverse practice helps him achieve the most efficient and practical results for his clients spanning the financial services, technology, automobile, and retail sectors.

Read more about Anthony Q. Le
Show more Show less
Related Posts
Halloween Reminder – Don’t Get Haunted by Hacks
October 29, 2025
California’s CIPA Jurisprudence Is Unworkable: The Legislature Should Fix It—Starting With SB 690
October 24, 2025
New CCPA Rules Are Here: Is Your Business Ready for What’s Next?
October 8, 2025