In less than one month, the California Consumer Privacy Act of 2018 (CCPA) will go into effect and begin a new era of data breach litigation. While the California Attorney General is charged with generally enforcing the state’s landmark privacy law, consumers’ ability to rely on a violation of the CCPA as a basis for violations of other state law statutes will be a concern.

For background, Section 1798.150(a)(1) of the CCPA gives consumers a limited private right of action. The provision allows consumers to sue businesses that fail to maintain reasonable security procedures and practices to protect “nonencrypted or nonredacted personal information” of a consumer and further fail to cure the breach within 30 days. A violation of this data security provision allows recovery of statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive relief. To determine the appropriate amount of statutory damages, courts must analyze the circumstances of the case, including the number of violations, the nature, seriousness, willfulness, pattern, and length of the misconduct, and the defendant’s assets, liabilities, and net worth.

Although consumers have a limited private right of action under the CCPA, the law expressly limits other causes of action based on a violation of the CCPA. Section 1798.150(c) specifically states that a violation of any provision of the CCPA shall not “be interpreted to serve as the basis for a private right of action under any law.” On the face of the statute then, consumers should be precluded from using a violation of the CCPA to sue under other consumer protection laws. For instance, a consumer should be precluded from using a business’ violation of the CCPA to support a claim under California’s Unfair Competition Law (UCL), California Business and Professions Code §§ 17200 et seq., which permits a private right of action for claims based on unlawful, unfair, or fraudulent business acts or practices.

Nevertheless, businesses will face two hurdles in fending off state law claims predicated on violations of the CCPA. First, many consumer protection laws, including the UCL, allow for cumulative remedies or penalties under state law unless expressly provided otherwise. See, e.g., Cal. Bus. & Prof. Code § 17205. While businesses are on strong footing on this issue, they will nonetheless need to persuade a court that the California legislature expressly intended to prohibit consumers from using a CCPA violation as a predicate for a violation of other consumer protection laws. Second, plaintiffs may still sue for alleged violations of state consumer protection laws independent from the CCPA. Section 1798.150(c) states that the CCPA does not “relieve any party from any duties or obligations imposed under other law[s] of the United States or California Constitution.” Under this provision, for instance, nothing stops a plaintiff from asserting unfair or deceptive practices by a business in connection with a privacy policy it has implemented or a data security procedure it follows without referencing the CCPA specifically.

In sum, while businesses should seek dismissal of consumer protection law claims directly based on a violation of the CCPA, businesses should also prepare to vigorously defend consumer protection claims that are independently and concurrently alleged from a CCPA violation.