In a recent decision, the U.S. District Court for the Northern District of California has construed the private right of action provision under the California Consumer Privacy Act (CCPA) broadly, which increases business risk to tracking technologies lawsuits that are already rampant.

As background, the CCPA (Civil Code §1798.150) limits private rights of action to data security breaches.  Specifically, that section allows a private right of action for any consumer whose nonencrypted and nonredacted personal information, or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal.

The Court construed this provision broadly to include a business’s use of tracking technologies on its website without consent.  Specifically, the Court held that disclosure of personal information to third-party vendors plausibly constitutes an unauthorized disclosure. 

This ruling has a significant impact on businesses by increasing their potential risk for use of third-party vendors that place tracking, marketing and analytics technologies on the business’s website.

While this area is further developed, businesses should review their privacy policies to ensure full, accurate and complete disclosure of their data governance practices, including the use of tracking technologies on their websites, and review or install cookie consent management banners to obtain affirmative consent to the business’s data governance practices.