The Inside Scoop on CCPA: Top Data Privacy Trends
What do surfing, filmmaking, and rigorous data privacy law enforcement have in common?
They’re all happening in California.
We’re talking, of course, about the California Consumer Privacy Act (CCPA), which was passed in 2018 and amended in 2022. With the law taking effect in January 2020, we’re now in our third year of CCPA-related litigation and enforcement.
Recently, the law firm Akin Gump Strauss Hauer & Feld LLP released its third annual CCPA Litigation and Enforcement Report. The report reviews trends in data privacy litigation from 2022, and it predicts emerging patterns for 2023.
Today, we’ll look at the report’s key findings. We’ll also suggest a way for companies to strengthen their data privacy for compliance with the CCPA and other regulations.
Background on the CCPA
First enforced in 2020, the CCPA provides California consumers with the right to sue companies if their personal data is breached as a result of poor security practices. The law was amended by the California Privacy Rights Act of 2020 to further strengthen privacy protections for Californians, with most of the new requirements taking effect in January 2023.
Both acts were passed in response to growing concerns over the collection, use, and sharing of personal data by businesses. They govern all companies that conduct business in California, regardless of where those companies are headquartered. And they cover a wide range of personal information, including things like a person’s name and browsing history.
Under the CCPA, businesses are required to provide California residents with certain disclosures about their data collection and sharing practices, including a privacy notice. Companies also have to implement reasonable data security and privacy measures to protect the personal information they collect.
What are the CCPA report’s key findings?
According to Akin Gump Strauss Hauer & Feld LLP, California has seen 320 CCPA lawsuits from more than 200 law firms since the law's inception. Major defendants include Bank of America, T-Mobile, Samsung, Sephora, and more.
Below, we’ll dive into some of the 2022 CCPA trends highlighted in the Akin report.
Data breaches continue to drive CCPA litigation
Under California’s data privacy act, companies must file notices of data breaches with the California attorney general. More than 80% of CCPA suits brought in 2022 corresponded to one of these breach notices. In fact, businesses that reported a data breach to the AG had about a 15% chance of subsequently facing consumer litigation.
A data breach can lead to a lawsuit in California (and has) even if only one consumer is affected. That said, the majority of recent lawsuits stemmed from very large incidents. According to the Akin report, 56% of CCPA lawsuits in 2022 came from data breaches involving the personal information of 100,000 or more people.
Financial services continue to face the most CCPA claims
For the third year in a row, businesses in the financial services industry are the most likely to face a CCPA claim. The Akin report indicates that over 34% of all CCPA lawsuits initiated in 2022 were brought against businesses operating in the financial services industry.
Why is this happening? It might be because consumer opt-out rights are more extensive under the CCPA than under the federal Gramm–Leach–Bliley Act and other financial privacy laws. Or it might be that CCPA consumer protections extend not just to financial information but to all personal information. This requires a substantial mindset shift from financial institutions, and it’s likely that some are lagging.
Awareness of CCPA litigation grows
The Akin report notes a significant decrease — nearly 50% — in CCPA cases from 2021 to 2022, but its authors caution that interest in consumer-driven CCPA litigation is not cooling.
Rather, they suggest that the downward trend means that law firms are refining their strategies. CCPA litigation initially involved a higher quantity of cases to feel out the legal standards and “see what stuck.” Now, with more knowledge of the limitations of these suits, law firms are being choosier about their cases.
Companies face significant penalties under the CCPA
In cases brought by private citizens, the CCPA awards statutory damages ranging from $100 to $750 per consumer per incident. That said, additional settlement funds may be earmarked for consumers’ actual losses, including the cost of remediation.
In cases brought by the California AG directly, damages can be much higher. The AG can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation. Depending on the size of the incident, these penalties can add up very quickly, making compliance with the CCPA an absolute necessity for anyone doing business in California.
Strengthening data privacy for CCPA compliance
California's legislative and regulatory action on data privacy continues to grow, so businesses processing personal information of Californians must remain vigilant to avoid significant negative impacts on their bottom lines.
Most companies looking to meet CCPA compliance should start by conducting regular risk assessments to evaluate the potential impact of data breaches, theft, or unauthorized access. Once risks have been identified, businesses can implement appropriate controls, such as encryption, access controls, and intrusion detection systems, to mitigate those risks.
Companies can also implement privacy-by-design principles to embed data privacy into their operations from the outset. And they should consider adopting stronger data privacy software to protect themselves from the myriad of threats to personal data today.
Strengthening data privacy and compliance with ShardSecure
ShardSecure’s Data Control Platform offers a solution to protect data and support compliance. Our technology separates data access from unauthorized users, keeping it private from cloud storage providers and cyberattackers alike. Personal data is rendered unreadable to all third parties, significantly reducing the chance of reportable data breaches.