Latimer LeVay Fyock, LLCLatimer LeVay Fyock, LLC

The Implications of the California Privacy Rights Act to Non-California Companies Part 2

Colin T.J. O'Brien

My prior blog post discussed the triggers that will determine which companies will be obligated to abide by the terms of the California Consumer Privacy Act (“CCPA”) even if California is not a significant source of sales. This post can be found here.

Given the complexity of the CCPA, a rational business owner may wonder if it is even necessary to spend the money to comply with the California law, particularly if their company does not have many sales in that state. As outlined below, business owners should make compliance with the CCPA a priority as there can be both state and private causes of action available against a company deemed to have violated the CCPA. This post will focus on the private causes of action.

Data Breach Actions

Companies have been sued as a result of data breaches with plaintiffs relying on Section 1798.150 of the CCPA as excerpted below:

(a) (1) Any consumer whose nonencrypted and nonredacted personal information… or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

Section 1798.150 does allow for a 30-day cure period upon notice received from a plaintiff, but it appears that lawsuits are being filed before the 30-day cure period with plaintiffs petitioning to submit amended complaints after the cure period.

Notice and Opt-out Violations

Compliance with the CCPA can be complex but not adhering to the requirements of the law can lead to significant litigation. Since 2020 there have been numerous lawsuits filed against companies that plaintiffs claim did not adhere to sections of the CCPA such as the following:

1798.100(b): A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

1798.120(b): A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.

1798.135(a): A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:

(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.

(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:

(A) Its online privacy policy or policies if the business has an online privacy policy or policies.


Since the inception of the CCPA in 2020, there have been numerous class-action lawsuits citing sections of the CCPA as a basis for the actions. In addition to the CCPA claims, plaintiffs are also including unfair competition claims against companies. While the initial lawsuits are winding their way through the courts, companies should be proactive in making sure they are in compliance with the CCPA. In future blogs we will discuss in more detail the enforcement regime which will be implemented by the state of California  under the CCPA and what policies and procedures companies should implement to comply with the CCPA.

Let Us Help

If you are a business owner who needs assistance ensuring that your business complies with the CCPA or other data privacy regulations we welcome the opportunity to help. Please contact one of our data protection attorneys Colin O’Brien at, John Ambrogi at Brian LeVay or Avery Buffa if you have any questions or comments.