One of the most significant consumer rights offered by the new California Consumer Privacy Act (CCPA) is what we call the “private right of action” afforded by the law. A private right of action under a law basically means that if someone violates the law and a person is damaged, the person can assert a specific claim against the offender by citing the specific law. If the person damaged can prove that s/he was damaged and that the damage was caused by the one who violated the law, that person can potentially get past a Motion to Dismiss.

It is significant that CCPA provides a private right of action, and there has been much speculation about whether the CCPA will open the floodgates of litigation.

One of the first cases that specifically alleges a violation of CCPA was filed on March 10, 2020 in California federal court against Sunshine Behavioral Health Group, LLC (Sunshine). The suit alleges that Sunshine, a drug and alcohol rehabilitation facility, violated CCPA when it suffered a data breach in September of 2019 and did not have appropriate security measures in place. The Plaintiff, a resident of Pennsylvania, alleges that following the data breach (which affected 3,500 patients’ protected health information), someone tried to open a credit card account in his name and that he has received magazine subscriptions he did not order.

The plaintiff is attempting to represent a class of individuals affected by the data breach, and is seeking an order requiring Sunshine to implement “reasonable” security measures. It is unknown whether the plaintiff provided 30 days’ notice to Sunshine to implement security measures before the suit was filed, which is required under CCPA.

Nonetheless, we predict that there will be many more suits alleging a private right of action following a data breach under CCPA, and this case is a good reminder of the CCPA statutory requirement for companies to have appropriate security measures in place to protect personal information in its possession relating to California residents.