Law News, Briefings, Reports, & Legal Intelligence Resources
Class Action

California Consumer Privacy Act (CCPA) And Future Class Actions

The California Consumer Privacy Act (CCPA) law is considered among the most comprehensive data privacy mandates in America. It requires covered companies to respect consumers’ privacy and to make sure that any data collection they practice are legal, transparent and necessary to perform the business purpose. A fertile ground for future class actions.
By Simpluris Research Team
  • Share

Humans now exist both physically and digitally. As in the physical universe, one misstep online can potentially destroy private lives in an instant. Everyone has reason to be hyper-vigilant closely guarding their personal information. In The Age of Surveillance Capitalism, Shoshana Zuboff’s groundbreaking new book, examines thriving business models geared towards collecting metadata from individuals at nearly every instant --- of every hour every day, cataloging our “every move, emotion, utterance and desire”. Powerful corporations seeking to predict and control our behavior in the long term is disturbing to many on a personal level. Many consider threats to their online security as a highest priority. Indeed, businesses are constantly under attack by trolls and other unscrupulous hackers and digital criminals. Some of the deleterious effects of inadequate data protection are identity theft, financial fraud, destruction of property, damage to reputation, harassment, with its associated emotional physical stress.

And the landscape is now changing. The state of California has a well-documented history as a legislative policy trailblazer, and long recognized as a global center for high technology, innovation, social media and related industries. With this history and environment, the state legislature passed the California Consumer Privacy Act (CCPA) taking effect on January 1, 2020. Modeled after Europe’s General Data Protection Regulation, this law is considered among the most comprehensive data privacy mandates in America. It requires covered companies to respect consumers’ privacy and to make sure that any data collection they practice are legal, transparent and necessary to perform the business purpose. A fertile ground for future class actions.

How does it all work?

California Consumer Privacy Act (CCPA) Nuts and Bolts

New notices are, and will be, springing up on webpages and telephone screens. ‘Privacy Policy’ on first screens, right to access your personal information kept by the web page, (including the categories and specific pieces of personal information that have been collected) and to have it deleted (subject to reasonable exemptions). And the consumer can now ‘opt out’ of the sale of their personal data. And no discrimination please when a consumer is asserting their privacy rights under the statute.

Once a California resident believes personal information is or has been collected about them, sold or disclosed to entities without their knowledge, or that any of their privacy rights outlined in the CCPA are being denied, prior to brining a lawsuit they are required to provide the allegedly offending business 30 days written notice identifying the specific provisions of the statute believed to been violated. The suspected violator must act within the 30-day period. They must also provide the consumer an express written statement that the violations have been cured and that no further violations shall occur. 

But if no cure, the consumer can initiate legal actions for statutory damages (discussed below) on an individual or class action basis. But no notice is required if pecuniary damages are suffered from violations of privacy requirements.


The law is focused on larger business interests, those with gross revenues exceeding $25 million, or annually buying, receiving for a commercial purpose, selling or sharing the ‘personal information’ of 50,000 or more consumers, households or devices; or businesses focusing 50 percent or more of their annual revenues from selling consumers’ personal information.

But in appreciation of the jurisdictional challenges that would follow, the California legislature exempts business if “every aspect” of their commercial conduct “takes place wholly outside of California”. But if the business is collecting personal information of California consumers the law applies to them. California has 40 million people. So if your doing business on the internet good chance you are dealing with a Californian.

And compliance entails a ‘conspicuous’ link to the sites privacy policy that must be updated at least every 12 months. Additionally, each web site needs to contain a “Do Not Sell My Information” page allowing consumers a chance to ‘opt out’ from having their personal information sold. The link to this page must appear on the homepage of the web site.


‘Personal information’ is broadly defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

The statutory list is long. Examples include:

Personal identifiers

Real name and known aliases, postal address, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers

Personal identifiers

Financial, medical or health insurance information

Financial, medical or health insurance information

This category includes insurance policy, bank account, and credit card numbers

Commercial information

which includes personal property records, along with products or services bought

Commercial information

Biometric information

Biometric information

Can be a scary category. An individual’s physiological, biological or behavioral characteristics, including their DNA, eye imagery, fingerprints, voice recordings, and even sleep, health or exercise data that contain identifying information

Internet or other electronic network activity information

including search and browsing history, records of interaction with internet websites, applications or advertisements

Internet or other electronic

And let’s add in … geolocation data; audio, electronic, visual, thermal, olfactory or similar information; professional, employment-related and education information. That’s a lot of potential exposure! $750 per violation, times the number of users, and each ‘violation’ is for each piece of data!

One item on the list is enough to be in violation of the CCPA. And the list is not exhaustive. Any consumer profile indicating the consumer’s commercial and personal characteristics, buying behavior and preferences can exposes a business.


The above categories are quite expansive. A far question is ‘is any information not covered’. Answer, yes, but limited. Information obtained from public governmental records, data that has been ‘deidentified’, which mean it is no longer specifically associated with a person, as long as the company does not ‘reidentify’ it back; and “aggregate consumer information” meaning related to a group or category of consumers, but not linked, or reasonably linkable, to any consumer or household.


If the California Attorney General becomes involved fines of up to $7500 per intentional violation are mandated. Consumer litigants are provided a private right of action and up to $750 per violation. That can add up to lots of money for each time someone accesses a non-compliant application or website. Consider a business that failed to put a right to ‘opt-out’, a right to disclosure statement or a ‘Do Not Sell My Personal Information’ warning on their webpage, multiplied by the amounts of clicks. Each ‘cookie’ can be a violation. The statute directs a court that

In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

Hence, lots of avenues for plaintiffs’ discovery plan, and the larger the internet or web company possibilities for large damage awards will always loom. Numerous consulting companies are focused on protecting users, and ultimately webpages, in their usage of cookies. And all these users are identifiable --- the exact reason the California legislature passed the Act. With these possibilities class actions exposure to data companies can be extensive.

And of course, each of these possibilities will be tested in the courts as creative lawyers seek to expand, or narrow, the meaning and scope of the new law. Simpluris intends to keep you informed of these developments.

Additionally, California’s Unfair Competition Law, Business & Professions Code Section 17200, empowers plaintiffs, and their attorneys, with additional hammers of attorney fee awards and injunctive relief.

And while Simpluris’ is ready to handle any onslaught of a large scale technological class action administration, digitally and physically, attorneys on both sides must prepare for a whole new class action battleground as the internet and privacy issues has proven to be an expansive ground for these large litigation encounters.

Get Unlimited Access To Simpluris Insights—FREE
We won't ever sell your information. We'll only send a brief summary of legal industry news once in a while.
Schedule a free, expert consultation with a Simpluris Project Manager
So that we may best serve you, please let us know the following:
Ascertainability Numerosity
Federal-Rule-of-Civil-Procedure-23 Class-action-certification
We're excited to learn about your business.
First, a bit about you.
Something went wrong. Please try again
Class members may visit our case lookup screen to locate information related to your case.
Hi , do any of the following times work for you?
Hi , Please call us at 714-640-5606
All times are . Please allow for 30 minutes.
All available appointment slots are booked for the next few days.
  • Today

  • Tomorrow

  • Day After Tomorrow

  • Day 4

  • Day 5

  • Day 6

Please select at least one time slot.
Something went wrong. Please try again
Thanks , we look forward to meeting you !
Check your email for more info and a calendar invitation.