Insights

Craig Cardon, a leader of the Privacy and Cybersecurity practice group, comments on the California Consumer Privacy Act (CCPA), and recent cases brought against retailers for sharing data with a software firm without consumer notice or consent. Under the CCPA consumers can file claims when their personal data has been “subject to an unauthorized access and exfiltration, theft, or disclosure” when a business has failed “to implement and maintain reasonable security procedures and practices.” Regarding whether private claims are only allowed when data breaches or cyber-attacks uncover sensitive information such as “Social Security numbers, payment card data or medical information,” Cardon notes, “The question is: Is there a private right of action based on data use allegations when there are no allegations consistent with what we could call a 'traditional' data breach?”