Corporate Counsel Quotes Natasha Kohne, Michelle Reed, Features Akin Gump’s New CCPA Report
Contact:
Akin Gump cybersecurity, privacy and data protection practice co-heads Natasha Kohne and Michelle Reed were quoted by Corporate Counsel for its article “Plaintiffs Are Filing More Cases Under California's Influential Consumer Privacy Law,” which spotlighted the practice’s new report “CCPA Litigation Report – 2021 Trends and Developments” (get it here).
The article spotlights some of the salient findings from the report, including the fact that lawsuits filed under California’s Consumer Privacy Act (CCPA) rose 60 percent in 2021 to 145 cases over the previous year’s 91.
The article notes that the law applies to companies doing business in California whether or not their primary place of business is in that state. Said Reed, “The CCPA doesn’t define what doing business in California means” and added that states nationwide are considering comparable consumer privacy legislation allowing private plaintiffs to sue.
She added, “The frequency with which plaintiffs bring action, the implications of having a private right of action, the implications of having statutory damages that are more easily calculated than more uncertain damages—all of those things come into play as the different states consider what their options are for enforcement, and whether it’s private enforcement or whether it’s regulatory enforcement by the state.”
The article characterizes as a notable question whether data service providers can be held liable under the CCPA. Kohne said that service provider potential liability is the most interesting case law development coming out of 2021.
Kohne noted that what she found interesting is that service providers are arguing that they are not liable under the CCPA’s private right of action, which only applies to businesses and not data service providers. She added, “One court says you’re a service provider and a business at the same time … and then another court says you’re a service provider or you’re a business, depending on the hat you wear, and so therefore, because you’re a business, you can be sued under the CCPA. It’s interesting to see how the courts are bringing in these service providers and not dismissing them yet from the case.”
Reed said that there are conflicting decisions on how the private right of action provision is being interpreted, adding, “There’s nothing that’s controlling, so I think this is going to be an area where we see a lot of action. But it’s certainly going to have ripple effects across business negotiations [between data service providers and their clients].”
Both Reed and Kohne noted that the California Privacy Rights Act, which takes effect in 2023 and expands the CCPA’s protections, will not change the CCPA’s private right of action provision.