The Privacy Class Action Review - 2023 - Report - Page 15
On the heels of California’s enactment of the California Consumer Privacy Act (CCPA)
in 2020, California businesses will need to comply with all requirements of the California
Privacy Rights Act (CPRA) effective January 1, 2023. The CPRA expands the current
CCPA private right of action by authorizing consumers to bring lawsuits arising from
data breaches involving additional categories of personal information and is arguably
the strictest data privacy law in the United States, which places California privacy law
closer, in many respects, to Europe’s GDPR. With potential statutory damages ranging
from $100 to $750 per consumer per incident, and breaches often involving hundreds of
thousands or even millions of users, these types of claims will almost certainly lead to a
sharp rise in class action litigation.
Virginia, Colorado, Connecticut, and Utah likewise enacted sweeping data privacy laws
that will roll out in 2023. These laws are all similar in structure, but unlike California’s
statute, which allows an individual to sue a company for alleged violations, enforcement
will be left to the respective state attorneys general.
Each of these laws provides for expanded consumer rights related to their data,
including: (i) Right of access (i.e., allows for a consumer to access from a business/data
controller the information or categories of information collected about a consumer); (ii)
Right of deletion (i.e., right for a consumer to request deletion of personal information
14
© Duane Morris LLP 2023
Duane Morris Privacy Class Action Review – 2023
