ARTICLE
6 May 2025

Dechert Cyber Bits - Issue 75 - May 1, 2025

Contributor: Dechert

Dechert is a global law firm that advises asset managers, financial institutions and corporations on issues critical to managing their business and their capital – from high-stakes litigation to complex transactions and regulatory matters. We answer questions that seem unsolvable, develop deal structures that are new to the market and protect clients' rights in extreme situations. Our nearly 1,000 lawyers across 19 offices globally focus on the financial services, private equity, private credit, real estate, life sciences and technology sectors.
United States Privacy

Recent Rulings Could Signal Expansion of California Consumer Privacy Right of Action

Judges in two separate cases in the U.S. Northern District of California ("N.D. Cal.") recently ruled that class actions brought by private plaintiffs under the California Consumer Privacy Act ("CCPA") could proceed without an allegation of a data breach, signifying a departure from the traditional understanding of the CCPA's private right of action.

The CCPA maintains a private right of action if consumers' personal information is subject to unauthorized access and exfiltration, theft, or disclosure caused by a business's failure to implement and maintain security procedures and practices. While this provision has often been used in the context of data breaches, the recent decisions allowed cases dealing with the disclosure of personal information through third-party cookies and other tracking technologies to move forward under the private action provision.

In March 2025, the N.D. Cal. (in Shah v. Capital One Financial Corp.) rejected Defendant Capital One's motion to dismiss the private Plaintiffs' CCPA claims based on the Plaintiffs' failure to allege a data breach. Rather, the Plaintiffs argued that Capital One violated the CCPA by allowing third parties to embed online trackers in Capital One's website. Similarly, in M.G. v. Therapymatch, Defendant Therapymatch filed a motion to dismiss based on the Plaintiff's failure to allege a data breach under the CCPA—rather, the Plaintiff argued that the Defendant's online tracking tools collected and shared their personal information in violation of the CCPA. Again, the N.D. Cal. found for the Plaintiff on this issue, ruling that a data breach is not required for the CCPA's private right of action provision to apply.

Takeaway: These two rulings, if upheld, signal a significant expansion of the CCPA's private right of action. As a result, businesses may expect in the near (and potentially long) term a sizeable uptick in private CCPA litigation. With this would come the potential for Plaintiffs to seek statutory damages, which allow plaintiffs to obtain money damages ranging from $100 to $750 per individual per violation.

Hands Off My Data: Virginia Approves Health Data Protections

Virginia Governor Glenn Youngkin, on March 24, signed amendments to the Virginia Consumer Protection Act ("VCPA") to strengthen protections for residents' reproductive or sexual health data. The amendments take inspiration from legislation passed in other states aiming to limit the disclosure of people's healthcare data.

Taking effect on July 1, 2025, the VCPA will prohibit the obtaining, disclosing, selling, or disseminating of any personally identifiable reproductive or sexual health information without the consent of the consumer. Here, "reproductive or sexual health information" is defined broadly, as information relating to reproductive or sexual health conditions or status, efforts to obtain reproductive or sexual health information services, information about treatment or medication, and information that is derived or extrapolated from non-health related information (such as purchase history).

This amendment to the VCPA is also notable for including a private right of action. Individuals who suffer loss due to a violation will be entitled to pursue the greater of actual damages or $500 under the VCPA's private right of action, with treble damages or $1,000, whichever is greater, available for willful violations. Additionally, the law's inclusion within the VCPA instead of the Virginia Consumer Data Protection Act ("VCDPA") means that it may apply in circumstances that are outside the scope of the VCDPA.

Takeaway: A growing number of states are taking initiative to address consumer concerns regarding the privacy of health data. Bills restricting the disclosure of health data are increasing in number, and with more states choosing to protect residents' health data, companies should review their own data practices for compliance with such laws.

European Data Protection Board Publishes Guidelines on Processing Personal Data Through Blockchain Technologies

The European Data Protection Board ("EDPB") has published guidelines on processing personal data through blockchain technologies (the "Guidelines") designed to help organizations using (or considering using) blockchain technologies to navigate the data protection rules in the GDPR. The Guidelines are subject to public consultation until June 9, 2025.

Noting that the complex nature of blockchain technology leads to specific challenges for stakeholders with respect to the processing of personal data, the Guidelines: (i) provide a framework for organizations considering the use of blockchain technology; (ii) outline key GDPR compliance considerations; (iii) provide an overview of the fundamental principles of blockchain technology, including assessing different architectures and the implications for personal data processing; and (iv) clarify that the roles and responsibilities of different actors are fact-specific and should be assessed on a case-by-case basis. Specific recommendations are set out at Annex A to the Guidelines.

Seemingly stating the obvious, the Guidelines say that "as a general rule, storing personal data on a blockchain should be avoided, if this conflicts with data protection principles." Otherwise, organizations are encouraged to, inter alia, adopt privacy by design approaches including privacy enhancing technologies (PETs), carry out data protection impact assessments, implement appropriate security measures, and consider how they would address data subject rights requests such as the right to delete.

Takeaway: The Guidelines demonstrate that the EDPB expects organizations to use and adapt technologies in a way that complies with data protection law. For example, on the thorny issue of potential incompatibility of deletion rights with blockchain (i.e. in most cases there is no practical possibility of deletion), the EDPB emphasizes that "technical impossibility cannot be invoked to justify non-compliance with GDPR requirements." Organizations may instead need to look to anonymization techniques and minimizing or only storing pseudonymized data on the blockchain itself. Organizations using (or considering using) blockchain technologies will want to familiarize themselves with these Guidelines and consider any comments during the consultation period.

DOJ Issues Compliance Guide for New Data Security Program

On April 11, the U.S. Department of Justice ("DOJ") published a compliance guide to assist individuals and entities to comply with its relatively new Data Security Program ("DSP"), which prohibits (or otherwise restricts) certain data transactions, such as any access by a country of concern or covered person to any U.S. government-related data or bulk U.S. sensitive personal data involving data brokerage or a vendor, employment, or investment agreement.

The DSP, which implemented Executive Order 14117, went into effect on April 8, 2025. However, certain of the more burdensome provisions of the DSP, such as the due diligence, audit, and reporting requirements for restricted transactions, will take effect on October 6, 2025.

The compliance guide provides additional details regarding compliance with the DSP. For example, the guide includes sample language that would comply with the DSP's requirement to have contractual language prohibiting onward sale or transfer of data covered under the DSP. Likewise, the guidance provides examples on appropriate vendor due diligence procedures. For further clarification, the DOJ also published a list of frequently asked questions to shed light on concerns voiced during the rulemaking period.

Importantly, the compliance guide also recognizes that individuals and entities may need time to assess whether they fall within the scope of the DSP and, if needed, implement appropriate compliance processes. As a result, the guidance references documentation on the DOJ's enforcement posture regarding the DSP. Specifically, the DOJ will not prioritize civil enforcement actions for violations of the DSP that occur from April 8, 2025, through July 8, 2025, so long as there are good faith efforts to comply with the DSP.

Takeaway: While this guidance provides some additional clarity as to the applicability and implementation requirements of the DSP, individuals and entities are still having to muddle through the numerous gray areas within the DSP. While the DOJ has indicated that it will take a lighter enforcement touch until July, this also suggests that enforcement may uptick mid-summer. Given the potential difficulties with complying with the DSP, companies should start their applicability and compliance review now.

UK Government Publishes Policy Statement on Proposed Cyber Security and Resilience Bill

On April 1, 2025, the UK Department for Science, Innovation and Technology ("DSIT") published a policy statement detailing its proposed Cyber Security and Resilience Bill. This bill aims to enhance the existing Network and Information Systems Regulations 2018, as well as to align with the new EU NIS 2 Directive. According to the statement, the bill will:

  • Expand the scope of the existing Regulations to bring managed service providers within it;
  • Give the government the authority to pass additional legislation to impose supply chain duties on certain in-scope organizations. These duties may include contractual requirements, security checks and continuity plans;
  • Introduce powers for regulators to designate certain suppliers to in-scope organizations as "designated critical suppliers," subjecting them to similar obligations;
  • Grant powers to the government to update existing cybersecurity requirements stemming from the Regulations;
  • Expand incident reporting requirements to include incidents that are capable of having a significant impact on the provision of a service or which significantly affect the confidentiality, availability or integrity of a system. A two-stage reporting structure will be implemented, requiring an "early warning" notification within 24 hours of incident awareness, followed by a detailed incident report within 72 hours; and
  • Give the UK ICO (as a relevant regulator) enhanced information gathering powers to proactively supervise critical digital service providers.

In addition, the DSIT is considering additional measures, including bringing data centers meeting specific capacity thresholds within the bill's scope and a new power to allow the Secretary of State to issue directions to in-scope entities and regulators to address national security threats and incidents.

Takeaway: While the details on the bill are still very high level, the proposed bill does not seem to go far enough to meet the government's aim of aligning the UK's cybersecurity regulations with the EU's updated NIS 2 Directive. Organizations will want to keep an eye on the proposed bill's progress and, for those in scope of NIS 2, in the meantime, focus their efforts on NIS 2 compliance, which should set them in good stead to comply with the proposed bill.

ICO Publishes Fresh Guidance on Anonymization and Pseudonymization

The UK Information Commissioner's Office ("ICO") has published new guidance on anonymization and pseudonymization, highlighting the risks and benefits associated with sharing personal data, as well as the importance of anonymization as a privacy-friendly alternative. By providing an overview of various anonymization techniques, including their strengths, weaknesses, and suitability for different situations, the ICO aims to help organizations protect individuals' identities, enhance security, and reduce risks related to the disclosure or publication of personal data.

In addition to anonymization, the ICO's guidance delves into pseudonymization, which involves replacing information that directly identifies individuals with alternative identifiers, such as numbers. The ICO emphasizes that pseudonymization should not be mistaken for anonymization, as it merely reduces risk and improves security without transforming personal data to the extent that data protection laws no longer apply. This distinction is crucial for organizations to understand in order to implement effective data protection measures.

Takeaway: Complementing the ICO's data sharing code of practice (which gives practical advice on sharing personal data in compliance with data protection laws), this guidance provides helpful advice on how anonymization can be used as an alternative way to share data. While the guidance is not statutory and there are no direct penalties for non-compliance, the ICO will take it into account when looking into any anonymization issues. Organizations will therefore want to be familiar with the guidance and its recommendations and, if they choose not to follow it, be comfortable that they are nevertheless complying with the law.

Dechert Tidbits

Republican Commissioner Confirmed Following FTC Shakeup

Mark Meador, a former partner at Kressin Meador Powers LLC, was recently confirmed by the U.S. Senate to fill the U.S. Federal Trade Commission's ("FTC") third Republican seat. Previously, Meador was on Utah Senator Mike Lee's staff as the Deputy Chief Counsel for Antitrust and Competition Policy, with a specific focus on online consumer protection. Meador's confirmation comes at a time when the FTC's makeup is undergoing a political shakeup as the two Democratic positions remain unfilled following President Trump's removal of FTC Commissioners Bedoya and Slaughter.

Congressional Democrats Indicate Support for Fired FTC Commissioners

Democrats in Congress have indicated their support for a lawsuit brought by two FTC Commissioners who were removed from their posts by President Trump. Commissioners Bedoya and Slaughter (both Democrats) were removed as FTC Commissioners by President Trump in March but have recently brought a lawsuit challenging their removal on the basis that such action was against established caselaw and statutory guidance. A group of 41 U.S. senators and 210 House members filed an amicus brief challenging the removal of Commissioners Bedoya and Slaughter, asserting that their removal cripples the independence of the FTC and is unconstitutional.

NIST Issues Draft Update to Privacy Framework

The U.S. National Institute of Standards and Technology ("NIST") has released a draft updated version of the NIST Privacy Framework, aimed at helping organizations manage privacy risks associated with personal data in complex information technology systems while maintaining alignment with the recently updated NIST Cybersecurity Framework. This draft update introduces targeted revisions to the "Core" section, a new section on AI and privacy risk management and relocates the guidelines to an interactive online FAQ page. These changes are designed to enhance usability and keep the framework relevant to current privacy risk management needs. NIST is accepting public comments on the draft until June 13, 2025, with a final version expected later this year.

ICO Fines Software Provider Over £3 million Following Ransomware Attack

The UK Information Commissioner's Office ("ICO") has fined Advanced Computer Software Group Ltd ("Advanced") £3.07 million for alleged security failings that exposed the personal information of 79,404 individuals during a ransomware attack in August 2022. The ICO found that Advanced's health and care subsidiary lacked the necessary technical and organizational measures to fully secure its systems, including incomplete deployment of MFA, insufficient vulnerability scanning, and inadequate patch management. Despite initially proposing a £6.09 million fine, the ICO reduced the penalty after considering Advanced's proactive engagement with cybersecurity authorities and mitigation efforts. The fine amount is part of a voluntary settlement between the ICO and Advanced.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
