The Intersection of Privacy-Focused Litigation and Consumer Protection Claims
Pushing the Boundaries of Privacy Litigation in California
At a Glance
- When plaintiffs rely on California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) violations as the basis for Unfair Competition Law (UCL) claims, they typically do so under the UCL’s fraudulent or unfair prongs by alleging that public-facing privacy statements were deceptive or misleading. These claims often work in conjunction with independent violations of law, like constitutional privacy rights or negligence, rather than relying on the CCPA/CPRA alone.
- To minimize risk and potential litigation exposure, businesses should ensure that privacy-related representations match both legal obligations and operational realities. That includes, but goes beyond, CCPA/CPRA compliance. Companies that do not implement necessary diligence procedures for publication of public-facing material and do not make efforts to properly handle consumer data beyond compliance with the CCPA/CPRA may increase their legal exposure.
California courts have seen a dramatic rise in privacy-focused litigation during the past few years due to the implementation of privacy laws such as the California Consumer Privacy Act (CCPA). The CCPA, as amended and expanded by the California Privacy Rights Act (CPRA), introduced new protections for consumers and increased the obligations of businesses that handle personal data, such as allowing consumers to correct personal information, limiting the use of sensitive data, and requiring reasonable security procedures and practices.[1]
However, the CCPA/CPRA provides only a limited private right of action for issues related to data breaches[2]; thus, companies may assume that litigation risks arising from the CCPA/CPRA are confined to compromised data. But companies must be alert to the fact that consumers can use, and have tried to use, CCPA/CPRA obligations — like alleged failures to deliver on privacy-related promises — as factual predicates for broader consumer protection claims triggering exposure far beyond the scope of current privacy laws. This strategy has increased litigation exposure for businesses as consumers seek to reframe privacy-related issues under more flexible consumer protection statutes not constrained by the CCPA/CPRA’s limited private right of action.
An Alleged CCPA/CPRA Violation Cannot Be Used on Its Own to Predicate UCL Claims
When the California legislature was considering passing the original version of the CCPA, businesses were (rightly) concerned about a private right of action. Those concerns resulted in a narrowly defined private right of action: “Nothing in this act shall be interpreted to serve as the basis for a private right of action under any other law.” Businesses generally viewed this as a win because it expressly foreclosed the plaintiffs’ bar from filing a lawsuit under California’s Unfair Competition Law (UCL).
The UCL’s “unlawful” prong allows plaintiffs to “borrow” other laws and make claims independently actionable under the UCL. Courts have found that violations of the CCPA/CPRA cannot be used as the sole basis for a private right of action under the UCL.[3] But that does not mean a UCL claim and a CCPA/CPRA or data privacy claim are mutually exclusive. For a UCL claim to proceed, the alleged misconduct must independently violate other laws or constitute unfair, unlawful, or deceptive practices beyond violating the CCPA/CPRA. The UCL also requires plaintiffs to show they suffered an “injury in fact” and lost money or property because of unfair business practices, which can be a limiting factor in asserting a claim related to CCPA/CPRA allegations.[4]
What Types of Other Claims Have Been Filed?
When plaintiffs rely on CCPA/CPRA violations as the basis for UCL claims, they typically do so under the UCL’s fraudulent or unfair prongs by alleging that public-facing privacy statements were deceptive or misleading. These claims often work in conjunction with independent violations of law, like constitutional privacy rights or negligence, rather than relying on the CCPA/CPRA alone. Recent cases illustrate how courts may deny motions to dismiss based on alleged privacy misrepresentation theories framed under the UCL or Consumer Legal Remedies Act (CLRA). These rulings highlight the importance of aligning external privacy statements with internal practices to reduce litigation risk.
For example, in Mehta v. Robinhood Financial, the plaintiffs claimed that their personal information was shared with third parties and that the defendant failed to maintain proper industry-standard security measures.[5] The Northern District of California denied a motion to dismiss the UCL claim, under the unfair prong, based on alleged misrepresentations regarding defendant’s compliance with CCPA/CPRA, the California Constitution’s right to privacy and the CLRA. In addition, the court found that whether benefits from defendant’s allegedly unfair business practices, including “emphasizing growth and profit over protecting their customers’ personal and financial information and failing to implement industry-standard security measures,” outweighed the resulting harm was a “factual determination that cannot be made at this stage of the proceedings.”[6] The plaintiffs’ UCL claim under the unlawful prong also survived because the court held they sufficiently alleged that the defendant concurrently and independently violated the CCPA/CPRA, the right to privacy established in the California Constitution, the CLRA and negligence standards.[7]
Similarly, in McCoy v. Alphabet, Inc., the plaintiff’s allegations that the defendant’s privacy policy only partially disclosed the extent of the data being collected, while actually monitoring and collecting sensitive personal data to gain an advantage over competitors, were deemed sufficient at the pleading stage to state a valid claim for relief.[8] The plaintiff’s UCL claim, brought under the fraudulent prong, survived the pleading stage because the court found that (i) the defendant’s public-facing privacy claims did not align with its actual data practices and (ii) the plaintiff sufficiently “alleged that he reasonably relied upon these representations and if he had known that his information would be monitored, disclosed and misused for the defendants’ sole benefit, he would not have used the defendants’ service.”[9]
Risk Areas and Guidance for Avoiding Unnecessary Litigation
Accuracy and completeness are important when it comes to talking about your company’s privacy practices. To minimize risk and potential litigation exposure, businesses should ensure that privacy-related representations match both legal obligations and operational realities. That includes, but goes beyond, CCPA/CPRA compliance. Companies that do not implement necessary diligence procedures regarding the publication of public-facing material and do not make efforts to properly handle consumer data beyond compliance with the CCPA/CPRA may increase their legal exposure. To mitigate such risks, companies should involve their compliance and privacy counsel in relevant disclosure decisions and should consider some or all of the following:
- Requiring that all statements, marketing materials, and public representations referencing data privacy and legal compliance are reviewed by appropriate legal and technical subject matter experts
- Ensuring that public-facing material accurately and consistently reflects the data privacy policies of the company — even if both are compliant, plaintiffs may try to leverage discrepancies to argue deceptive or unfair practices
- Developing a streamlined process for publishing data privacy material by putting together a committee with members from relevant departments and creating a publication development policy and procedure
- Being cautious of absolutes and guarantees, such as “always,” “never” and “100% guarantee” in statements about privacy practices
- Ensuring that terminology accurately reflects the procedures and policies of the company
- Minimizing the inclusion of information about technical details in public-facing material, to the extent permissible by law
- Ensuring that consent is received from consumers for data collection, where appropriate and/or necessary
- Monitoring and updating data security practices, policies, and disclosures regularly to ensure consumer data is protected, processes are not outdated and public statements remain in line with existing practices
- Coordinating with vendors and technical/IT assets to ensure that promises and representations about data handling are carried out
Compliance with the CCPA/CPRA alone does not shield companies from consumer protection claims, as data privacy policies and practices can trigger potential exposure beyond the reach of privacy laws. Failure to comply with obligations under the full suite of privacy laws will continue to have serious consequences for businesses and individuals, particularly with plaintiffs’ strengthened focus on data privacy and increasingly creative allegations.
The authors wish to thank Victoria Turner (2025 summer associate and law student at University of Southern California’s Gould School of Law) for her invaluable assistance in drafting this article.
1. Cal. Civ. Code § 1798.100; Proposition 24, Sec. 4.
2. Cal. Civ. Code § 1798.150.
3. See, e.g., In re Sequoia Benefits and Insurance Data Breach Litigation, No. 22-cv-08217-RFL, 2024 WL 1091195 at *8 (N.D. Cal. Feb. 22, 2024) (UCL claim predicated solely on CCPA claim dismissed because the CCPA specifically states consumers may not use it as a basis for a private right of action under any statute).
4. See, e.g., Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK, 2021 WL 6882377 at *11 (N.D. Cal. May 6, 2021) (plaintiffs sufficiently alleged a UCL injury where they claimed that if they had been aware of privacy misrepresentations by defendant they would not have made above-rate payments); Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 330 (Cal. 2011) (finding that assertion that plaintiff “would not have bought the product but for” the unfair business practice is sufficient to establish UCL standing).
5. Mehta v. Robinhood Financial LLC, No. 21-cv-01013-SVK, 2021 WL 6882377, at *12 (N.D. Cal. May 6, 2021).
6. Id.
7. Id.
8. McCoy v. Alphabet, Inc., No. 20-cv-05427-SVK, 2021 WL 405816, at *10 (N.D. Cal. Feb. 2, 2021).
9. Id.