In order to protect privacy rights and provide consumer protection to the residents of California, the State Legislature passed the California Consumer Privacy Act (CCPA) in 2018. The Act came into effect on January 1, 2020, after which a number of class action suits were filed. The CCPA gives consumers several new privacy rights, such as the right to know how their personal information is collected, used and shared, the right to request deletion of their personal information, and the right to opt out of “sales” of their personal information.

However, the Act has been criticized for limiting the private right of action: it does not give consumers the right to sue for a violation of privacy rights, and it provides reasonable protection against only a few types of data breaches, which do not include the privacy rights that the Act is best known for. The private right of action is limited to the security right, which is only violated if sensitive categories of personal information are subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices. Also, defendants can file for dismissal of claims based on the explicit limitations provided under the Act, making it difficult for plaintiffs.

Recently, in Arifur Rahman v. Marriott International, Inc. et al., No.: 8:20-cv-00654, U.S. District Court Judge David O. Carter dismissed the complaint on January 12, 2021. In the complaint, the plaintiff alleged that he, along with other customers, was a victim of a cybersecurity breach at Marriott. The suit, which was filed on April 03, 2020[1], was dismissed even before it was sent for the defendant’s argument.

The plaintiff alleged that employees of Marriott in Russia had accessed his and other members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization. Marriott accepted that there was a data breach and, in furtherance of the same, sent letters to the individuals whose data had been accessed. However, it was confirmed that no sensitive information, including social security numbers, credit card information or passwords, was accessed.

The court held that it lacked subject matter jurisdiction to deal with the suit and also that the plaintiff lacked standing to sue as required under Article III of the U.S. Constitution. This was because no sensitive personal information was accessed, and no theft of such information occurred. The prerequisite for filing a claim under the CCPA is that the data breach must have involved sensitive information accessed without authorization. Since the plaintiff's suit lacked these essential prerequisites, the court had to dismiss it. In this case, the data breach had affected approximately 5.2 million Marriott customers. However, the information accessed by hackers did not come under the ambit of sensitive information, which was a required element to be able to continue the lawsuit.

It can thus be seen that while the CCPA provides privacy rights and consumer protection, plaintiffs face challenges in availing themselves of protection for data breaches due to the restraints imposed by the constitutional requirements unique to federal courts.

[1] See Complaint at
