Companies Face Steep Litigation Risks Under California's New Privacy Law

Jones Day

Jones Day

The California Consumer Privacy Act has put businesses at substantial risk of data breach litigation and litigation from technical noncompliance.

On January 1, 2020, the California Consumer Privacy Act ("CCPA") went into effect. The new law provides consumers with new rights over how businesses collect and handle their personal information. The CCPA also has created substantial litigation risk for businesses.

Data Breach Litigation

The CCPA has a private right of action for data breaches, without any express causation requirement. If a business had inadequate data security, plaintiffs can recover statutory damages between $100 and $750 "per consumer per incident or actual damages, whichever is greater." Thus, a data breach affecting 50,000 California residents has a potential exposure of $37.5 million.

Litigation From Technical Noncompliance

Businesses also face litigation risk from technical noncompliance with the CCPA. Although the CCPA does not have a private right of action for noncompliance claims, plaintiffs will likely enforce noncompliance through class actions under the "unlawful" prong of California's Unfair Competition Law (Business & Professions Code, Section 17200) ("UCL"). The UCL law "borrows" technical violations of other laws and treats them as unfair business practices. It also allows for restitution and injunctive relief. Courts also have awarded prevailing plaintiff attorney's fees in UCL class actions.

Additionally, businesses face class action risk for violations of the CCPA under common law theories, such as negligence or invasion of privacy. For example, the CCPA has provisions governing the sale of consumer data (the "do not sell" provisions). A violation of that provision could trigger class litigation under the theory that the breach of this statutory duty gives rise to a cause of action for negligence per se, with economic damages based upon the loss of value of that personal data.

Insurance for Litigation Risk

Given the anticipated litigation arising out of the CCPA, it is critical that companies review their cyber insurance policies to determine whether they adequately cover CCPA claims.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day

Jones Day on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.