Staking a claim
Businesses can take four steps to mitigate their risk of being the target of a CCPA class action and statutory damages:
1. Minimize data. If you don’t need the data and are not required to keep it, get rid of it. It can’t be breached if it is not on your system. (Remember, though, that California and other states have data disposal laws requiring that records containing personal information be disposed of in a secure fashion).
2. Encrypt sensitive data. The CCPA’s private right of action for data breaches and statutory damages apply only to the breach of nonencrypted and nonredacted sensitive personal information.
3. Implement and maintain reasonable security procedures. The CCPA requires the breach to have occurred “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Although the CCPA does not define “reasonable security procedures,” there are many recognized security frameworks.
4. Cure the problem. The CCPA requires that a plaintiff seeking statutory damages give the business 30 days’ written notice identifying the specific provisions of the CCPA that the consumer alleges have been violated. If the business cures the violation within 30 days and provides the consumer with a written statement that the violations have been cured and that no further violations shall occur, the consumer cannot initiate an action for statutory damages. Of course, the CCPA does not define what it means to “cure” a violation.
Whatever “cure” means, “curing” may get more difficult if a new California privacy rights law — the California Privacy Rights Act — is approved by California voters in November 2020. The CPRA was written by the author of the CCPA and is often referred to as “CCPA 2.0.” But the CPRA would make it tougher for businesses to “cure” a data breach because the CPRA expressly states that the implementation and maintenance of reasonable security procedures and practices after a breach does not constitute a cure with respect to that breach. If voters approve the CPRA (and early polling shows a 90% approval rating), the CPRA will take effect on January 1, 2023.
Only the start
Consumer class actions are just the first shoe to drop in the CCPA enforcement framework. In addition, starting on July 1, 2020, the California Attorney General can initiate enforcement actions, and the AG’s office has made it clear that enforcement proceedings will include events that occurred as early as January 2020.
The AG’s office can seek civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation of the CCPA. To get a sense of the magnitude of those figures, if the $7,500 penalty were applied per consumer per incident for the breaches reported on the AG’s data breach for 2014 – 2016, the result would be $375 billion in total AG enforcement risk.²
It’s going to be a wild ride.