While many breathed a sigh of relief when the California legislature provided only a limited private right of action for data breaches under its sweeping new privacy law—the California Consumer Privacy Act (CCPA)—companies that collect the personal information of California residents are nonetheless facing a potential storm of litigation starting January 1, 2020.
This alert discusses the new litigation risks under the CCPA, other avenues that plaintiffs can use to sue companies for alleged privacy violations under the CCPA, and what companies can do to reduce their risk.
a. The Private Right of Action Under the CCPA
In its current form, the CCPA provides a limited private right of action for certain data breaches, putting a premium on ensuring “reasonable” security measures. In particular, under California Civil Code § 1798.150(a)(1), any consumer may bring suit if their “nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure” as a result of the business’s violation of the duty to “implement and maintain reasonable security procedures and practices.”
Therefore, it is critical for businesses to maintain—and be able to readily demonstrate through written security plans and policies—reasonable security standards to protect a California resident’s personal information from unauthorized use, access and disclosure. Consistent with other cybersecurity and privacy standards like the New York Department of Financial Services Cybersecurity Regulation or Europe’s General Data Protection Regulation (GDPR), the CCPA does not define what “reasonable” means. Instead, reasonable security procedures and practices are those that are “appropriate to the nature of the information.” In other words, California—like New York and the EU—requires companies to undertake risk-based assessments of their own cybersecurity needs, to take care not to fall below what other similarly situated companies are doing, and to monitor regulatory guidance and enforcement actions to ensure they live up to what regulators expect. One such benchmark already exists: the California Attorney General’s 2016 Data Breach Report stated that the Center for Internet Security’s Critical Security Controls define a minimum level of information security, and that failing to implement the controls that apply to an organization’s environment constitutes a lack of reasonable security.1
i. CCPA Statutory Damages
Importantly, the law’s provision of statutory damages not only could result in substantial liability for noncompliance, but it also makes it easier for plaintiffs to establish standing to bring suit. Under US Supreme Court jurisprudence, victims of data breaches have often found it very difficult to establish standing. According to the seminal case, Spokeo v. Robins, 136 S. Ct. 1540 (2016), an injury-in-fact must not only be particularized, i.e., affecting the plaintiff in a personal and individual way, but it also must be concrete.2
The CCPA’s private right of action, however, potentially removes the hurdle by providing for statutory damages “in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater.” Cal. Civ. Code § 1798.150(a)(1)(A) (emphasis added).
In addition, in assessing the amount of statutory damages, courts are directed to assess the state of a company’s compliance posture and, in essence, evaluate how seriously it takes consumer privacy. Specifically, courts must look to: the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth. Id. at 1798.150(a)(2).
Given that data breaches can often implicate the records of tens of millions of customers, the potential for statutory damages of up to $750 “per consumer per incident” raises the specter of substantial exposure for large-scale breaches. Assuming, for instance, one million California consumers were affected by a single breach, the law could allow up to $750 million to be assessed against the offending business in statutory damages, before any actual damages are considered.
ii. CCPA Cure Provision
As much as the statutory damages lower the standing bar and elevate the risk of a huge payout, the CCPA’s private right of action does contain a statutory cure provision, which provides that before filing suit for statutory damages on an individual or class-wide basis, a plaintiff must provide “a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Id. at 1798.150(b).
But a cure might not be possible in certain breach situations: once personal information has been exfiltrated, the business cannot retrieve it, and a promise of future compliance does nothing for the consumer whose data is already exposed. When addressing statutory “cure” provisions in connection with other statutes, California courts have held that future compliance is an insufficient “cure” if the defendant cannot undo the harm to the plaintiff that its alleged violation already caused. Romero v. Dep’t Stores Nat’l Bank, 725 F. App’x 537, 540 (9th Cir. 2018) (collecting cases).
b. Private Right of Action Under California’s Unfair Competition Law?
Because the private right of action provided by the CCPA is narrow, plaintiffs are likely to look to other California laws to bring suit for CCPA violations that do not fall within the scope of § 1798.150(a)(1), even those unrelated to a data breach. California’s Unfair Competition Law (UCL), for example, broadly prohibits, and provides civil remedies for, unfair competition, which it defines as “any unlawful, unfair or fraudulent business act or practice.” Bus. & Prof. Code § 17200 et seq. Violating the requirements in the CCPA—whether the disclosure requirements, the requirements to afford consumers certain rights, or the obligation to maintain reasonable security measures—could be alleged to constitute an unlawful, unfair or fraudulent business act or practice.3
Defendants, however, have a strong defense to such claims. California Civil Code § 1798.150(c) explicitly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” Legislative history, the CCPA’s vesting of enforcement authority in the California Attorney General, and subsequent statements from the Attorney General also support the California legislature’s intent to narrowly circumscribe the private right of action to the one set out in the CCPA itself. Defendants faced with class action litigation can therefore argue that the reference to “any other law” encompasses the UCL and forbids reliance on the privacy provisions of the CCPA as a basis for UCL liability under the “unlawful” prong.
Absent legislative amendment or further development in the case law, plaintiffs are nonetheless likely to argue that this limitation applies only to data breach claims. In other words, § 1798.150(c) at most bars UCL liability predicated on a violation of § 1798.150 and does not bar UCL actions predicated on violations of other sections of the CCPA. In addition, plaintiffs may argue that California law permits plaintiffs to bring UCL claims based on violations of laws that do not themselves provide for a private right of action, which is the case for the CCPA’s non-breach privacy protections.
One way to defend against CCPA litigation is to proactively keep those disputes out of court. Civil Code § 1798.192 invalidates contractual waivers of rights under the CCPA, but it does not expressly prohibit arbitration. Therefore, defendants facing class action litigation arising from data breaches will have a reasonable argument, in light of recent US Supreme Court authority, that the Federal Arbitration Act authorizes mandatory arbitration of CCPA disputes and permits waiver of class action treatment.4
Ultimately, the best defense is compliance. Having CCPA-compliant policies, being able to respond to consumers’ exercise of their rights, and having holistic, risk-based and well-practiced security measures in effect no later than January 1, 2020, are the most effective ways to avoid or weather the incoming storm of privacy litigation in California.
3The “unlawful” prong of the UCL “borrows” violations of other laws and makes them independently actionable under the UCL. Smith v. State Farm Mutual Automobile Ins. Co., 93 Cal.App.4th 700, 718 (2001). This raises the possibility that plaintiffs’ lawyers might attempt to enforce the privacy provisions of the CCPA by using the UCL.
4AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011); DIRECTV, Inc. v. Imburgia, 136 S. Ct. 463 (2015); Kindred Nursing Centers LP v. Clark, 137 S. Ct. 1421 (2017).