Privacy remains a hotly debated subject in the U.S., and many states are taking steps to protect customers’ personal information. The newest legislation with the most teeth belongs to California, which in February 2019 passed the California Consumers Protection Act (CCPA), effective January 1, 2020. The CCPA is a consumer-directed law that empowers individuals to determine how a business can store, retain, and use their personal information. The CCPA gives consumers a set of rights covering the personal information that businesses collect about them, and then specifies what those businesses can or must do with that information. Given these new requirements, and the possibility that businesses may not comply, many are predicting a new wave of class action claims.
This is the first set of laws that gives consumers the ability to sue companies for data breaches. As currently written, the statute provides a private right of action under certain circumstances to California consumers whose "nonencrypted and nonredacted" personal information is "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the information . . . ." Cal. Civ. Code § 1798.150. Essentially, this private right of action is available only if the data breach involves both "unauthorized access" and "unauthorized acquisition, theft, or disclosure," and it results from the business's violation of the duty to have reasonable security in place in light of the sensitivity of the data that it holds.
Most important, the CCPA provides consumers the ability to obtain relief in the form of either actual damages or statutory damages between $100 and $750 per violation, whichever is greater. In setting the statutory damages amount, courts are instructed to consider, among other factors, "the nature, seriousness . . . and persistence of the misconduct," the number of violations, "the length of time over which the misconduct occurred," willfulness, and the ability to pay. In addition to damages, the Act provides for injunctive or declaratory relief and "any other relief the court deems proper." Id. § 1798.150(a)(1)(B)-(C).
The CCPA's provision for statutory damages is significant because it very likely will trigger an increase in data breach class action activity. First and foremost, this provision allows plaintiffs to pursue a claim for relief even if they do not have any actual injury from the breach. Next, while plaintiffs’ attorneys were previously reluctant to bring an action against organizations experiencing smaller-scale incidents, now (at $100 minimum per individual incident) a small data breach of 5,000 people equates to at least $500,000 in damages. Third, plaintiffs can now ask for damages in cases where it is extremely difficult to establish and/or quantify what the damages should be, and the provision allows for much easier class certification because it eliminates many arguments typically raised by defendants in opposition, such as the argument that damages cannot be determined on a class-wide basis. Finally, these actions are likely to be more successful due to the shifting societal view on privacy: a great deal of attention has been brought to privacy with the recent enactment of the GDPR and recent key Supreme Court rulings such as Spokeo v. Robins.