Coping with the California Class Action Gold Rush
The California Consumer Privacy Act (CCPA) has been in effect since January 1, 2020, and it’s packed a punch.
Like prospectors who were drawn to California in 1948 with the hope of striking it rich, in the first five months of 2020, lawyers have filed at least 19 class actions alleging violations of the CCPA.
The mother lode
Why have so many class actions been filed so soon? Because the CCPA has significantly increased the potential consequences of a data breach by permitting California consumers to seek statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater.
The availability of statutory damages is a powerful incentive. Although consumers already had the right to bring a lawsuit under California’s data breach law, consumers often found it difficult to prove actual damages caused by the data breach. Statutory damages eliminate this obstacle.
Statutory damages can add up fast. If, for example, the CCPA’s statutory damages were applied to the data breaches reported on the California Attorney General’s data breach website for the years 2014 – 2016, the defendants could have been looking at aggregate statutory damages of $37.5 billion (calculated at $750 per consumer per violation).¹ Now that’s a lot of incentive.
Trying to strike it rich
The claims asserted in the CCPA class actions also are something out of the Wild West. Although the CCPA technically limits private lawsuits to claims arising out of the breach of sensitive personal information as a result of the business’s failure to implement and maintain reasonable security practices, the early CCPA lawsuits filed so far go beyond that, reflecting that plaintiffs’ lawyers are prepared to test the limits of the CCPA. Consumer lawsuits invoking the CCPA generally fall into two categories:
- Cases alleging data breaches (unauthorized access and exfiltration, theft or disclosure of sensitive personal information as a result of the business’s failure to implement and maintain reasonable security practices). These claims are expressly authorized by the CCPA.
- Cases alleging violations of the CCPA’s procedures relating to data privacy. In these cases, the plaintiffs allege that the business failed to comply with a procedural requirement of the CCPA (such as the failure to give notice of the personal information being collected and the third parties with whom the information is being shared, or failure to give consumers the right to opt out of the sale of the information), and use this as a basis for asserting claims alleging violations of the CCPA and other laws, such as California’s unfair competition laws, other consumer protection statutes and common law claims. These types of claims generally seek actual damages and injunctive relief. It remains to be seen whether these types of claims will survive a motion to dismiss, given that the CCPA expressly states that nothing in it shall be interpreted to serve as the basis for a private right of action under any other law.
Staking a claim
Businesses can take four steps to mitigate their risk of being the target of a CCPA class action and statutory damages:
1. Minimize data. If you don’t need the data and are not required to keep it, get rid of it. It can’t be breached if it is not on your system. (Remember, though, that California and other states have data disposal laws requiring that records containing personal information be disposed of in a secure fashion).
2 Encrypt sensitive data. The CCPA’s private right of action for data breaches and statutory damages apply only to the breach of nonencrypted and nonredacted sensitive personal information.
3. Implement and maintain reasonable security procedures. The CCPA requires the breach to have occurred “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Although the CCPA does not define “reasonable security procedures,” there are many recognized security frameworks.
4. Cure the problem. The CCPA requires that a plaintiff seeking statutory damages give the business 30 days’ written notice identifying the specific provisions of the CCPA that the consumer alleges have been violated. If the business cures the violation within 30 days and provides the consumer with a written statement that the violations have been cured and that no further violations shall occur, the consumer cannot initiate an action for statutory damages. Of course, that the CCPA does not define what it means to “cure” a violation.
Whatever “cure” means, “curing” may get more difficult if a new California privacy rights law —the California Privacy Rights Act— is approved by California voters in November 2020. The CPRA was written by the author of the CCPA and often is referred to as “CCPA 2.0.” But the CPRA would make it tougher for businesses to “cure” a data breach because the CPRA expressly states that the implementation and maintenance of reasonable security procedures and practices after a breach does not constitute a cure with respect to that breach. If voters approve the CPRA (and early polling shows a 90% approval rating), the CPRA will take effect on January 1, 2023.
Only the start
Consumer class actions are just the first shoe to drop in the CCPA enforcement framework. In addition, starting on July 1, 2020, the California Attorney General can initiate enforcement actions, and the AG’s office has made it clear that enforcement proceedings will include events that occurred as early as January 2020.
The AG’s office can seek civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation of the CCPA. To get a sense of the magnitude of those figures, if the $7,500 penalty were applied per consumer per incident for the breaches reported on the AG’s data breach for 2014 – 2016, the result would be $375 billion in total AG enforcement risk.²
It’s going to be a wild ride.
¹Source: Estimated by Dominique Shelton Leipzig, partner, Privacy & Security and co-chair, Ad Tech Privacy & Data management, Perkins Coie, LLP in 7-minute video posted on Data Breach Today (March 11, 2020).