While the California Consumer Privacy Act (CCPA) went into effect on January 1st of this year, the California Attorney General submitted the final draft of proposed regulations only last month. With the CCPA’s inclusion of a private right of action for California residents to seek actual or statutory damages if their personal information has been “subject to an unauthorized access and exfiltration, theft or disclosure” due to a business’s failure to “implement and maintain reasonable security procedures,” there is added exposure in California consumer class actions if a business suffers a data breach, especially because the CCPA allows for statutory damages without having to prove actual harm. The CCPA sets the statutory limit between $100 and $750 per consumer per incident. The amount awarded is based on “any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.”
Now, with the Attorney General’s enforcement in effect as of July 1, the second half of 2020 could reveal much more about the Attorney General’s CCPA enforcement strategy. Additionally, the strategy of private litigants, who have been able to file CCPA claims since January 1, may also be instructive on what to expect for enforcement by the state.
While COVID-19 has certainly halted much litigation (or perhaps moved it to the digital world), the migration to remote work has actually led to several CCPA actions, as threat actors have exploited this unsteady transition and immense strain on information technology departments, which, for the first time, are dealing with a large group of employees working from home. So far this year, April was the most active month for new CCPA litigation, with over a dozen complaints being filed in both state and federal courts, mostly in California (no surprise), but also in Florida, New York, and Washington.
To date, the CCPA has yet to be interpreted in court. However, some of the recent case filings indicate that plaintiffs are attempting to interpret the CCPA’s private right of action very broadly.
It would seem that the limitations on the CCPA’s private right of action are clear. Section 1798.150(a)(1) of the CCPA states: “Any [California resident] consumer whose nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Civil actions may be instituted for actual or statutory damages, injunctive relief and other relief the court deems proper.
The civil private right of action applies only if personal information has been the subject of a data breach and the statute makes clear that the “cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title.” Nonetheless, many litigants are attempting to bring actions for statutory damages related to a violation (i.e., failure to comply) of the CCPA without including any allegations related to the limited private right of action for a loss related to a data breach.
Furthermore, the CCPA expressly precludes consumers from using it as “the basis for a private right of action under any other law.” Section 1798.155 of the CCPA provides the Attorney General with broad enforcement authority over all CCPA violations, which means that there is no need for enforcement via any other consumer protection law. However, plaintiffs in many of the recent pleadings filed attempt to use the CCPA as a means of indicating violation of other consumer protection laws.
Overall, there have been 50 consumer class actions alleging some type of CCPA violation filed in the first six months of the year. And in the second half of 2020? Well, there is no indication of it slowing down. Because the Attorney General’s enforcement powers just took effect, the next six months will likely see more private litigant activity and state enforcement, even though the CCPA regulations are not yet effective; the Attorney General may bring an action under the CCPA for CCPA violations that occurred any time after January 1 by relying on the statute rather than the regulations. Therefore, if a business has been hit with a consumer class action, it could see an enforcement action down the road as well.
Currently, with the CCPA’s onerous requirements and the heightened possibility of email compromises and data security incidents due to the remote work situation, the liability risk for failing to comply with the CCPA could be very significant for businesses. Businesses that are vigilant in their CCPA compliance may be in a position to avoid the ominous threat of CCPA enforcement.