January 1, 2020 will mark a new era for consumer privacy with the passage of the California Consumer Protection Act (CCPA). The law is similar to Europe’s General Data Protection Regulation, as it applies to all companies conducting business in the Golden State and will be enforced by the Attorney General.
This hotly debated law empowers individuals to seek restitution if businesses store, retain, use, and share their personal information in ways that are “unreasonable.” Consumers will have the right to know what information corporations are collecting about them in their electronic files; the right to tell a business not to share or sell personal information; and the right to sue if enterprises do not abide by the consumer privacy law.
The CCPA arrives on the heels of 8,804 data breaches made public since 2005. So far this year, there have been 58 public data breaches affecting over 1.3 million records, according to The American Bee Journal. Major data breaches exposed customers, leaving them uncertain as to what information had been breached, by whom, and to what effect. Now it’s America’s businesses that wonder what effect this legislation will have on their bottom lines.
Notification Will Be Widespread and Likely Lead to More Class Action Filings
As written in Cal. Civ. Code § 1798.150, consumers are granted a private right of action when their “nonencrypted and nonredacted” personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Prior to initiating any action for statutory damages on an individual or class-wide basis, a consumer must provide 30 days’ written notice to a business identifying the specific provisions of this law being violated. If the business cures the violation within 30 days and provides written notice to the consumer, no action for statutory damages may be initiated. No notice is required prior to a consumer initiating an action for actual pecuniary damages suffered as a result of violations of this law.
This heightened notification standard makes it more likely for plaintiffs and counsel to learn of compromised data, which could prompt an increase in class action filings.
Class Action Lawsuits for Statutory Damages Will Be Easier to Certify and Approve
In the past, cases of consumer privacy violations were often challenging to certify as a class due to issues concerning the amount or concreteness of damages. With the passage of this new law, damages can be statutorily determined on a class-wide basis. As the Supreme Court ruling in Spokeo v. Robins made clear: plaintiffs can suffer injury-in-fact when false information is published about them online. The recent spotlight on consumer privacy on the world stage has created a public demand for action, which will likely lead to claims being filed under this law after it is enacted.
Small Individual Claims May Now Result in Big Settlements
Under CCPA provisions, consumers may be able to obtain relief for either actual damages or statutory damages ranging from $100 to $750 per person per incident. Courts will examine the nature, seriousness, willfulness, and persistence of misconduct in setting the damage threshold. Attaching these specific dollar amounts to the CCPA gives consumers greater incentive to pursue claims for relief.
In addition to damages, the Act allows for injunctive or declaratory relief and “any other relief the court deems proper.” The Attorney General will be given authority to bring enforcement actions and to levy a punitive civil fine of $2,500 per negligent violation and $7,500 per intentional violation.
Much has been written about what proactive steps companies can take to avoid class actions following the passage of CCPA. Recommended precautions have included:
- Making end-to-end encryption and redaction part of standard protocol.
- Creating a company incident response plan.
- Developing a fully comprehensive, advanced cybersecurity program.
- Purchasing additional cyber insurance to offset potential statutory damages.
There is Room for Interpretation
As CNBC put it, “The rest of the country is watching closely. No other state has attempted such an ambitious privacy law, and since before the dawn of the internet, Congress hasn’t either.” However, there is room for interpretation and revision. The National Law Review explains: “The CCPA remains a work in progress: parts of the law remain ambiguous; key regulatory guidance is still missing, and the law itself is likely to be amended in the near future.”
Remaining questions that the courts will likely have to consider include:
- What are “reasonable” security measures to prevent a data breach?
- What is considered an effective “cure” in ending a breach, blocking hacker access, or ceasing exfiltration of personal data?
As parties become affected by the enactment of the CCPA, it is wise to engage the services of an experienced class action settlement administrator to deal with these complex, first-impression matters. Kroll Settlement Administration has been a leader in this evolving landscape for over 50 years. We are closely monitoring the passage of this landmark legislation and are prepared to oversee administration from class action notice requirements to website development to settlement distribution.