Morgan Lewis Practical Advice on Privacy: Guide to the CCPA
The landmark California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, grants consumers a limited private right of action against the unauthorized access and exfiltration, theft, or disclosure of certain types of personal information, including the right to seek statutory damages. This new cause of action is among the many new statutory rights established by the CCPA, which represents a major turning point for privacy and cybersecurity standards and will significantly impact enforcement in California and beyond. This article highlights the key features of the private right of action and discusses how companies can prepare. Enforcement actions by the California attorney general are discussed in a subsequent article.
The CCPA represents a broad restructuring of privacy and cybersecurity laws. It establishes new statutory privacy rights, including the right for a consumer to know what personal data is being collected and how it is used, to know whether it is being sold or disclosed, to data portability, to opt out of the sale of personal information to third parties, and to request that a business delete personal information that has been collected.
The CCPA was passed on June 28, 2018 (AB 375) and has been amended several times since then. On October 10, 2019, the California attorney general proposed regulations implementing the CCPA; public comment on these regulations closed on December 6, 2019, and final regulations are pending. The CCPA went into effect on January 1, 2020.
Private Right of Action Under the CCPA
One major change in the CCPA is its establishment of a limited but potentially significant private right of action for California consumers. Under the law, California consumers have a private right of action when their “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” This private right of action includes the availability of statutory damages and is unlike most data breach and privacy laws, which require proof of actual harm and do not allow for statutory damages. The CCPA private right of action on its face differs from the federal court standard applied to data breaches where constitutional or Article III standing is required to establish a concrete injury. Under the CCPA as written, it may be possible to have statutory damages imposed without proof of actual damages from the unauthorized access, although it is likely that such a result would be subject to court challenges.
There are three key elements for the limited private right of action under the CCPA:
- Nonencrypted and nonredacted personal information
- Subject to an unauthorized access and exfiltration, theft, or disclosure
- As a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information
Personal information under the CCPA’s limited private right of action includes “(i) Social security number; (ii) Driver’s license number or California identification card number; (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (iv) Medical information; or (v) Health insurance information.” As discussed below, this definition is much narrower than the definition of “personal information” for the rest of the CCPA.
If a business experiences a data incident that meets the above requirements, California consumers may file a lawsuit alleging a private right of action under the CCPA, and can seek a number of remedies.
Remedies Under the CCPA
With respect to damages, under the CCPA consumers can seek the greater of actual damages or statutory damages for each violation. Actual damages are a factual question, but statutory damages under the CCPA are set to be not less than $100 and not greater than $750 per consumer per incident. This can lead to very large statutory damage awards, since data incidents often involve hundreds, thousands, or millions of consumers.
In determining the amount of statutory damages, courts are directed to weigh a number of factors, including:
- Nature and seriousness of the misconduct
- Number of violations
- Persistence of the misconduct
- Length of time over which the misconduct occurred
- Willfulness of the defendant’s misconduct
- Defendant’s assets, liabilities, and net worth
- Other “relevant circumstances presented by any of the parties”
Additionally, the CCPA authorizes injunctive or declaratory relief and “[a]ny other relief the court deems proper.”
While the scope and size of statutory damages under the CCPA can be substantial, there are some limiting provisions in the CCPA worth highlighting.
First is the 30-day written notice and cure provision. Under this CCPA provision, before any individual or class action for statutory damages can proceed, a consumer must provide written notice “identifying the specific provisions” of the law that the consumer alleges were violated. If the violation can be cured and is cured within 30 days, and the business “provides the consumer an express written statement that the violations have been cured and that no further violations shall occur,” no action for statutory damages or class-wide statutory damages may be initiated.
For any continuing CCPA violation “in breach of the express written statement,” a consumer may “enforce the written statement and may pursue statutory damages for each breach of the express written statement” along with any other CCPA violation after the written statement. This 30-day written notice provides companies a chance to respond to alleged claims and avoid potential litigation for statutory damages. Note that the notice and cure provisions apply only to statutory damages; there is no comparable requirement if actual damages are being sought.
Second, the private right of action applies to “[n]onencrypted and nonredacted personal information.” Companies can protect themselves by encrypting or redacting personal information using industry standards and best practices for encryption and redaction.
Third, the scope of personal information for the private right of action is limited to the specific data elements noted above. The limited private right of action does not apply to the broader definition of “personal information” under the CCPA, which includes, for example, commercial information, biometric information, geolocation data, Internet or other electronic network activity, audio, electronic, visual, thermal, olfactory, or similar information, among many other types of information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Fourth, the violation and private right of action are only triggered when a company violates the duty to implement and maintain reasonable security procedures and practices. As a result, California’s Reasonable Cybersecurity Statute provides a line of defense. While “reasonable security procedures” are not defined, and are factual and based on the circumstances, the law states that:
“A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
Thus, if a company can establish that it has maintained “reasonable security procedures and practices,” it can use that as a defense to CCPA private right of action claims.
Finally, the CCPA expressly provides that the private right of action only applies to the security violations defined in Civil Code section 1798.150(a), and that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”
The CCPA commences a new chapter in privacy and cybersecurity litigation and enforcement. Companies should look closely at their data collection and storage practices and consider whether they can reduce their risk by collecting less data and/or storing it in encrypted or redacted formats. Companies also should evaluate their data security compliance efforts and develop a strategy to respond quickly to data security breaches and to the risk of private rights of action. Counsel can assist in the development of a strategy tailored to the security issues confronting the company.
The California attorney general issued proposed regulations for the CCPA on October 10, 2019. As part of the rulemaking process, the California attorney general is deciding whether any modifications should be made to the proposed regulations before they become final based on public comments, which were due December 6. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which took effect on January 1, 2020.