The California legislature made headlines on June 28, 2018, when it passed, and the Governor signed, AB 375, a sweeping new data privacy bill known as the “California Consumer Privacy Act.” As further described in our colleagues’ report, the Act grants broad new privacy rights to consumers of certain companies doing business in California. In addition, the Act both provides for enforcement by the California Attorney General and creates a private right of action for some violations. Because of the latter feature, this new legislation may pave a new road to court for class actions in the wake of data breaches affecting California consumers.
AB 375’s Private Right of Action
AB 375 provides individuals in California with a private right of action against companies whose failure “to implement and maintain reasonable security procedures and practices” allegedly resulted in the “unauthorized access and exfiltration, theft, or disclosure” of “nonencrypted or nonredacted personal information.” (Notably, the Act defines “personal information” broadly to reach data including “biometric information,” internet browsing history, and purchase history.) Two features of this language matter for security teams. First, liability is tied to a failure of reasonable security, not merely to the occurrence of a breach, so documented, risk-based security practices will be central to any defense. Second, only “nonencrypted or nonredacted” data is covered, so a breach of personal data that was stored encrypted or redacted falls outside the private right of action, which makes encryption and redaction of stored personal data among the most direct ways to limit exposure. The Act does not expressly condition liability on the data being misused in a way that harms consumers. Instead, it provides for statutory damages of between $100 and $750 “per consumer per incident or actual damages,” whichever is greater, an injunction, or other relief a court deems appropriate. To help courts choose where in the range of statutory damages a particular case falls, the statute directs them to consider the nature, seriousness, persistence and willfulness of the defendant’s misconduct, the number of violations, the length of time over which the misconduct occurred, and the defendant’s assets, liabilities and net worth.
The availability of statutory damages is likely to spur the plaintiffs’ bar to file putative class actions under the Act in the event of any disclosed data breach. Indeed, the statute appears designed to facilitate the filing of these class actions because it offers the plaintiffs’ bar a vehicle for trying to circumvent a hurdle facing many privacy lawsuits brought in federal courts: the Article III requirement of injury-in-fact. Following the Supreme Court’s landmark decision in Spokeo, Inc. v. Robins, federal courts have seen substantial litigation over whether plaintiffs bringing data breach and other privacy claims can allege that they suffered any actual harm. Any suits brought in federal court under the Act’s statutory damages provision are therefore very likely to be challenged on Spokeo grounds. For that reason, some plaintiffs may seek to pursue statutory damages claims under the Act in California state court, hoping to take advantage of standing requirements under California law that may be looser than the federal Article III standard.
In either forum, defendants should consider arguing that any attempt to use this statute to aggregate claims for statutory damages into a massive amount that is disproportionate to any actual harm to putative class members violates due process. (See our report about this constitutional defense to aggregated statutory damages.)
Statutory Right to Opportunity to Cure
Another potential defense to actions under the Act arises from the statutory requirement that plaintiffs provide the defendant with notice and an opportunity to cure before bringing an action for statutory damages. Specifically, the consumer must give the potential defendant written notice identifying the provisions of the Act that have been (or are being) violated. If the business cures the noticed violation within 30 days and provides the consumer with a written statement to that effect, the consumer may not initiate an action for statutory damages. As a result, a key line of defense against litigation under the Act may well be to attempt to cure any issue identified by a plaintiff. Note what can realistically be cured: a completed exfiltration cannot be undone, so in practice a cure means remediating the deficient security practice that the notice points to and documenting that it has been fixed. Companies are therefore likely to be well-served by ensuring that their cyber incident response processes can trace a reported incident to its root cause, remediate that cause, and produce a written record of the remediation within the 30-day window wherever possible. Importantly, however, this notice requirement does not apply to suits for actual pecuniary damages that result from a violation. Whether this exception from the notice requirement will encourage plaintiffs to attempt to allege actual pecuniary harm remains to be seen.
Governmental Enforcement Actions
In addition to providing notice to the company before bringing suit, the plaintiff also must notify the California Attorney General’s office within 30 days after bringing suit. The Attorney General then has 30 days either to block or prosecute the action itself. If the office does not respond within 30 days or does respond but then fails to act within six months, the plaintiff may proceed. The Act does not specify the standard that the Attorney General will apply in deciding whether to block an action, but merely states that it may “[n]otify the consumer bringing the action that the consumer shall not proceed with the action.” However, the Act does give the Attorney General rulemaking authority to implement the statute. It thus seems likely that the standard for the Attorney General to block a private lawsuit will be one area that receives attention in any rulemaking process.
The Act creates a variety of other new legal requirements beyond its focus on data breaches, including consumers’ new rights to transparency, to opt out of having personal data sold, and to have data deleted upon request. But those provisions can be enforced only by the California Attorney General, not by a private litigant. The Act is explicit that civil penalties (as opposed to statutory damages) for violating its consumer protections “shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.”
The Bottom Line
All told, the Act seems very likely to give rise to a substantial amount of class action litigation following data breaches. Indeed, the Act appears to have been drafted with an eye toward allowing plaintiffs to bypass the obstacles that existing law places in the way of data-breach class actions in which no concrete harm to class members can be shown.
It is possible, however, that this new wave of litigation will be halted before it crests. The effective date of the Act is January 1, 2020. That leaves time for the Act to be amended before it goes into effect. The Act was introduced and rushed through the California legislature in under one week in order to head off a privacy-related ballot initiative of the same name. The tech industry and other key stakeholders have already expressed concern about the Act, and it appears likely that significant technical and substantive revisions will be considered by the state legislature. These forthcoming debates may well have significant implications for the future of data security litigation under California law, and may cause other state legislatures to follow suit.