As readers of this blog know, the California Consumer Privacy Act (“CCPA”) recently went into effect on January 1, 2020. While the California Attorney General will not bring enforcement actions prior to July 1, 2020, the CCPA’s private right of action is now in full effect. This private right of action provides California consumers with a powerful tool to seek redress if their personal information is accessed as a result of a data breach. Of course, this also means that companies that do business in California may face massive civil liability if their systems are the subject of a breach.
Who can sue under the CCPA Law, and when?
CCPA Law Private Right of Action
Section 1798.150(a)(1) of the CCPA provides that “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to unauthorized access and exfiltration, theft, or disclosure” due to a business’s failure to “implement and maintain reasonable security procedures” may commence a civil action to recover either: 1) actual damages; or 2) statutory damages between $100 and $750 per consumer per incident (whichever is greater).
By creating a right to statutory damages for each violation, this provision of the CCPA law makes it much easier for a consumer to bring a civil action following a data breach. Proving actual damages as a result of a data breach can be difficult, if not impossible. Following passage of the CCPA, however, California consumers no longer need to prove such damages to recover. Given the foregoing, many observers predict that the CCPA will be a boon to the plaintiffs’ bar, who will bring class actions on behalf of California data breach plaintiffs.
How companies can protect themselves
The CCPA only creates a private right of action against businesses that fail to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Unfortunately, the CCPA does not define any of these key terms. However, another new CCPA law provision does afford businesses some protection from consumer suits seeking statutory damages. Specifically, under CCPA Section 1798.150(b), a consumer must provide a business with 30 days’ written notice of the alleged CCPA violation that leads to the “unauthorized access and exfiltration, theft, or disclosure” of the consumer’s personal information. The business then has 30 days to cure the violation and notify the consumer that: 1) the violation has been cured; and 2) no further violations will occur. If the business is able to act quickly to cure the violation and inform the subject consumer of such, then the consumer may not bring suit for individual or class-wide statutory damages. Critically, consumers are not required to provide advance notice prior to bringing actions for actual damages.
Please note that the CCPA’s private right of action is only several days old, and it has not yet been analyzed by the courts. While much remains unclear, it is certain that this private right of action will create significant costs for businesses that fail to maintain the proper standard of care for customers’ personal information. Accordingly, businesses should work with knowledgeable counsel to ensure CCPA compliance.