The California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, and applies to all companies that do business in the Golden State. The new act is California’s rejoinder to Europe’s General Data Protection Regulation, which went into effect on May 25, 2018. Most businesses are taking steps in 2019 to comply with the CCPA’s data privacy and transparency mandates. In doing so, they also should prepare for the potential onslaught of CCPA class action litigation for data breaches and carefully review the CCPA’s novel “cure” provision.
Like other California consumer protection statutes, the CCPA gives companies an opportunity to remedy the effects of a breach before an affected consumer brings a lawsuit. If the cure is effective, that consumer can only pursue actual damages, not statutory damages. Unlike similar statutes, however, the CCPA’s cure provision prevents the consumer from bringing a class action for those statutory damages. This is important because the CCPA requires courts to award successful plaintiffs between $100 and $750 “per consumer per incident.” That amount would add up quickly for a class action. Thus, if utilized effectively by businesses, the CCPA cure provision could protect against costly and risky class actions and, collaterally, shareholder derivative litigation against directors and officers that will piggyback on CCPA litigation.
The Private Right of Action
The CCPA creates a private right of action for California residents to sue companies when their personal information is subject to “unauthorized access and exfiltration, theft, or disclosure.” A defendant company is liable only if it violates a duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” in the company’s possession. The CCPA does not explain or further define this “duty,” so it will be resolved by judicial interpretation. (The California attorney general has co-sponsored Senate Bill 561, which would broaden the private right of action to cover all violations of rights under the CCPA, among other changes, but would leave the cure provision discussed below unaltered.)
The lawsuit proceeds like any other lawsuit if the complaining consumer seeks only actual damages — i.e., the provable amount of money actually lost because of a breach. A consumer who seeks the statutory “per consumer per incident” damages, however, must give the defendant 30 days’ written notice identifying the precise CCPA provisions allegedly violated. The consumer cannot sue until that 30-day period expires.
Many class action plaintiffs will proceed under the statutory damages provision, which opens the door to a substantial potential recovery without the burden of proving actual out-of-pocket losses to class members. Companies that have suffered a breach should therefore expect to receive CCPA 30-day notices and prepare strategies for processing and responding to them. Those that do not will be unable to capitalize on the most useful defense mechanism designed by the California Legislature.
The purpose of the 30-day notice provision is to give companies an opportunity to cure the alleged breach and avoid litigation. The law states that individual or classwide action for statutory damages cannot be brought if a business takes two measures: (1) cures a violation within 30 days and (2) notifies the consumer in writing that it has addressed the issue and that there will be no further violations.
This class action bar distinguishes the CCPA from other similar consumer protection laws. For example, California’s Consumers Legal Remedies Act (CLRA), a commonly invoked consumer fraud law, requires a 30-day notice and cure period. However, that cure does not prevent the plaintiff from bringing a class action unless the company affirmatively identifies all other similarly situated consumers and notifies them in a reasonable time that the company will take corrective action upon request and will stop engaging in the challenged conduct. Under California Supreme Court case law, curing an individual’s claim under the CLRA also does not prevent that person from acting as a representative plaintiff on behalf of a class of other consumers. Unsurprisingly, the CLRA’s laborious classwide cure is not often attempted.
The CCPA, however, requires no such complicated or extensive notice. If the cure to the complaining consumer is sufficient, the CCPA directs that “no action for individual statutory damages or class-wide statutory damages may be initiated against the business.” Thus, the best plain-language reading of the CCPA is that an individual cure is a class cure. Of course, other affected consumers may follow with additional notices, restarting the process. Working to cure these individual claims serially still probably makes good sense for businesses, insofar as a series of individual claims may present a smaller burden than a class action.
Although the benefits are attractive, the CCPA does not define the term “cure.” Judicial interpretations of similar California laws suggest that simply ending the breach, blocking access to hackers or stopping the “exfiltration” of personal information will not be sufficient. Rather, the “ill effects” of the violation will need to be remedied, likely by a payment to make the consumer whole. For example, in Romero v. Dep’t Stores Nat’l Bank, the U.S. Court of Appeals for the Ninth Circuit interpreted several California statutes and found that “future compliance is an insufficient ‘cure’ if the ill effects of a violation have not been or cannot be remedied.”
Ultimately, providing a legally adequate cure may prove challenging, particularly before courts have a chance to define standards of adequacy. Adequate cures likely will require companies to demonstrate ongoing compliance with the CCPA. Nevertheless, identifying a cure that the potential CCPA plaintiff will accept as adequate — or that stands a chance of persuading a court that the claimant is made whole — seems well worth the effort. The consumer would get a fair resolution, but class counsel would be prevented from misusing the outsized statutory damages to seek settlements disproportionate to the actual loss caused by a data breach.
As businesses around the country that process California consumer data prepare to meet the new burdens under the CCPA, in-house legal, privacy and compliance teams should pay special attention to the law’s cure provision.