We have received multiple reports that plaintiffs' lawyers
and litigation funders are investigating class action lawsuits
against companies that have not fully complied with the California
Consumer Privacy Act (CCPA). In addition, the California
Attorney General is poised to sue companies for non-compliance once
the CCPA's enforcement and penalty provisions become effective
on July 1, 2020. The second half of 2020 promises to be an
active period of CCPA litigation and enforcement, and companies
need to act now to put themselves in full compliance with the
Act.
The CCPA imposes a wide range of requirements regarding data
privacy, access and security. Enforcement tools include
regulatory fines of $2,500 for each violation of the law and $7,500
for each intentional violation. The Act also provides
consumers with a private right of action. The CCPA grants
"[a]ny consumer whose nonencrypted and nonredacted personal
information . . . is subject to an unauthorized access and
exfiltration, theft, or disclosure as a result of the
business's violation of the duty to implement and maintain
reasonable security procedures and practices" the right to
bring a civil action to recover damages. CCPA §
1798.150. Under the Act, a consumer may seek statutory
damages of $100 to $750 per incident or actual damages, whichever
is greater. Id.
Plaintiffs' lawyers have already filed class actions on
behalf of consumers seeking monetary damages for alleged
noncompliance, bringing adverse publicity and regulatory scrutiny
to companies such as Zoom. While the statutory language may
lead companies to believe that private lawsuits must involve a data
breach, plaintiffs' lawyers are being far more creative.
Any data disclosure appears to be fair game, as long as the
consumer has not had notice and an opportunity to opt out of the
disclosure. In addition to creative theories that will have
to be tested in the notoriously unpredictable California courts,
plaintiffs' lawyers will be seeking to recover significant
damages and attorneys' fees. Because each consumer may
allege multiple incidents (for example, a separate incident each
time a consumer accesses an insecure website), potential damages in
class actions can quickly mount, serving as a powerful incentive
for plaintiffs' firms eager to capitalize on weaknesses in
companies' CCPA compliance.
The CCPA is the strongest data protection law in the United
States. It broadly expands the privacy rights of California
consumers, and requires companies to be significantly more
transparent about how they collect, use and disclose consumers'
personal information. The law applies to any company that
operates in California and either generates $25 million or more in
annual revenues; gathers data on more than 50,000 users; or earns
more than half its revenue from the use of that data. Because
the law provides users with rights of data access, they are
entitled to see what data companies have compiled about them and
how it is shared; they are also entitled to have that data deleted,
and, in most instances, to prevent companies from sharing it with
third parties. The CCPA requires various forms of notice to
consumers, and specifies the procedures for handling requests by
consumers regarding their data.
The Office of the California Attorney General has issued
proposed regulations; the most recent revisions to the proposed
regulations were issued on March 11. For the regulations to
become effective on July 1 (when the statutory enforcement and
penalty provisions will take effect), the proposed regulations must
be finalized and filed with the Secretary of State by May 29.
But regardless of the date when the regulations are finalized and
take effect, the Attorney General has stated publicly that
enforcement of the statute will begin on July 1. More to the
point: private litigation has already begun, and is expected to
increase substantially in volume. The availability of
statutory damages in class action litigation (completely without
regard to whether plaintiffs incurred significant damages, or any
damages at all) can present enormous financial risk for any company
whose CCPA compliance is called into question. In order to
minimize the risk of expensive and potentially high-profile
litigation, companies subject to the CCPA should take every step to
ensure that they have implemented a sound compliance policy and
defensible procedures; that their policy and procedures are
carefully documented; and that they are vigilant in staying in
compliance.