United States: CCPA FAQs Part 3: Litigation, Regulatory Actions And Liability

Last Updated: October 7 2019
Article by Cooley LLP

As we approach the January 1, 2020 effective date of the California Consumer Privacy Act ("CCPA" or "Act") it is a good time to consider what is at stake for businesses that fail to comply with the Act. With this in mind, we focus this FAQ installment on litigation and regulatory enforcement issues arising from the Act, including:

  • who has authority to enforce the CCPA;
  • enforcement of the Act by the California Attorney General;
  • enforcement of the Act by "consumers" through the private right of action;
  • liability based on the actions of business partners; and
  • the ability to cure violations of the CCPA.

Authority to enforce the CCPA

Who can bring actions against businesses under the Act?

As we discussed briefly in part 1 of this series, the CCPA authorizes two types of enforcement actions:

  • First, the California Attorney General can bring actions against non-compliant businesses under Section 17206 of the California Business and Professions Code.
  • Second, "consumers" have a limited private right of action in the event of a data breach involving "nonencrypted or nonredacted personal information." An overview of who qualifies as a "consumer" is provided in part 1 of this series.

The Act also requires the Attorney General to seek input from the public and establish rules and procedures "to further the purposes" of the sections of the Act providing for these causes of action by July 1, 2020. We are expecting the first draft of these regulations in October 2019.

Enforcement of the Act by the California Attorney General

When can the Attorney General bring an action against a business?

The Attorney General can bring an action against a business for any violation of the Act. This includes both intentional and unintentional violations. Before the Attorney General's office can bring an action for a violation of the Act, it must give a business 30 days' notice to cure the alleged violation. We explore what it means to cure a violation below.

It is currently unclear how aggressive the Attorney General's office will be in enforcing the CCPA, especially during the period immediately after the Act goes into effect. One commentator has speculated that politics may play a role in enforcement, while another has noted that, in the past, the Attorney General's office has targeted only the most serious offenders with the most potential liability.

What penalties could businesses face if the Attorney General brings an action against them for violating the CCPA?

The CCPA authorizes the Attorney General to recover civil penalties of up to $2,500 "for each violation," and up to $7,500 "for each violation" if the violation is intentional. While the meaning of the phrase "for each violation" may vary based on the facts of each case, these penalties could be substantial where multiple consumers are affected by a business practice or event.

Enforcement of the Act by "consumers"

When can consumers bring an action against a business?

The CCPA does not provide a private right of action for all violations of the Act. Rather, consumers can only sue if their nonencrypted or nonredacted personal information is subject to "unauthorized access and exfiltration, theft or disclosure" due to a business' failure to "implement and maintain reasonable security procedures appropriate to the nature of the information."

What kind of personal information must be breached to provide a private right of action under the CCPA?

Unlike the other provisions of the CCPA, which broadly define "personal information," the consumer private right of action is available only with respect to a limited set of information, defined in a separate California statute (Civil Code section 1798.81.5). The categories of information subject to the CCPA's consumer right of action are similar to the categories of information subject to California's data breach notification law, and include an individual's first name or first initial and last name in combination with data elements such as a social security number, financial account number, driver's license number, medical information, etc.

However, in September 2019, the California legislature passed AB 1130, which expands the types of personal information that may serve as the basis for a consumer action under the CCPA to include:

  • Tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.

It is possible that California lawmakers will choose to add to this list in future legislative sessions.

What steps must a consumer take in order to bring an action under the CCPA?

The CCPA further limits the private right of action by setting forth a pre-lawsuit procedure that consumers must follow in order to assert a claim for statutory damages under the Act:

  • Prior to initiating an action for statutory damages, a consumer must first provide 30 days' written notice to the relevant business that identifies the specific provisions of the CCPA the consumer alleges have been or are being violated
  • If the business "actually" cures the identified violation within the 30 days specified in the notice, and provides the consumer an express written statement that the alleged violations have been cured and that no further violations shall occur, the consumer cannot initiate a lawsuit for individual statutory damages or class-wide statutory damages
  • However, if a business subsequently violates the CCPA in a manner inconsistent with its express written statement, the consumer may: (i) initiate an action against the business to enforce the written statement; and (ii) pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement

Is notice and the right to cure required when a consumer wants to bring an action for actual damages or harm he or she alleges to have suffered due to a personal information breach?

No. If a consumer sues solely for "actual pecuniary damages" incurred as a result of the data breach, the consumer can proceed with the action without providing prior notice or giving the business the opportunity to cure.

If consumers bring an action against a business, what statutory damages are available?

The CCPA provides statutory damages for consumer suits, including class action claims, of no less than $100 and up to $750 per consumer per incident (or actual damages, whichever is greater). When assessing these damages, courts must consider the following:

  • Nature and seriousness of the misconduct;
  • Number of violations;
  • Persistence of the misconduct;
  • Time of misconduct;
  • Defendant's willfulness; and
  • Defendant's assets, liabilities, and net worth.

Won't these statutory damage claims, especially if alleged in a class action, result in enormous awards?

Yes, probably. The CCPA is the first statute to provide individuals with a private right of action and statutory damages for data breaches. Prior to the CCPA, plaintiffs often had difficulty alleging or proving that they suffered any harm as a result of a data breach affecting their personal information. While courts have split on the issue, in many cases courts have dismissed plaintiffs' claims at the pleading stage or on a motion for summary judgment for failure to establish harm. On its face, the CCPA does not require consumers to plead or prove that they were actually harmed by a data breach. In fact, the Act distinguishes between "actual pecuniary damages" and statutory damages, which are available regardless of actual harm.

What does this mean on a practical level? It means that smaller data breaches that were previously not attractive targets for class action litigation are much more likely to be the subject of class action litigation under the CCPA. A breach affecting 1,000 or 10,000 or 100,000 California residents may not previously have presented enough potential liability (or monetary damages) to draw the attention of the plaintiffs' bar, particularly in the absence of any evidence that individuals were harmed as a result of the breach. After January 1, 2020, these cases will present significant potential exposure, regardless of whether anyone was actually harmed by the breach. Applying the $100 to $750 per-consumer range, for example:

  • 10,000 affected California residents = $1 million to $7.5 million exposure
  • 100,000 affected California residents = $10 million to $75 million exposure
  • 1,000,000 affected California residents = $100 million to $750 million exposure
  • 10,000,000 affected California residents = $1 billion to $7.5 billion exposure

As you can surmise, statutory damage penalties have the potential to put businesses of all sizes (but especially small and medium-sized companies) out of business.

Are there any defenses or Constitutional arguments to these outlandish damage claims?

It seems there should be fertile ground to challenge the statutory damages available under the CCPA. For example, in BMW of North America, Inc. v. Gore, 517 U.S. 559 (1996), the U.S. Supreme Court set aside a punitive damages award against BMW as grossly excessive, holding that it violated the Due Process Clause of the Fourteenth Amendment. A similar argument has the potential to succeed here, where businesses could face hundreds of millions or even billions of dollars in statutory damages for CCPA violations that did not result in any actual harm to consumers.

Can I require consumers to waive the right to file a class action or submit CCPA claims to arbitration?

Due to the significant statutory damages available in a successful data breach class action, some businesses might be tempted to restrict consumers' right to pursue class relief or to bring a suit in court. But the CCPA anticipated this and specifically states that it is against public policy to waive or limit consumers' rights under the Act, including any right to a remedy or means of enforcement. However, many believe that these limitations on arbitration will be preempted by the Federal Arbitration Act.

Liability based on the actions of business partners

Can I be liable for what my business partners or other third parties do with the information I give them?

While the CCPA is far from explicit on this point, a business that shares personal information with a third party could be liable for the third party's violations of the Act. The definition of "third party" indicates that an entity is not a third party if a business enters into a written agreement with the entity prohibiting:

  • the sale of personal information;
  • retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract; or
  • retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.

The ability to cure violations of the CCPA

What does it mean to "cure" a violation of the Act?

As discussed above, in most cases the Attorney General or the consumer(s) seeking to bring an action under the Act must give a business the opportunity to cure the alleged violation. If a business can cure the violation, it is not liable for statutory damages. But the Act does not define what it means to "cure" an alleged violation.

The notion of "cure" could be interpreted narrowly or broadly. On the one hand, businesses will want to interpret "cure" narrowly to mean that the specific incident has been cured to the extent possible at the time the business receives the notice of the violation. For example, businesses could argue that a cure for a data breach would be remedying the specific reason data was released in that instance (e.g., re-training the employee who fell victim to a phishing attack) and providing identity theft protection services to consumers known to be affected by the breach (which is already required in some instances by California law).

On the other hand, plaintiffs will want to interpret "cure" broadly to mean that the business' "reasonable security procedures and practices" have been remedied as a whole. For example, in the event of a data breach, plaintiffs may take the position that, amongst other measures a business must take to cure the breach, the requirement that a business certify that "no further violations shall occur" means that the business must state in writing that it has implemented new security measures such that no future data breaches shall ever occur.

Commentators have expressed skepticism about the ability of a business to actually cure a violation, especially in an action brought by a consumer relating to a data breach. For example, how does a business cure a data breach involving the personal information of thousands of customers? Others have wondered whether it is possible for a business to cure a past breach at all, or whether it will suffice to prospectively cure the security deficiencies that led to it. The answers to these questions remain to be determined.

Notably, even if a business can cure the violation, it could still be liable for actual damages/harm (as opposed to statutory damages) suffered by a consumer. However, plaintiffs in data breach cases often have not suffered any actual damages—the simple disclosure of their information typically is insufficient, particularly where the information by its nature cannot be used for any malicious or injurious purpose—so eliminating the possibility of statutory damages by curing a violation may effectively end a claim against a business.

How long does my business have to cure a violation of the CCPA?

A business has 30 days after receiving notice from the Attorney General or consumer(s) in order to cure the violation. The Act does not specify what a business must do to certify that it has cured a violation when it has received notice from the Attorney General.

When consumers give written notice to a business of a potential action, there is an extra requirement for completing the "cure." A business must, within 30 days, provide a written statement to the consumer that the violation has been cured and that "no further violations shall occur." Again, what this actually means is unclear.

The Act does not require the business to say how it cured the violation or how it can certify that "no further violations shall occur." Businesses will have to consider carefully whether they can certify that "no further violations shall occur." If a business fails to live up to a certification made to a consumer and continues to violate the CCPA, the consumer can bring an action "to enforce the written statement" and for statutory damages "for each breach of the express written statement" and for "any other violation . . . that postdates the written statement."

If my business receives a notice that we have allegedly violated the CCPA, how do we start trying to cure the violation?

While the meaning of "cure" is unclear, prompt action will be key. Businesses have just 30 days to cure the violation after receiving notice of an alleged CCPA violation. Depending on the facts of the case and how broadly "cure" is interpreted, a cure could require significant changes to a business' security practices. Such changes could involve bringing in technical experts or outside consultants, updating IT systems or taking other time-consuming steps.

We recommend contacting outside counsel as soon as your business receives notice of an alleged violation of the Act. Your outside counsel should be able to provide advice on potential ways to cure the violation, as well as offer updates on guidance from the Attorney General and any developments in CCPA litigation involving the meaning of "cure."

Cooley has a Data Breach hotline, which provides 24×7 incident response services from experienced cybersecurity lawyers. You can reach the Data Breach Hotline at incident.response@cooley.com, or by calling +1 (844) 476-1248 or +1 (415) 693-2888.

How will my business know if we have successfully cured the violation? Will our attempt to "cure" just lead to more litigation?

Whether a business has cured a violation likely will depend heavily on the facts of each case and how "cure" is interpreted by the California Attorney General or case law. Because of that, it is possible that the Attorney General or a consumer may decide to proceed with an action for statutory damages even if a business has attempted to cure.

An analogous notice and cure provision exists in California's Consumer Legal Remedies Act ("CLRA"), which allows individuals who purchase or lease goods or services to sue for certain unfair business practices. That statute offers a bit more guidance as to what constitutes a cure, saying that a business must provide an "appropriate correction, repair, replacement, or other remedy." Even so, the cure provision has led to litigation both over whether a plaintiff satisfied the notice requirement and whether the defendant properly cured the alleged violation. In fact, one court dealing with a CLRA claim said that it could not determine whether a business cured the violation "at the pleading stage," which means the case could have proceeded into discovery despite the business' attempt to cure.

Assuming courts approach the CCPA's cure provision in a similar manner, they may be reluctant to dismiss cases early in litigation based on businesses' claims that they cured violations. This means that the CCPA's cure provision may fail to provide a means of avoiding litigation, and instead may merely add to the issues to be litigated.

One additional, practical consideration is that if a business attempts to cure a violation and the plaintiffs opt to proceed with a lawsuit, the business could use the cure as a bargaining chip in settlement negotiations. This is because not only could the business contest whether it is liable for the alleged violation in the first place, but it also could argue that the cure was sufficient, meaning plaintiffs would be unable to recover statutory damages.

The bottom line is that it is not currently clear whether the cure will actually help businesses avoid litigation or whether it will become another issue to argue about in court. The value of the cure provision will not become clearer until more guidance is provided, either by the Attorney General or the courts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
