29 June 2020
In the short time since the California Consumer Privacy Act (CCPA) came into effect, there have been several high-profile lawsuits against businesses that have allegedly failed to properly secure consumers' personal information.
California has the most data breaches of any state, so we can expect to see many more CCPA claims. However, the CCPA's private right of action is relatively narrow and will only apply in quite specific situations.
In this article, we'll take a detailed look at how the CCPA's private right of action works, and how to avoid being taken to court by California consumers.
The CCPA's private right of action allows consumers to bring a private legal case against a business that will be heard before the California courts.
The CCPA protects "consumers," meaning California residents. As such, only consumers can exercise the CCPA's private right of action, and can do so as individual plaintiffs or in a class action.
Consumers can only bring a private legal claim under the CCPA's private right of action against businesses, not service providers or other parties.
Under the CCPA, a "business" is a legal entity that:
Meets one or more of the following thresholds:
Businesses may be relieved to learn that only certain types of personal information are relevant to the CCPA's private right of action provision.
As such, only businesses that collect these relevant types of personal information are likely to be subject to a successful private action.
For the most part, the CCPA has an extremely broad definition of personal information:
"Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
However, with regard to the private right of action, the definition of personal information only includes those types of data identified in Section 1798.81.5 (D) (1) (A) of the California Civil Code, also known as California's Data Breach Notification Law (available here).
This means that "personal information," for our purposes, refers to a data set including both elements 1 and 2 below, where at least one of the elements is not encrypted and is not redacted:
One or more of the following elements:
Any unique ID number that is "issued on a government document commonly used to verify the identity of a specific individual," such as:
Account number or credit/debit card number, in combination with any required information that would permit access to the account, such as:
Biometric information, not including a physical or digital photo (unless used for identification purposes), such as:
The above types of personal information are particularly sensitive, and you should take extra steps to secure them to avoid a claim under the CCPA.
Unlike the CCPA's civil penalties provision, whereby the California Attorney-General can take legal action against a business that violates any part of the CCPA, the private right of action applies only in the event of a data breach.
The nature of an actionable data breach is also quite specific and will not apply in all cases.
The type of data breach that can give rise to private legal action under the CCPA is set out in section 1798.150 (a) (1):
Note that there are four interlinked elements here, all of which must be present for a claim to succeed:
For the purposes of the CCPA, the fundamental definition of a data breach is the unauthorized access and exfiltration, theft, or disclosure of personal information.
Note that the breached personal information must be both accessed and exfiltrated, stolen, or disclosed.
Therefore, the mere loss of personal information (e.g. if an employee leaves a USB drive on a train) should not give rise to private action unless the information is also subject to unauthorized access.
This would appear to be a high threshold for consumers, but the courts may interpret this provision more narrowly.
Remember that "unauthorized access" may arise from inside your business as well as from outside actors.
An actionable breach occurs when a business fails "to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."
The CCPA doesn't define "reasonable security procedures and practices." The best starting point for understanding what this means is the California Data Breach Report from February 2016 (available here).
The key takeaway from this report is below:
Here, the California Attorney-General defines a reasonable standard of security as the implementation of all 20 of the Center for Internet Security (CIS) Critical Security Controls (insofar as they relate to your business).
We'll be examining the CIS Controls below.
Damages resulting from a private action under the CCPA can be calculated in two ways:
The greater of these two will be awarded to the consumer(s) (not both).
"Actual damages" means losses that resulted directly from the business's failure to properly secure user data.
For example, if a consumer's credit card details are breached, actual damages will equate to the money that is stolen from them.
Many data breaches involve other types of personal information, and actual damages can be difficult to prove. Therefore, claims for actual damages are likely to be less common than those for statutory damages.
The extent of statutory damages will be decided by the court, and this amount is not directly related to any actual losses incurred by the consumer bringing the case against the business.
Statutory damages will be calculated as an amount between $100 and $750, per consumer, per incident.
One "incident" occurs each time a consumer's data is breached. Most data breaches involve large numbers of consumers and so the volume of "incidents" will typically be very high.
The court will consider several factors when assessing the amount of statutory damages to be awarded to a consumer:
Before a consumer can pursue statutory damages from a business, the CCPA requires them to give the business an opportunity to fix the problem.
This is known as the "notice and cure" provision.
A consumer (or group of consumers) must give a business thirty days' written notice before bringing a private legal claim.
The consumer must specify which provisions of the CCPA they allege the business is violating.
A consumer pursuing "actual pecuniary damages" (pecuniary meaning monetary) is not required to give this notice period.
Within 30 days of receiving notice, the business must:
Provide the consumer with an express written statement that:
The CCPA does not provide a definition of "actual cure." There are several possible interpretations of this term.
A "cure" could be the effective stemming of a data leak, together with the rectification of whatever security flaws gave rise to the leak.
Note, however, that the statute acknowledges that a cure may not be possible. Previous California cases suggest that the prevention of possible future violations does not serve to cure the original violation with respect to a consumer.
It may be that once a data breach has occurred, and a consumer's personal information is lost, "the damage is done" and an actual cure will be impossible in most cases.
However, businesses "on notice" of a CCPA violation should be making every effort to reassure consumers by improving the security of their systems, re-training employees, etc. Even if this is not deemed to be an "actual cure," it may lead to a lower liability in statutory damages.
The CCPA gives businesses the opportunity to avoid private legal action for statutory damages even where a data breach has occurred.
But with sufficiently good data protection practices, it is unlikely that your business will encounter any threats of legal action under the CCPA.
As noted, the CCPA is not specific about how to implement reasonable security controls.
However, the California Attorney-General has indicated that implementing the Center for Internet Security (CIS) Controls represents a minimum standard of reasonable security in similar contexts (more information about the CIS Controls is available here).
Here's an overview of the 20 controls:
Read more about the steps you can take to implement data security in your business in our articles: NY Shield: How to Implement a Data Security Program and IT Security Policy.
Remember that the private right of action is relevant only to personal information that has not been encrypted or redacted. Therefore, you should encrypt personal information wherever possible.
The first wave of class actions under the CCPA has begun, and some of these cases make various claims about businesses violating CCPA provisions other than the obligation to secure consumers' personal information.
For example, in the class action against Zoom, the plaintiffs accuse video conferencing software company Zoom Inc. of failing to provide proper notice of the collection and disclosure of their personal information.
The plaintiffs in the Zoom case may have reasonable grounds to argue that Zoom failed to give proper notice under the CCPA. However, it is unclear how their case will succeed, given that failing to give notice is not a violation that should give rise to the private cause of action.
According to the CCPA, it is for the Attorney-General to bring a case for a civil penalty against a business that has violated the CCPA's other provisions.
That being said, it is clear that the violation of other CCPA provisions is leading to class action cases being brought against businesses. Regardless of the merits of such cases, this is something every business will want to avoid.
Therefore, proactive compliance with all obligations under the CCPA is essential for any business falling under its jurisdiction.
Some key ways in which you can ensure your business complies with the CCPA include:
Here's what you need to know about the CCPA's private right of action:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.