The CCPA's Private Right of Action

In the short time since the California Consumer Privacy Act (CCPA) came into effect, there have been several high-profile lawsuits against businesses that have allegedly failed to properly secure consumers' personal information.

California has the most data breaches of any state, so we can expect to see many more CCPA claims. However, the CCPA's private right of action is relatively narrow and will only apply in quite specific situations.

In this article, we'll take a detailed look at how the CCPA's private right of action works, and how to avoid being taken to court by California consumers.

Who is Covered by the CCPA Private Right of Action

The CCPA's private right of action allows consumers to bring a private legal case against a business that will be heard before the California courts.

Businesses, Consumers, Personal Information

The CCPA protects "consumers," meaning California residents. As such, only consumers can exercise the CCPA's private right of action, and can do so as individual plaintiffs or in a class action.

Consumers can only bring a private legal claim under the CCPA's private right of action against businesses, not service providers or other parties.

Under the CCPA, a "business" is a legal entity that:

  • Operates for profit in California
  • Decides why and how to process personal information
  • Meets one or more of the following thresholds:

    • It has annual gross revenues of at least $25 million
    • It buys, sells, and/or receives or shares for commercial purposes the personal information of at least 50,000 consumers, devices, or households
    • It derives at least 50 percent of its annual revenues from the sale of consumers' personal information

Relevant Types of Personal Information

Businesses may be relieved to learn that only certain types of personal information are relevant to the CCPA's private right of action provision.

As such, only businesses that collect these relevant types of personal information are likely to be subject to a successful private action.

For the most part, the CCPA has an extremely broad definition of personal information:

"Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

However, with regard to the private right of action, the definition of personal information only includes those types of data identified in Section 1798.81.5(d)(1)(A) of the California Civil Code, also known as California's Data Breach Notification Law.

This means that "personal information," for our purposes, refers to a data set including both elements 1 and 2 below, where at least one of the elements is not encrypted and is not redacted:

  1. A person's first name or first initial, AND their last name
  2. One or more of the following elements:

    1. Social security number
    2. Any unique ID number that is "issued on a government document commonly used to verify the identity of a specific individual," such as:

      1. Driver's license number
      2. California ID card number
      3. Tax ID number
      4. Passport number
      5. Military ID number
    3. Account number or credit/debit card number, in combination with any required information that would permit access to the account, such as:

      1. Security code
      2. Access code
      3. Password
    4. Medical information
    5. Health insurance information
    6. Biometric information, not including a physical or digital photo (unless used for identification purposes), such as:

      1. Fingerprint
      2. Retina image
      3. Iris image

The above types of personal information are particularly sensitive, and you should take extra steps to secure them to avoid a claim under the CCPA.

Violations That Can Give Rise to Private Legal Action

Unlike the CCPA's civil penalties provision, whereby the California Attorney-General can take legal action against a business that violates any part of the CCPA, the private right of action applies only in the event of a data breach.

The nature of an actionable data breach is also quite specific and will not apply in all cases.

Elements of a Data Breach

The type of data breach that can give rise to private legal action under the CCPA is set out in section 1798.150(a)(1):

[Screenshot: California Legislative Information, CCPA section 1798.150(a)(1), data breach civil action]

Note that there are four interlinked elements here, all of which must be present for a claim to succeed:

  1. Unauthorized access, AND
  2. Exfiltration, theft, or disclosure, AS A RESULT OF
  3. Failure to implement and maintain reasonable security procedures and practices to protect the personal information, THAT ARE
  4. Appropriate to the nature of the information

Unauthorized Access and Exfiltration, Theft, or Disclosure

For the purposes of the CCPA, the fundamental definition of a data breach is the unauthorized access and exfiltration, theft, or disclosure of personal information.

Note that the breached personal information must be both accessed and exfiltrated, stolen, or disclosed.

Therefore, the mere loss of personal information (e.g. if an employee leaves a USB drive on a train) should not give rise to private action unless the information is also subject to unauthorized access.

This would appear to be a high threshold for consumers, but the courts may interpret this provision more narrowly.

Remember that "unauthorized access" may arise from inside your business as well as from outside actors.

Reasonable Security Procedures and Practices

An actionable breach occurs when a business fails "to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."

The CCPA doesn't define "reasonable security procedures and practices." The best starting point for understanding what this means is the California Data Breach Report from February 2016.

The key takeaway from this report is below:

[Screenshot: California Data Breach Report, Recommendation 1 - Information security]

Here, the California Attorney-General defines a reasonable standard of security as the implementation of all 20 of the Center for Internet Security (CIS) Critical Security Controls (insofar as they relate to your business).

We'll be examining the CIS Controls below.

Amount of Damages

Damages resulting from a private action under the CCPA can be calculated in two ways:

  • Actual damages
  • Statutory damages

The greater of these two will be awarded to the consumer(s) (not both).

Actual Damages

"Actual damages" means losses that resulted directly from the business's failure to properly secure user data.

For example, if a consumer's credit card details are breached, actual damages will equate to the money that is stolen from them.

Many data breaches involve other types of personal information, and actual damages can be difficult to prove. Therefore, claims for actual damages are likely to be less common than those for statutory damages.

Statutory Damages

The extent of statutory damages will be decided by the court, and this amount is not directly related to any actual losses incurred by the consumer bringing the case against the business.

Statutory damages will be calculated as an amount between $100 and $750, per consumer, per incident.

One "incident" occurs each time a consumer's data is breached. Most data breaches involve large numbers of consumers and so the volume of "incidents" will typically be very high.

The court will consider several factors when assessing the amount of statutory damages to be awarded to a consumer:

  • The nature and seriousness of the business's misconduct
  • The persistence of the misconduct
  • The duration of the misconduct
  • The willfulness of the business's misconduct
  • The business's:

    • Assets
    • Liabilities
    • Net worth

Notice and Cure Provision

Before a consumer can pursue statutory damages from a business, the CCPA requires them to give the business an opportunity to fix the problem.

This is known as the "notice and cure" provision.

Thirty Days' Notice for Statutory Damages

A consumer (or group of consumers) must give a business thirty days' written notice before bringing a private legal claim.

The consumer must specify which provisions of the CCPA they allege the business is violating.

A consumer pursuing "actual pecuniary damages" (pecuniary meaning monetary) is not required to give this notice period.

Curing a Violation

Within 30 days of receiving notice, the business must:

  • "Actually cure" the violation, and
  • Provide the consumer with an express written statement that:

    • The violation has been cured
    • No further violations will occur

The CCPA does not provide a definition of "actual cure." There are several possible interpretations of this term.

A "cure" could be the effective stemming of a data leak, together with the rectification of whatever security flaws gave rise to the leak.

Note, however, that the statute acknowledges that a cure may not be possible. Previous California cases suggest that the prevention of possible future violations does not serve to cure the original violation with respect to a consumer.

It may be that once a data breach has occurred, and a consumer's personal information is lost, "the damage is done" and an actual cure will be impossible in most cases.

However, businesses "on notice" of a CCPA violation should be making every effort to reassure consumers by improving the security of their systems, re-training employees, etc. Even if this is not deemed to be an "actual cure," it may lead to a lower liability in statutory damages.

Avoiding Private Claims Under the CCPA

The CCPA gives businesses the opportunity to avoid private legal action for statutory damages even where a data breach has occurred.

But with sufficiently good data protection practices, it is unlikely that your business will encounter any threats of legal action under the CCPA.

Secure Consumers' Personal Information

As noted, the CCPA is not specific about how to implement reasonable security controls.

However, the California Attorney-General has indicated that implementing the Center for Internet Security (CIS) Controls represents a minimum standard of reasonable security in similar contexts.

Here's an overview of the 20 controls:

  1. Inventory of authorized and unauthorized devices
  2. Inventory of authorized and unauthorized software
  3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
  4. Continuous vulnerability assessment and remediation
  5. Controlled use of administrative privileges
  6. Maintenance, monitoring, and analysis of audit logs
  7. Email and web browser protection
  8. Malware defenses
  9. Limitation and control of network ports, protocols, and services
  10. Data recovery capability
  11. Secure configurations for network devices such as firewalls, routers, and switches
  12. Boundary defense
  13. Data protection
  14. Controlled access based on the need to know
  15. Wireless access control
  16. Account monitoring and control
  17. Security skills assessment and appropriate training to fill gaps
  18. Application software security
  19. Incident response and management
  20. Penetration tests and red team exercises

Read more about the steps you can take to implement data security in your business in our articles: NY Shield: How to Implement a Data Security Program and IT Security Policy.

Remember that the private right of action is relevant only to personal information that has not been encrypted or redacted. Therefore, you should encrypt personal information wherever possible.

Comply With All Other CCPA Provisions

The first wave of class actions under the CCPA has begun, and some of these cases make various claims about businesses violating CCPA provisions other than the obligation to secure consumers' personal information.

For example, in the class action against Zoom, the plaintiffs accuse video conferencing software company Zoom Inc. of failing to provide proper notice of the collection and disclosure of their personal information.

The plaintiffs in the Zoom case may have reasonable grounds to argue that Zoom failed to give proper notice under the CCPA. However, it is unclear whether their case will succeed, given that failing to give notice is not a violation that should give rise to the private cause of action.

According to the CCPA, it is for the Attorney-General to bring a case for a civil penalty against a business that has violated the CCPA's other provisions.

That being said, it is clear that the violation of other CCPA provisions is leading to class action cases being brought against businesses. Regardless of the merits of such cases, this is something every business will want to avoid.

Therefore, proactive compliance with all obligations under the CCPA is essential for any business falling under its jurisdiction.

Some key ways in which you can ensure your business complies with the CCPA include:

Summary

Here's what you need to know about the CCPA's private right of action:

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.