Let the Litigation Begin! California Residents Already Filing Enforcement Actions Under the CCPA
March 19, 2020
The ink is still wet, and the dust has hardly settled after the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Yet starting in February, two class actions were filed by California residents pursuant to the CCPA. For more information on these two cases and some background on the CCPA, see below.
Enacted on the heels of the European Union’s General Data Protection Regulation (GDPR), the CCPA is the first, but certainly not the last, stateside data privacy law of its kind. The CCPA’s focus is three-fold: (1) provides consumers greater control over their personal information; (2) promotes transparency in businesses’ data practices; and (3) prevents misuse of consumer data. To accomplish these goals, the CCPA provides the California Attorney General and individual consumers the ability to enforce their data privacy rights through civil action.
CCPA Enforcement – Who Can Bring a Lawsuit Alleging Violations?
With a private right of action available as of January 1, 2020 (the date of enactment), California residents are already seeking judicial intervention for alleged violations of the CCPA. There are two ways that CCPA violations can be prosecuted: 1) by civil action commenced by the California Attorney General, and 2) by civil action commenced by individual consumers.
Having general enforcement authority, the Attorney General may prosecute CCPA violations on behalf of the people of California by commencing civil litigation against noncompliant businesses. Both injunctive and monetary remedies are available. Civil penalties range anywhere from up to $2,500 per violation and up to $7,500 for each intentional violation. Though enforcement actions may not be brought by the Attorney General until July 1, 2020, businesses’ compliance as of January 1, 2020 may be assessed for purposes of determining penalties.
In limited circumstances, consumers—meaning California residents—also have a private right of action under the CCPA. The private right of action under CPPA is limited to circumstances in which consumers’ personal information is subject to a data breach caused by the failure to maintain adequate security. Unfortunately, the CCPA fails to clarify what constitutes reasonable security procedures which complicates compliance efforts for even the most sophisticated and diligent businesses.
Before a consumer may bring a private action under the CCPA seeking statutory damages, covered businesses must be given 30-days' written notice identifying alleged violations. During this 30-day window, the business has an opportunity to cure the noticed violations. The cure provisions relate to a business’s failure to maintain reasonable security. Thus, upon notice, a business has 30 days to implement appropriate security mechanisms in order to avoid statutory damages under CCPA. These notice and cure provisions do not apply to individual consumers seeking actual damages or injunctive relief. If notice is given and violations are not cured, a private civil action may be filed. Within 30 days of filing, the consumer must also notify the Attorney General.
Consumers whose personal information is the subject of a data breach may file a civil action seeking damages, injunctive relief, and/or any other relief that a court deems proper. Consumers’ damages are limited to the greater of $100-750 per violation, or the actual damages resulting from the breach. While the per violation statutory penalty appears de minimis, potential liability for the actual damages resulting from the breach could be in the millions. Indeed, the average cost of a data breach is around $3.5 million. Therefore, the cost of non-compliance could be devastating, and in some instances, could lead to insolvency.
Recent Lawsuits Raising CCPA Violations
Despite these limitations, consumers are already pushing the boundaries of the CCPA’s private right of action. At least two proposed class actions alleging CCPA violations have been commenced in federal court in California.
Burke v. Clearview AI, Inc., was filed in the Southern District of California on February 27, 2020. The complaint alleges that the CCPA was violated when Clearview collected and sold consumers’ personal information [list examples of personal information] without first notifying consumers or obtaining their consent. As opposed to alleging injuries related to a data breach, the complaint raises allegations of general noncompliance with the CCPA. It is, therefore, unclear whether this action has stated a viable claim under the CCPA. In an attempt to avoid this problem, the complaint frames the CCPA violations as violations of California’s Unfair Competition Law (“UCL”), which prohibits business practices that violate other laws. The complaint does not plead a standalone CCPA violation. The UCL borrows violations from other laws, treats them as unlawful practices under the UCL and makes them independently actionable. Despite its far reach, the UCL is not unlimited in scope. No action lies under the UCL for violations of other laws where the legislature has concluded that no action should lie. But, the CCPA itself precludes a claim under UCL in stating, “nothing in the act shall be interpreted to serve as the basis for a private right of action under any other law.” Thus, while the Burke complaint is creative in recasting the alleged CCPA violations as unlawful practices under the UCL, it too is likely to fail.
Barnes v. Hanna Andersson, LLC, another class action raising CCPA violations, was filed in the Northern District of California on February 3, 2020. In contrast to Burke, the allegations in the Barnes complaint relate to a data breach involving consumer data. Although the complaint pleads facts which form the basis of a permissible private action under the CCPA, the facts giving rise to this complaint occurred in 2019, before the CCPA became effective. The CCPA is silent as to whether it applies retroactively to data breaches predating its effective date. However, the general rule followed by California courts is that a statute does not apply retroactively absent a clear expression to the contrary. Though California courts have sometimes deviated from this rule, neither the legislative history nor the text of the CCPA indicate an intent that it apply retroactively. A determination allowing retroactive application of the CCPA would drastically expand the potential liability of covered businesses.
As both cases are in the very early stages of litigation, it remains to be seen how either will be resolved.
Though the exact contours of the private right of action under the CCPA are largely unknown at this time, the mere threat of costly and time-consuming litigation emphasizes the importance of beginning compliance efforts before the need for litigation arises. Covered businesses should also note that the California Attorney General, Xavier Becerra, has proposed an amendment that would allow a more expansive private right of action. In a letter sent to members of Congress on February 25, 2020, Becerra also urged federal law makers to follow the precedent set by California and use the “CCPA as a working model for data privacy.” This focus on expanding the CCPA and encouraging similar federal legislation suggests Becerra will not hesitate to enforce consumers’ data privacy rights come July.