This post does not reflect amendments to the California Consumer Privacy Act (CCPA) enacted on October 11, 2019. Check back for updates or follow this blog.
As we approach the January 1, 2020 effective date of the California Consumer Privacy Act (“CCPA” or “Act”) it is a good time to consider what is at stake for businesses that fail to comply with the Act. With this in mind, we focus this FAQ installment on litigation and regulatory enforcement issues arising from the Act, including:
- enforcement of the CCPA by the California Attorney General, including statutory penalties;
- enforcement of the CCPA by consumers, including statutory damages, class action risk and limitations on waiving rights under the Act;
- potential liability for businesses arising out of their business partners’ processing of personal information; and
- the ability and impact of curing violations of the CCPA, including the potential impact on how businesses respond to an incident.
Authority to enforce the CCPA
Who can bring actions against businesses under the Act?
As we discussed briefly in part 1 of this series, the CCPA authorizes two types of enforcement actions:
- First, the California Attorney General can bring actions against non-compliant businesses under Section 17206 of the California Business and Professions Code.
- Second, “consumers” have a limited private right of action in the event of a data breach involving “nonencrypted or nonredacted personal information.” An overview of who qualifies as a “consumer” is provided in part 1 of this series.
The Act also requires the Attorney General to seek input from the public and establish rules and procedures “to further the purposes” of the sections of the Act providing for these causes of action by July 1, 2020. We are expecting the first draft of these regulations in October 2019.
Enforcement of the Act by the California Attorney General
When can the Attorney General bring an action against a business?
The Attorney General can bring an action against a business for any violation of the Act. This includes both intentional and unintentional violations. Before the Attorney General’s office can bring an action for a violation of the Act, it must give a business 30 days’ notice to cure the alleged violation. We explore what it means to cure a violation below.
It is currently unclear how aggressive the Attorney General’s office will be in enforcing the CCPA, especially during the period immediately after the Act goes into effect. One commentator has speculated that politics may play a role in enforcement, while another has noted that, in the past, the Attorney General’s office has targeted only the most serious offenders with the most potential liability.
What penalties could businesses face if the Attorney General brings an action against them for violating the CCPA?
The CCPA authorizes the Attorney General to recover penalties of up to $2,500 “for each violation,” and, if the violation is intentional, up to $7,500 “for each violation.” While the meaning of the phrase “for each violation” may vary based on the facts of each case, these penalties could be substantial where multiple consumers are affected by a business practice or event.
Enforcement of the Act by “consumers”
When can consumers bring an action against a business?
The CCPA does not provide a private right of action for all violations of the Act. Rather, consumers can only sue if their nonencrypted or nonredacted personal information is subject to “unauthorized access and exfiltration, theft or disclosure” due to a business’ failure to “implement and maintain reasonable security procedures appropriate to the nature of the information.”
What kind of personal information must be breached to provide a private right of action under the CCPA?
Unlike the other provisions of the CCPA, which broadly define “personal information,” the consumer private right of action is available only with respect to a limited set of information, defined in a separate California statute. The categories of information subject to the CCPA’s consumer right of action are similar to the categories of information subject to California’s data breach notification law, and include an individual’s first name (or first initial) and last name in combination with various data elements such as a social security number, financial account number, driver’s license number, medical information, etc.
However, in September 2019, the California legislature passed AB 1330, which expands the types of personal information that may serve as the basis for a consumer action under the CCPA to include:
- Tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
- Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
It is possible that California lawmakers will choose to add to this list in future legislative sessions.
What steps must a consumer take in order to bring an action under the CCPA?
The CCPA further limits the private right of action by setting forth a pre-lawsuit procedure that consumers must follow in order to assert a claim for statutory damages under the Act:
- Prior to initiating an action for statutory damages, a consumer must first provide 30 days’ written notice to the relevant business that identifies the specific provisions of the CCPA the consumer alleges have been or are being violated;
- If the business “actually” cures the identified violation within the 30 days specified in the notice, and provides the consumer an express written statement that the alleged violations have been cured and that no further violations shall occur, the consumer cannot initiate a lawsuit for individual statutory damages or class-wide statutory damages;
- However, if a business subsequently violates the CCPA in a manner inconsistent with its express written statement, the consumer may: (i) initiate an action against the business to enforce the written statement; and (ii) pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.
Is notice and the right to cure required when a consumer wants to bring an action for actual damages or harm he or she alleges to have suffered due to a personal information breach?
No. If a consumer sues solely for “actual pecuniary damages” incurred as a result of the data breach, they can proceed with an action without providing prior notice or giving the business the opportunity to cure.
If consumers bring an action against a business, what statutory damages are available?
The CCPA provides statutory damages for consumer suits, including class action claims, for no less than $100 and up to $750. When assessing these damages, courts must consider the following:
- Nature and seriousness of the misconduct;
- Number of violations;
- Persistence of the misconduct;
- Time of misconduct;
- Defendant’s willfulness; and
- Defendant’s assets, liabilities, and net worth.
Won’t these statutory damage claims, especially if alleged in a class action, result in enormous awards?
Yes, probably. The CCPA is the first statute to provide individuals with a private right of action and statutory damages for data breaches. Prior to the CCPA, plaintiffs often had difficulty alleging or proving that they suffered any harm as a result of a data breach affecting their personal information. While courts have split on the issue, in many cases courts have dismissed plaintiffs’ claims at the pleading stage or on a motion for summary judgment for failure to establish harm. On its face, the CCPA does not require consumers to plead or prove they were actually harmed by a data breach. In fact, the Act makes a distinction between “actual pecuniary damages” and statutory damages, which are available regardless of actual harm.
What does this mean on a practical level? It means that smaller data breaches that were previously not attractive targets for class action litigation are much more likely to be the subject of class action litigation under the CCPA. A breach affecting 1,000, 10,000 or 100,000 California residents may not have previously presented enough potential liability (or monetary damages) to draw the attention of the plaintiffs’ bar, particularly in the absence of any evidence that individuals were harmed as a result of the breach. After January 1, 2020, these cases will present significant potential exposure, regardless of whether anyone was actually harmed by the breach. For example:
- 10,000 affected California residents = $1 million to $7.5 million exposure
- 100,000 affected California residents = $10 million to $75 million exposure
- 1,000,000 affected California residents = $100 million to $750 million exposure
- 10,000,000 affected California residents = $1 billion to $7.5 billion exposure
As you can surmise, statutory damage penalties have the potential to put businesses of all sizes (but especially small and medium-sized companies) out of business.
Are there any defenses or Constitutional arguments to these outlandish damage claims?
It seems there should be fertile ground to challenge statutory damages available under the CCPA. For example, in BMW of North America, Inc. v. Gore, 517 U.S. 559 (1996), the U.S. Supreme Court limited the amount of punitive damages awarded against BMW on the grounds that the award violated the Due Process Clause of the Fourteenth Amendment. A similar argument has potential to succeed here, where businesses could face hundreds of millions or even billions of dollars in statutory damages for CCPA violations that did not result in any actual harm to consumers.
Can I require consumers to waive the right to file a class action or submit CCPA claims to arbitration?
Due to the significant statutory damages available in a successful data breach class action, some businesses might be tempted to restrict consumers’ right to pursue class relief or to bring a suit in court. But the CCPA anticipated this and specifically states that it is against public policy to waive or limit consumers’ rights under the Act, including any right to a remedy or means of enforcement. However, many believe that these limitations on arbitration will be preempted by the Federal Arbitration Act.
Liability based on the actions of business partners
Can I be liable for what my business partners or other third parties do with the information I give them?
While the CCPA is far from explicit on this point, a business that shares personal information with a third party could be liable for the third party’s violations of the Act. The definition of “third party” indicates that an entity is not a third party if a business enters into a written agreement with the entity prohibiting:
- the sale of personal information;
- retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract; or
- retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
The ability to cure violations of the CCPA
What does it mean to “cure” a violation of the Act?
As discussed above, in most cases the Attorney General or the consumer(s) seeking to bring an action under the Act must give a business the opportunity to cure the alleged violation. If a business can cure the violation, it is not liable for statutory damages. But the Act does not define what it means to “cure” an alleged violation.
The notion of “cure” could be interpreted narrowly or broadly. On the one hand, businesses will want to interpret “cure” narrowly to mean that the specific incident has been cured to the extent possible at the time the business receives the notice of the violation. For example, businesses could argue that a cure for a data breach would be remedying the specific reason data was released in that instance (e.g., re-training the employee who fell victim to a phishing attack) and providing identity theft protection services to consumers known to be affected by the breach (which is already required in some instances by California law).
On the other hand, plaintiffs will want to interpret “cure” broadly to mean that the business’ “reasonable security procedures and practices” have been remedied as a whole. For example, in the event of a data breach, plaintiffs may take the position that, amongst other measures a business must take to cure the breach, the requirement that a business certify that “no further violations shall occur” means that the business must state in writing that it has implemented new security measures such that no future data breaches shall ever occur.
Commentators have expressed skepticism about the ability of a business to actually cure a violation, especially for an action brought by a consumer related to a data breach. For example, how does a business cure a data breach involving the personal information of thousands of customers? Others have wondered whether it is possible for a business to cure a past breach at all, or whether it will suffice to prospectively cure security deficiencies. The answers to these questions remain to be determined.
Notably, even if a business can cure the violation, it could still be liable for actual damages/harm (as opposed to statutory damages) suffered by a consumer. However, plaintiffs in data breach cases often have not suffered any actual damages—the simple disclosure of their information typically is insufficient, particularly where the information by its nature cannot be used for any malicious or injurious purpose—so eliminating the possibility of statutory damages by curing a violation may effectively end a claim against a business.
How long does my business have to cure a violation of the CCPA?
A business has 30 days after receiving notice from the Attorney General or consumer(s) in order to cure the violation. The Act does not specify what a business must do to certify that it has cured a violation when it has received notice from the Attorney General.
When consumers give written notice to a business of a potential action, there is an extra requirement for completing the “cure.” A business must, within 30 days, provide a written statement to the consumer that the violation has been cured and that “no further violations shall occur.” Again, what this actually means is unclear.
The Act does not require the business to say how it cured the violation or how it can certify that “no further violations shall occur.” Businesses will have to consider carefully whether they can certify that “no further violations shall occur.” If a business fails to live up to a certification made to a consumer and continues to violate the CCPA, the consumer can bring an action “to enforce the written statement” and for statutory damages “for each breach of the express written statement” and for “any other violation . . . that postdates the written statement.”
If my business receives a notice that we have allegedly violated the CCPA, how do we start trying to cure the violation?
While the meaning of “cure” is unclear, prompt action will be key. Businesses have just 30 days to cure the breach after receiving notice of a CCPA violation. Depending on the facts of the case and how broadly “cure” is interpreted, a cure could require significant changes to a business’ security practices. Such changes could involve bringing in technical experts or outside consultants, updating IT systems or taking other time-consuming steps.
We recommend contacting outside counsel as soon as your business receives notice of an alleged violation of the Act. Your outside counsel should be able to provide advice on potential ways to cure the violation, as well as offer updates on guidance from the Attorney General and any developments in CCPA litigation involving the meaning of “cure.”
Cooley has a Data Breach hotline, which provides 24×7 incident response services from experienced cybersecurity lawyers. You can reach the Data Breach Hotline at incident.response@cooley.com, or by calling +1 (844) 476-1248 or +1 (415) 693-2888.
How will my business know if we have successfully cured the violation? Will our attempt to “cure” just lead to more litigation?
Whether a business has cured a violation likely will depend heavily on the facts of each case and how “cure” is interpreted by the California Attorney General or case law. Because of that, it is possible that the Attorney General or a consumer may decide to proceed with an action for statutory damages even if a business has attempted to cure.
An analogous notice and cure provision exists in California’s Consumer Legal Remedies Act (“CLRA”), which allows individuals who purchase or lease goods or services to sue for certain unfair business practices. That statute offers a bit more guidance as to what constitutes a cure, saying that a business must provide an “appropriate correction, repair, replacement, or other remedy.” Even so, the cure provision has led to litigation both over whether a plaintiff satisfied the notice requirement and whether the defendant properly cured the alleged violation. In fact, one court dealing with a CLRA claim said that it could not determine whether a business cured the violation “at the pleading stage,” which means the case could have proceeded into discovery despite the business’ attempt to cure.
Assuming courts approach the CCPA’s cure provision in a similar manner, they may be reluctant to dismiss cases early in litigation based on businesses’ claims that they cured violations. This means that the CCPA’s cure provision may fail to provide a means of avoiding litigation, and instead may merely add to the issues to be litigated.
One additional, practical consideration is that if a business attempts to cure a violation and the plaintiffs opt to proceed with a lawsuit, the business could use the cure as a bargaining chip in settlement negotiations. This is because not only could the business contest whether it is liable for the alleged violation in the first place, but it also could argue that the cure was sufficient, meaning plaintiffs would be unable to recover statutory damages.
The bottom line is that it is not currently clear whether the cure will actually help businesses avoid litigation or whether it will become another issue to argue about in court. The value of the cure provision will not become clearer until more guidance is provided, either by the Attorney General or the courts.