As we approach the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA), many companies are feeling in the dark about how and when the CCPA will be enforced. Will the California Attorney General call on January 2nd? Will plaintiffs’ lawyers serve complaints on January 3rd? Will consumers push open the floodgates to privacy requests on January 4th?
While there are several deadlines at play, try not to panic. Last week, the California Attorney General, Xavier Becerra, told Reuters that his agency has “limited resources” and “will look kindly on those that . . . demonstrate an effort to comply.” Yet the AG represents only one of several CCPA enforcement mechanisms. Let’s take a look at what to expect in 2020.
Consumer Privacy Requests: Starting January 1, 2020
Starting January 1, 2020, California consumers will have more control over the personal information that covered businesses collect about them. Among other things, consumers will have the right to obtain a copy of the personal information collected about them in the last 12 months, opt out of the sale of their personal information and/or request the deletion of their personal information. Covered businesses will need to comply with these consumer requests in a timely manner. Businesses that “sell” personal information to third parties will need to honor consumers’ requests to stop such sales by providing a “Do Not Sell My Personal Information” link on their websites.
Data Breach Class Action Litigation: Starting January 1, 2020
The CCPA provides a private right of action and statutory damages against businesses that experience unauthorized disclosure of personal information, where the breach results from the business’s failure to implement and maintain reasonable security procedures and practices. The private right of action applies only to breaches that affect a limited set of personal information protected under California’s breach notification statute, which defines personal information much more narrowly than the CCPA does. The statutory damages range from $100 to $750 per consumer per incident. Prior to initiating litigation, however, a consumer must give the business notice of the breach and 30 days to cure the alleged violation. Although the law does not articulate what such a cure might entail, if the business cures the violation, the consumer cannot pursue statutory damages in the litigation.
CCPA Privacy Violation Litigation: Attempts May Start January 1, 2020
The CCPA does not provide a general private right of action for violations of the CCPA’s privacy requirements (for example, with respect to notice, choice or access requirements). Further, Section 1798.150(c) of the CCPA expressly states that the CCPA should not be interpreted as “a basis for a private right of action under any other law.” Thus, private plaintiffs’ attorneys will likely be foreclosed from bootstrapping CCPA violations into other causes of action such as claims under California’s Unfair Competition Law (UCL). If the history of privacy litigation is any guide, however, this limit on the private right of action will not stop plaintiffs from trying to assert such claims by seeking to expand the limited private right of action the CCPA provides for security breaches.
Cities and Counties Privacy Violation Litigation: Likely to Start January 1, 2020
There is a growing trend nationwide for cities and counties to bring suits against businesses for privacy violations (see, for instance, the City of Chicago’s lawsuit against Marriott International in connection with Marriott’s 2018 data breach). Unlike private plaintiffs, cities and counties likely would not be barred from asserting claims under the UCL that are based on predicate violations of the CCPA. The UCL provides for penalties of up to $2500 per violation.
Larger municipalities such as the Los Angeles City Attorney’s Office, the San Francisco City Attorney’s Office, and the Santa Clara County Counsel’s Office view consumer privacy as a matter of public interest. Earlier this year, the Los Angeles City Attorney’s Office sued a subsidiary of IBM under the UCL, alleging that it deceptively mined the location data of Weather Channel app users and sold the data to advertising and marketing companies.
Although smaller cities and counties may lack the resources necessary to pursue such actions on their own, we expect them to partner with plaintiffs’ attorneys to start bringing claims under the UCL for violations of the CCPA’s privacy requirements. Such collaboration has become a common occurrence. For example, a plaintiffs’ law firm recently announced a $1 billion settlement with PG&E on behalf of 14 public entities in California for losses caused by wildfire claims.
California Attorney General CCPA Enforcement: Starting July 1, 2020
Finally, starting on or shortly before July 1, 2020, the California Attorney General will have the authority to bring enforcement actions against covered businesses for any violation of the CCPA (including retroactively, for violations dating back to January 1, 2020). Civil penalties under the CCPA are up to $2500 per unintentional violation or up to $7500 per intentional violation, assessed on a per-consumer basis. We expect the Attorney General to first focus on egregious violations, consistent with the Attorney General’s commitment to give leeway to businesses that “demonstrate an effort to comply.”
There is no question that robust privacy and regulatory enforcement will accompany the CCPA, but the enforcement is likely to build over time.
Businesses should continue their efforts to bring their privacy practices into compliance with the CCPA, recognizing that the efforts will extend beyond the January 1, 2020 deadline. Businesses should also closely follow market developments as industries begin to take more defined positions on some of the CCPA’s pain points, such as whether the use of third-party cookies and tracking technologies is a “sale”, the extent to which businesses can leverage the CCPA’s business-to-business exemption, and many others.
As July 1, 2020 draws closer, businesses will want to align their privacy practices and CCPA compliance with mainstream (or more conservative) market positions (adjusted to the type and size of the business and the nature of data processing) to be in the middle of the pack from the perspective of private plaintiffs, the Attorney General, and cities and counties. When finalized, the Attorney General’s regulations will offer additional guidance that businesses will need to take into account.
Finally, in light of the powerful private right of action for security breaches, businesses should also continue to improve their cybersecurity practices, aligning them with California’s information security laws and with robust frameworks, such as the NIST Cybersecurity Framework.