May 28, 2020 - We have received multiple reports that plaintiffs’ lawyers and litigation funders are investigating class action lawsuits against companies that have not fully complied with the California Consumer Privacy Act (CCPA).  In addition, the California Attorney General is poised to sue companies for non-compliance once the CCPA’s enforcement and penalty provisions become effective on July 1, 2020.  The second half of 2020 promises to be an active period of CCPA litigation and enforcement, and companies need to act now to put themselves in full compliance with the Act. 

The CCPA imposes a wide range of requirements regarding data privacy, access and security.  Enforcement tools include regulatory fines of $2,500 for each violation of the law and $7,500 for each intentional violation.  The Act also provides consumers with a private right of action.  The CCPA grants “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices” the right to bring a civil action to recover damages.  Cal. Civil Code § 1798.150.  Under the Act, a consumer may seek statutory damages of $100 to $750 per incident or actual damages, whichever is greater.  Id.

Plaintiffs’ lawyers have already filed class actions on behalf of consumers seeking monetary damages for alleged noncompliance, bringing adverse publicity and regulatory scrutiny to companies such as Zoom.  While the statutory language may lead companies to believe that private lawsuits must involve a data breach, plaintiffs’ lawyers are being far more creative.  Any data disclosure appears to be fair game, as long as the consumer has not had notice and an opportunity to opt out of the disclosure.  In addition to creative theories that will have to be tested in the notoriously unpredictable California courts, plaintiffs’ lawyers will be seeking to recover significant damages and attorneys’ fees.  Because each consumer may allege multiple incidents—for example, a separate incident each time a consumer accesses an insecure website—potential damages in class actions can quickly mount, serving as a powerful incentive for plaintiffs’ firms eager to capitalize on weaknesses in companies’ CCPA compliance. 

The CCPA is the strongest data protection law in the United States.  It broadly expands the privacy rights of California consumers, and requires companies to be significantly more transparent about how they collect, use and disclose consumers’ personal information.  The law applies to any company that operates in California and either generates $25 million or more in annual revenues; gathers data on more than 50,000 users; or earns more than half its revenue from the use of that data.  Because the law provides users with rights of data access, they are entitled to see what data companies have compiled about them and how it is shared; they are also entitled to have that data deleted, and, in most instances, to prevent companies from sharing it with third parties.  The CCPA requires various forms of notice to consumers, and specifies the procedures for handling requests by consumers regarding their data.

The Office of the California Attorney General has issued proposed regulations; the most recent revisions to the proposed regulations were issued on March 11.  For the regulations to become effective on July 1 (when the statutory enforcement and penalty provisions will take effect), the proposed regulations must be finalized and filed with the Secretary of State by May 29.  But regardless of the date when the regulations are finalized and take effect, the Attorney General has stated publicly that enforcement of the statute will begin on July 1.  More to the point: private litigation has already begun, and is expected to increase substantially in volume.  The availability of statutory damages in class action litigation–completely without regard to whether plaintiffs incurred significant damages, or any damages at all–can present enormous financial risk for any company whose CCPA compliance is called into question.  In order to minimize the risk of expensive and potentially high-profile litigation, companies subject to the CCPA should take every step to ensure that they have implemented a sound compliance policy and defensible procedures; that their policy and procedures are carefully documented; and that they are vigilant in staying in compliance.