The California Consumer Privacy Act of 2018 (“CCPA”) is a California privacy law that gives consumers, defined as natural persons residing in California, affirmative rights with respect to their data privacy. Namely, the CCPA endows consumers with certain rights to access information about and control what a business does with their personal information. (For an in-depth review of the CCPA and further explanation of these rights, please view our previous Privacy Blog post.)
To effectuate these rights, the CCPA requires covered businesses to do the following:
- inform consumers about the categories of personal information collected and the purposes for which the information is being used,
- respond to verifiable consumer requests to access certain information,
- allow consumers to opt-out of the sale of their personal information, and
- enable consumers, subject to several carve-outs, to request that businesses delete their personal information.
Businesses are subject to the CCPA if they are for-profit businesses that collect and control California residents’ personal information, do business in the State of California, and satisfy one of the following:
- have annual gross revenues in excess of $25 million; or
- receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis; or
- derive 50 percent or more of their annual revenues from selling California residents’ personal information.
Businesses who violate the CCPA will be subject to civil enforcement actions by the Attorney General: violating businesses will be subject to an injunction and a civil penalty up to $2,500 for each unintentional violation and $7,500 for each intentional violation.
Although the CCPA becomes operative on January 1, 2020, the California Attorney General may not begin enforcing the CCPA until the earlier of July 1, 2020 or six months after the issuance of final implementing regulations.
Private Right of Action – Data Breaches
The CCPA is considered to be landmark legislation and in addition to the sweeping rights it endows, it gives consumers whose personal information is subject to a data breach the right to sue the business, provided the business failed to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” In the event of a data breach, California law requires businesses to notify California residents whose personal information was subject to the data breach.
To bring an action for statutory damages, the consumer must first notify the business of the alleged violation. The business then has thirty days to cure the violation and provide the consumer with “an express written statement that the violations have been cured and that no further violations shall occur.” In that case, the consumer may not pursue statutory damages. However, the CCPA also acknowledges that curing a violation of this nature may be impossible by providing that the opportunity to cure applies “[i]n the event a cure is possible.” Statutory damages are likely available to consumers even if the breach cannot be cured.
If the business violates the express written statement, then the consumer may sue to enforce the statement and pursue statutory damages for violations of the statement, as well as any post-statement violations of the law.
The statutory remedies available to consumers whose personal information is the subject of a data breach are:
- Damages in the amount of $100-$750 per consumer, per incident
- Injunctive or declaratory relief
- Any other relief the court deems proper
Even if a consumer is not entitled to statutory damages, consumers can bring actions for actual, pecuniary damages, and notice is not required for such actions.
Private Right of Action – Violation of Rights
Senate Bill 561 aimed to expand the CCPA’s private right of action by allowing consumers to sue businesses that violate any of their CCPA rights. SB 561, however, met an abrupt end in the California Senate a few weeks ago, leaving open the question of whether consumers are entitled to relief if their rights have been violated, but not as the result of a data breach.
Some speculate that consumers may bring actions under California’s Unfair Competition Law (“UCL”), which gives consumers the ability to sue businesses that have engaged in unlawful, unfair, or fraudulent acts. Traditionally, the UCL provides a means for Californians to enforce laws that do not provide private rights of actions.
But, the CCPA explicitly provides that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” And, although some argue that the language is not clear enough to demonstrate legislative intent to preclude actions under the UCL, Attorney General Becerra seems to think it is.
In an August 2018 letter to the California Senate, which perhaps precipitated SB 561, the Attorney General opined that the CCPA unlawfully cuts off the UCL’s civil penalty provisions and fails to provide consumers with a private right of action. Still, covered businesses should be prepared to defend against actions by plaintiffs who allege ambiguity in the statutory language and are undeterred by the Attorney General’s sentiments.
The Attorney General has until July 2020 to provide guidance and adopt implementing rules and regulations. Given that consumers appear to be unable to enforce violations of all of their rights under the CCPA, it remains to be seen how the Attorney General will propose to enforce them. We will continue to monitor and report on further developments.