Last year, the California legislature enacted the California Consumer Privacy Act (the “CCPA”), which imposes key data privacy requirements on businesses collecting or storing data about California residents. The CCPA provides for civil penalties imposed by the California Attorney General (“AG”) and creates a private right of action for those residents impacted by a data breach. While the CCPA does not go into effect until January 1, 2020, businesses that will likely be subject to the new law have been busy evaluating compliance measures, as the window between enactment and implementation is quickly closing.
Almost 30 years ago, the federal Telephone Consumer Protection Act (the “TCPA”) was likewise enacted to protect consumers, but when it was passed in 1991 the law was focused on the public concern of the day: telemarketing communications. The amount of litigation, and the number of class actions, under the TCPA has grown exponentially since then, with the U.S. Chamber Institute for Legal Reform reporting a 1,272% increase in TCPA lawsuits from 2010 to 2016.
Now, with increased public focus on data privacy, both the defense and plaintiffs’ bars are preparing for an expected shift to data privacy litigation. The consensus is that the CCPA, as the new kid on the block, is likely to create a wave of litigation and class actions similar to the TCPA.
The current version of the CCPA provides a private cause of action only when a consumer’s “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” One safe harbor is that a consumer seeking only statutory damages must provide a business with 30 days’ written notice of alleged non-compliance, giving the business about a month to cure the violation if possible, before a consumer can bring a claim for individual or class action damages. The same safe harbor does not apply for those consumers seeking actual pecuniary damages, however.
The California legislature has considered proposed amendments to the CCPA attempting to expand the scope of a private claim under the statute even before January’s effective date. In particular, the amendments proposed in SB 561 would have created a private right of action for any consumer whose rights were violated under any provision of the CCPA, essentially allowing private litigation for any breach of the statute. The California AG expressed support for the bill, which also proposed removing the 30-day cure period for the AG’s enforcement and affording the AG the opportunity to publish guidance materials for compliance. The bill was set for hearing May 17, 2019, but the Senate Appropriations Committee chose to hold the bill, meaning it will not pass through the Senate this session. Still, it may not be the last that we hear of SB 561 and other amendments intended to expand the scope of private claims under the CCPA.
Indeed, another pending data privacy bill, AB 1130, was introduced in February and recently amended May 16, 2019. AB 1130 proposes expanding the types of data sets that give rise to data breach litigation to include, inter alia, biometric data and additional identification documents such as passport number and tax identification number. Though the bill seeks to directly amend California Civil Code § 1798.81.5, the data covered in that statute, which predates the CCPA, serves as a guide for the data breaches that trigger a right to a private cause of action under the CCPA.
In its current form, the CCPA, the first statute of its kind in the nation, shares several common threads with the TCPA that will motivate the plaintiffs’ bar to expand its interest from existing consumer protection laws to more nascent data privacy statutes.
First, neither the CCPA nor the TCPA caps total damages, and both allow for statutory damages per incident or per violation. The CCPA provides for consumers to recover the greater of either actual damages or statutory damages of between $100 and $750 per consumer per incident. The TCPA similarly allows plaintiffs to elect to recover the greater of either actual damages or statutory damages of $500 per violation, with a chance for treble damages up to $1,500 per violation. See 47 U.S.C. §§ 227(b)(3), (c)(5). The opportunity for uncapped statutory damages of hundreds of dollars not just per plaintiff but per violation made the TCPA a popular vehicle for class action litigation, and is likely to create the same buzz for plaintiffs and class actions under the CCPA. While data breach litigation has continued to percolate through the courts for several years, the statutory damages provision of the CCPA makes the statute a game-changer in the privacy realm because it does not require proof of actual injury. Other privacy statutes, particularly California’s Confidentiality of Medical Information Act, California Civil Code § 56 et seq., and Illinois’s Biometric Information Privacy Act, 740 ILCS 14, also sparked waves of litigation following their enactments, largely because they allow private claims for statutory damages based on a mere violation, without requiring proof of actual harm or actual damages.
Second, there is ambiguity in the requirements of both the CCPA and the TCPA, which gives plaintiffs leeway to test the limits of potential liability. For instance, the current version of the CCPA allows a private right of action for a business’s failure to maintain “reasonable security procedures and practices appropriate to the nature of the information.” But the statute does not define what is “reasonable,” and the reference to measures based on “the nature of the information” suggests that determining reasonableness will involve fact-specific inquiries into the types of information a business maintains and that business’s particular practices. The California AG’s Data Breach Report dated February 2016 identified the Center for Internet Security’s Critical Security Controls (formerly known as the SANS Top 20) as the minimum level of security that constitutes “reasonable” security procedures and practices. But without a clear standard stated in the statute, the threat of litigation under the CCPA could be costly for a business, with the question of reasonableness potentially requiring litigation to proceed beyond early dispositive motions and into the discovery phase.
Plaintiffs have similarly used ambiguities in undefined terms in the TCPA to spur litigation and to generate favorable settlements and judgments. The D.C. Circuit’s decision in ACA International v. FCC, 885 F.3d 687 (D.C. Cir. 2018), was the culmination of parties’ uncertainty as to terms controlling liability under the TCPA, including what qualifies as an “automatic telephone dialing system” and who is deemed the “called party” that must provide prior express consent to calls. Courts have been split on these threshold issues for years, even after ACA International. The undefined terms in the CCPA will similarly lend themselves to judicial interpretation, leaving plaintiffs free to make creative arguments and requiring courts to define statutory terms as new cases arise.
The countdown to the effective date of the CCPA is on. Given the similarities between the TCPA and the CCPA, companies would be wise to study the rise of TCPA class actions and successful defense tactics as an instructive harbinger before the CCPA takes effect. Though some issues will be unique to the CCPA’s restrictions and requirements, plaintiffs will have similar motivation in bringing CCPA lawsuits, and plaintiffs’ tactics in initiating these suits will likely follow a framework similar to early TCPA litigation.