Tuesday, October 6, 2020


My last post discussed the California Consumer Privacy Act (CCPA), the importance of getting ready
for enforcement by the California Attorney General beginning last July 1, and the likelihood of lawsuits under the CCPA’s “first of its kind” private right of action.

We have not yet seen any government enforcement actions by the California Attorney General’s Office, but warning notices have apparently been sent to businesses alleging violations of the CCPA. While the content of these notices is confidential, Stacey Schesser, California’s supervising deputy AG, shared some information at an International Association of Privacy Professionals event in July. According to Schesser, the letters mainly targeted businesses that were missing key privacy disclosures (such as a “Do Not Sell” link) on their websites or weren’t properly responding to consumer rights requests, including those relating to the right of access or deletion. The CCPA allows a business 30 days to cure its violation before the AG takes any action.

While waiting for government enforcement actions, we have seen at least 34 class actions filed under the CCPA, including one against Walmart. The retail giant was allegedly hacked, resulting in credit card information of Walmart customers being sold on the dark web where criminals and fraudsters operate with relative impunity.

The CCPA made California the first state to give residents a statutory right to sue over data breaches and recover statutory damages without proving individual harm. The CCPA private right of action represents a new and powerful tool for plaintiffs. As predicted, this private right of action, coupled with statutory damages, has opened the floodgates to litigation and potentially large settlements.

No longer can a business be complacent about data privacy and security compliance, under the assumption that government enforcement actions are not likely to occur.

Under the CCPA private right of action (Civil Code section 1798.150), a company whose failure to implement and maintain reasonable security procedures results in a breach of nonencrypted and nonredacted personal information faces statutory damages of $100 to $750 “per consumer per incident” or actual damages, whichever is greater. Because the damages are set by statute, there is no need to demonstrate harm to individuals (which has always been an impediment to data privacy litigation). Three caveats matter in practice: the consumer must give the business 30 days’ written notice and an opportunity to cure before suing for statutory damages; the right of action covers a narrower category of personal information than the rest of the CCPA (roughly, a name combined with identifiers such as a Social Security, driver’s license, or financial account number); and it does not reach breaches of data that was encrypted or redacted, which makes encryption of stored personal information one of the most direct ways to limit exposure. Multiply $750 by the thousands of potential class members whose data may have been compromised in a single breach and you can see why the CCPA is truly a game changer in data privacy and a security risk for businesses that collect and store personal data of California residents.

Here We Go Again

The folks responsible for the CCPA are now bringing us a new ballot initiative that further expands the data privacy rights of California residents. This Nov. 3, Californians will likely pass the California Privacy Rights Act (CPRA, Proposition 24), which includes:

  • New data privacy rights for California consumers to be added to the CCPA, including the right to correct their data, to control the use of their sensitive personal information, and to opt out of precise geolocation targeting.
  • A requirement that businesses minimize the amount of data they collect. 
  • A new option for consumers to opt out of the sale of their data through their browsers. 
  • A new agency (the California Privacy Protection Agency) vested with full administrative power, authority, and jurisdiction to implement and enforce the privacy law. This agency will have a $10 million annual budget and become the primary enforcer of privacy rights. It will have authority to investigate possible violations of the CPRA brought to its attention by any person’s sworn complaint or its own initiative and to issue fines of up to $2,500 per violation and up to $7,500 per intentional violation.

This new agency, whose sole purpose is to enforce privacy laws in California, will likely result in a dramatic increase in government enforcement actions, particularly because the CPRA also eliminates the mandatory 30-day cure period that the CCPA currently gives businesses before the Attorney General can act.

If passed on Nov. 3, most CPRA provisions become operative Jan. 1, 2023, with agency and Attorney General enforcement beginning July 1, 2023, and those provisions apply to personal information collected on or after Jan. 1, 2022.

Practical and Important Steps to Mitigate Risk under CCPA and CPRA 

  • Review your website privacy policies and update as necessary to comply with CCPA and the CPRA.
  • Operationalize your process for verifying and responding to consumer rights requests, consistent with the CCPA regulations that were finalized in August 2020.
  • Reduce the large volume of data that may be stored on network servers and no longer necessary for any business purpose.
  • Implement reasonable data security so you are prepared to defend against CCPA lawsuits. 
  • Have a written information security program and a written incident response plan. Such written policies may be demanded in discovery in any CCPA-based litigation and, if actually followed, help show that reasonable security was in place and can keep your business from becoming the next big headline in a CCPA lawsuit. Conversely, the absence of such written policies may serve as evidence of a failure to implement reasonable data security and result in significant monetary damages.

Finally, while the CCPA and CPRA have focused our attention on California, we may soon see other states, and possibly the federal government, adding similarly stringent data privacy laws. 

Be mindful of such legislative changes in this ever-evolving legal landscape.
