As explained in detail in our initial advisory of July 3, 2018, the California Senate and Assembly unanimously approved the California Consumer Privacy Act (CCPA) on June 27, 2018 (AB 375), and Governor Jerry Brown signed it into law the next day. The California legislature moved quickly to enact the CCPA to avoid the passage of an even more stringent law that would appear on the November ballot.
The CCPA gives consumers the right to know what sort of information companies are collecting from them, what the purpose of collecting that information is, and with whom the companies are sharing that information. Consumers have the ability to tell companies to delete their personal information, and not to share or sell the information, and the companies are not obligated to treat the consumers any differently as a result of their decision to opt out. Under the CCPA as it currently reads, companies and employers who are subject to the law must be ready to comply by January 1, 2020.
The CCPA’s Private Right of Action
As drafted, the CCPA includes a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” A consumer who is subject to such a breach may institute a civil action to recover damages “in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater; injunctive relief or declaratory relief; [or] any other relief the court deems proper.” In assessing the statutory damages amount, the court “shall consider” any one or more of the relevant circumstances presented by any of the parties to the case, including: “the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.”
A consumer may bring a lawsuit under the Act’s private right of action if he or she is able to meet certain requirements. Before initiating any lawsuit against a business for statutory damages on either an individual or classwide basis, a consumer must provide that business with 30 days’ written notice identifying the specific provisions of the CCPA that the consumer alleges have been or are being violated. If the business is able to cure the alleged violation and provides the consumer with notice that it has done so and that it will not continue to violate the CCPA, the consumer cannot initiate a lawsuit against that business seeking statutory damages. If a business continues to violate the CCPA in breach of the express written statement provided to the consumer, however, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the Act that postdates the written statement. If the consumer intends to bring an action for actual pecuniary damages only, no notice is required.
Upon receiving notice from an individual consumer about their intent to bring a lawsuit under the CCPA’s private right of action, the attorney general can do one of three things, all within 30 days. The attorney general’s office can notify the consumer that the attorney general intends to prosecute the action instead, and if the attorney general fails to prosecute within six months, the consumer may proceed. Or the attorney general can simply do nothing within the 30-day deadline, allowing the consumer to proceed under the private right of action. The attorney general may also notify the consumer intending to bring the action that he or she shall not proceed with it.
Developments After Enactment
The proposed “cleanup” bill: Senate Bill 1121
On August 6, 2018, a proposed “cleanup” bill, Senate Bill 1121, was introduced by Senator Bill Dodd, with the goal of tackling various technical corrections to the CCPA. The proposed new language deletes the requirement that a consumer bringing a private right of action notify the attorney general, and the bill would limit the civil penalty to be assessed in an attorney general action to not more than $2,500 per violation or $7,500 per each intentional violation. The bill would also revise the timelines and requirements for the promulgation of regulations by the attorney general in connection with the Act.
Various business groups propose changes
Also on August 6, 2018, more than three dozen business groups from the tech, retail, health, banking, and other sectors drafted a letter to California lawmakers aimed at making various “technical” changes to the CCPA to address some of the more substantive aspects of the statute and to extend the compliance deadline. These proposed amendments go further than Senator Dodd’s proposed cleanup bill. In the letter, the groups asked for the compliance deadline to be extended and for the definition of “personal information” under the CCPA to be narrowed. Currently, the definition of personal information is information that is “associated with an individual,” but the business groups feel that this is too attenuated to have any meaning. Instead, the business groups suggest that the definition of “personal information” should be linked or reasonably linked to the individual and that the information “is obtained as a result of the consumer’s purchase or use of a product or service for personal, family, or household purposes.”
Consumer groups respond
On August 13, a coalition of approximately 20 various consumer advocacy groups sent a letter to the authors of AB 375, saying that they should stay the course with the technical cleanup proposed by Senator Dodd and that the “sky is not falling.” The crux of the consumer groups’ argument is that the business groups’ suggestions would water down the Act and would strip the CCPA of its intended safeguards. Instead, the California legislature should avoid making the “sweeping changes” proposed by the business groups.
Attorney General Xavier Becerra weighs in
On August 22, 2018, Attorney General Xavier Becerra chimed in with a letter addressed to the CCPA’s sponsors, Assemblyman Ed Chau and Senator Robert Hertzberg. In the letter, the Becerra sets out his five issues with the CCPA. Becerra takes issue with the provision limiting the right of consumers to sue when there has been a data breach that involved their personal information, arguing that this private right of action is too narrow. He proposes that the private right of action should allow consumers to seek legal remedies for themselves to protect their own privacy, instead of the “limited right to sue” they are afforded under the CCPA only if they become a victim of a data breach. Becerra cautions that this limited private right of action will increase his need for enforcement resources. Where the line is ultimately drawn will be informative as business and employers prepare to respond to the enactment of the CCPA and begin to understand the parameters of lawsuits brought by individuals.
Becerra also pushes lawmakers to remove the “unnecessary requirement” that private plaintiffs notify the attorney general before filing data-breach-related claims under the law because the requirement would foster “unnecessary personnel and administrative costs” for the attorney general’s office and “has no purpose as the courts not the Attorney General decide the merits of private lawsuits” and private litigation has no bearing on an attorney general’s enforcement authority.
Becerra’s third criticism was the section of the CCPA requiring the attorney general to provide opinions and warnings to “any business or third party” and to provide them with any opportunity to cure deficiencies before they could be held accountable for statutory violations. This requirement, according to the attorney general, would require his office to use public funds to provide “unlimited legal advice” to a private party that asked for it. He also argued this could create a conflict of interest by using taxpayer money to provide alleged violators of the CCPA with legal counsel but leaving the victims of the privacy violation on their own.
Finally, the letter proposed corrective language for the CCPA’s civil penalty provision and took issue with the provision providing the attorney general’s office with one year to conduct rulemaking for this newly established body of law, but failing to provide it with any resources to carry out the rulemaking, and thus must be provided with more time.
Can plaintiffs use California Bus. & Prof. Code Section 17200’s “unlawful” prong as an end-run around the narrow private right of action under the CCPA?
Subsection (c) of Section 1798.150 provides that nothing in the Act “shall be interpreted to serve as the basis for a private right of action under any other law.” The question then becomes whether the California legislature intended to prevent litigants from pursing redress for a business’s violation of the CCPA under California Business and Professions Code Section 17200, also known as California’s Unfair Competition Law (UCL). The UCL permits any person, acting for the interests of itself, its members, or the general public, to initiate an action for restitutionary and/or injunctive relief against a person or business entity who has engaged in “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising.”
One could argue that the limiting language in the text of the CCPA itself, as well as the letter from the attorney general asking for a broader private right of action, means that the California legislature intended to prohibit private plaintiffs from seeking redress for alleged violations of the CCPA for which there is not a private right of action under the UCL, but at present, it is not explicitly clear based on the wording of the statute that that was the intention. If private plaintiffs are ultimately able to use the UCL’s unlawful prong in this manner, this will effectively serve to create a private right of action, and the industry can expect significantly more lawsuits as a result.
Passage of SB 1121
On Friday, August 31, the legislature passed SB 1121. Assuming Governor Jerry Brown signs the bill into law by September 30, the revised bill will delay enforcement of the CCPA by the attorney general and remove the requirements for individuals to notify the attorney general’s office before filing their lawsuits. SB 1121 also prevents the state regulator from enforcing the CCPA until the sooner of July 1, 2020, or six months after the publication of the regulations. This change now no longer allows the attorney general to prevent a private plaintiff’s case from going forward if the attorney general decides to prosecute instead. This change essentially streamlines a private plaintiff’s path to litigation without having to seek approval (or wait 30 days) from the attorney general’s office. Further, SB 1121 addresses the business groups’ concern about the definition of “personal information” by including that data must be “reasonably linked, directly or indirectly, with a particular consumer or household.”
What the CCPA will ultimately look like when it is ultimately enacted continues to be somewhat of a moving target, and the California legislature is expected to make more substantive changes to the law. As we continue to monitor the input from business and consumer groups as well as the attorney general’s office, it is becoming increasingly clear that the private right of action portends an onslaught of consumer privacy lawsuits, especially if the ultimate version adopts the attorney general’s proposed expansive revision of what falls under the private right of action.