Does the CCPA include a private right of action?

A private right of action allows individuals to file lawsuits against certain businesses.This enforcement mechanism under the law allows individuals and class actions to potentially collect a high amount of damages resulting from a business’s noncompliance. 

The CCPA: California Consumer Privacy Act is a privacy law focused on providing a number of fundamental privacy rights to individuals, including the right to opt-out of the sale of their personally identifiable information (PII), request the deletion of their collected PII, and request disclosures pertaining to what PII the business has collected. Additionally, the CCPA permits consumers, either individually or as a class action, to file civil suits against businesses under certain circumstances. In general, it is not unprecedented for privacy laws to provide private rights of actions to consumers: insofar as federal privacy legislation is concerned, laws such as the Fair Credit Reporting Act and the Electronic Communications Privacy Act permit consumers to sue noncompliant businesses. 

This article will discuss the following three topics: 

  • What may trigger a private right of action under the CCPA?; 
  • The obligations of both the consumer and business before a private right of action may be initiated; and 
  • Potential damages that may result from CCPA lawsuits. 

What may trigger a private right of action under the CCPA? 

Should a business fail to implement reasonable security procedures, and a consumer’s nonencrypted or nonredacted personal information is subsequently accessed without authorization, or subject to theft or unauthorized disclosure, the consumer may initiate a lawsuit against the business. Unauthorized disclosures could potentially include the sharing of PII with third parties who are not disclosed in the business’s Privacy Policy. Essentially, a breach of a consumer’s PII must occur for the consumer to bring a lawsuit under the CCPA. 

As specified, the breach must involve “nonencrypted” or “nonredacted” personal information, which is defined by California law as the following: 

  • An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: 
    • Social security number;
    • Driver’s license number or any unique state identification number
    • Account number, or a credit or debit card number, in combination with the credentials needed to access the account
    • Medical information
    • Health information 
    • Biometric data

Notably, the CCPA omits any explanation of what constitutes “reasonable security measures” that businesses may undertake to avoid lawsuits. This may be due to significant difficulties plaintiffs face in proving that they suffered actual harm as a result of the data breach, a requirement needed for plaintiffs to establish standing to sue. Asserting that a business failed to take reasonable security measures may be a significantly easier argument for plaintiffs to make. 

Although not explicitly defined in the CCPA, the California Attorney General’s Office has released some guidance pertaining to “reasonable security measures.” Specifically, when referencing reasonable security measures, relevant guidelines have mentioned federal security standards found in both the Health Insurance Portability and Accountability Act and the Gramm Leach Bliley Act as demonstrative. 

The obligations of both the consumer and business before a private right of action may be initiated

Prior to initiating a private right of action under the CCPA, a consumer must furnish 30 days’ written notice to the business. This notice must identify the business’s alleged violations of the CCPA. Within the 30 day period, the business must have the opportunity to “cure” the violation. Essentially, this means that the business has taken proactive steps to correct violations of the law while subsequently verifying that they are now compliant. 

If the violation is subsequently cured, the consumer may not initiate the lawsuit. Businesses that continue to violate the CCPA will be subject to statutory damages for any violations of the specified CCPA provisions within the original notice. 

With respect to these requirements, a number of questions arise. One, how does a consumer accurately identify the specific CCPA violations that have occurred? This may place a significantly high burden on the consumer, especially when considering the fact that the business itself may not be fully aware of the breach nor the security failures that caused the breach. Additionally, it is unclear how a business may sufficiently cure the breach to avoid damages and prove that reasonable security measures have been implemented. As enforcement regulations are released, businesses should expect (or at least hope) for much needed clarification regarding the curing process.  

Potential damages that may result from CCPA lawsuits

Consumers are entitled to either actual or statutory damages, whichever amount is greater. Essentially, “actual damages” can be defined as compensation for loss suffered by the aggrieved party that may be measured under certain circumstances, such as in cases of medical bills or monetary loss under a contract. 

For statutory damages, consumers may receive amounts no less than $100 and no greater than $750 per consumer per incident. For data breaches involving a high amount of customers, the total damages can potentially be quite high. Courts determining the amount of statutory damages to be provided may consider the following factors:

  • The nature and seriousness of the misconduct 
  • The number of violations 
  • The persistence of the busines’s misconduct 
  • How long the misconduct occurred 
  • The willfulness of the business’s misconduct 
  • The businesses assets, liabilities, and net worth 

For businesses required to comply with the CCPA, it is critical that they take steps to comprehensively assess their internal cybersecurity practices. Weaknesses and vulnerabilities with respect to the business’s storage and transfer of PII may result in potentially significant fines and lawsuits under the CCPA. With respect to risk mitigation, firms should consider implementing a data inventory. The risks posed by CCPA suing increase the need for businesses to keep detailed records of how PII is transferred from one point to another, where the PII is being stored, and what employees and/or third parties have access to the PII. 
Pursuant to complying with the CCPA and establishing effective internal security controls, businesses must ensure that their Privacy Policies are fully compliant with the law. Termageddon’s Privacy Policy generator helps keep your business compliant with privacy laws and helps ensure your business avoids significant fines and lawsuits.