The California Consumer Privacy Act (CCPA), as written, allows consumers to have a private right of action when their non-encrypted and nonredacted information is stolen (see Section 1798.150). What is one of the best ways to avoid litigation? Readiness.
According to a recent survey from the Carlton Fields Class Action Survey of corporate general counsel and senior legal officers, the next wave of class action lawsuits will be the result of massive data breaches. The survey also indicates that the CCPA is of particular concern. While privacy remains a hotly debated subject in the U.S., the survey results do show that corporate counsel predicts an increase in privacy class action filings. In its press release announcing the survey results, Carlton Fields said, “while most companies have not yet faced a data privacy class action, survey results show that they predict these cases as the next wave. The percentage of companies making such a prediction nearly doubled from last year’s survey, increasing from 28.9% to 54.3%.
What does “readiness” entail? Readiness includes but is not limited to, building a compliance program with action plans to address and limit the impact of a personal information incident/breach and preparing for the cost of litigation including class action exposure.
Additionally, organizations should begin to document steps taken to become CCPA compliant as this will demonstrate that a company was not negligent with data in the event of an incident/breach. Courts apply the “reasonable” standard to determine whether or not a company acted reasonably in terms of securing data, and acted reasonably upon discovery of the incident/breach.
Under the CCPA regulations as written, the Attorney General is obligated to answer questions regarding CCPA (see Rulemaking Activity). S.B. 561 would have changed this requirement authorizing the Attorney General to publish materials providing businesses with general guidance on how to comply with the law. However, since S.B. 561 is on hold in committee and likely will be blocked, the general guidance portended to be more robust than the obligation to answer questions from Rulemaking Activity has been stalled with the impact being increased risk exposure and litigation.
The CCPA will be the first significant privacy regulation in the U.S. that gives a large swath of consumers the ability to sue companies for data breaches. The statutory damage — between $100 and $750 per violation, whichever is greater (see Id. § 1798.150(a)(1)(B)-(C)) — is considerable because it will likely provoke an increase in class action litigation. In sum, companies should adopt “reasonable” practices now to be well-suited for an unreasonable suit or litigation.