Now that the California Consumer Privacy Act is in effect, it is imperative to consider the potential litigation risks that many companies are likely to face as a result of the new law. While many commentators have analyzed the CCPA’s express private right of action for data breaches that occur in the absence of reasonable security measures, it’s important to note that class litigation may be used in an attempt to privately enforce the other aspects of the law.
In particular, certain members of the plaintiffs’ bar have publicly disclosed that they may attempt to assert class action claims notwithstanding the CCPA’s efforts to limit new private rights of action. While these attempts should ultimately fail based on a fair reading of the CCPA and legislative intent, as well as other obstacles, the risk remains that some companies will find themselves forced to defend claims testing the law’s outer bounds until the courts have a chance to weigh in on how the law should be applied and interpreted.
The private right of action
CCPA Section 1798.150(a)(1) creates a private right of action for any unauthorized disclosure of “personal information” that results from a business’s “violation of the duty to implement and maintain reasonable security procedures and practices” for protecting such information. The CCPA states that its provisions cannot otherwise “serve as the basis for a private right of action under any other law.” Civ. Code § 1798.150(c).
And the legislative history supports a plain reading of this text.
Therefore, the language should bar a litigant from bringing a private suit under a law other than the CCPA against a business for allegedly failing to “implement and maintain reasonable security procedures and practices.” That said, other provisions, including sections 1798.145(l), 1798.175, and 1798.196, evidence a legislative intent to supplement, rather than to override or curtail, existing state law. These circumstances may lead plaintiffs to argue that so long as they assert private rights of action with an accepted common law or statutory “basis” (e.g., a claim for breach of contract or for violation of the Unfair Competition Law), they may rely on the CCPA’s substantive obligations to familiar class-action claims based on the alleged mishandling of consumer information.
The CCPA’s use of the phrase “reasonable security procedures and practices” reflects the law’s codification of a duty of care for a business’s handling of California consumer information. However, no definition has been provided for the reasonable standard. The question is therefore whether the compliance provisions in the law can be construed as California’s new standard of reasonable care such that a failure to comply with this statutory obligation can amount to negligent practices.
Ultimately, litigation may be necessary to define the reasonableness standard, which would allow experts in the industry to opine and potentially provide courts with a workable definition. Nevertheless, courts should reject an invitation to embrace a “negligence per se”-type argument, as such a theory would clearly be using the CCPA as the “basis” for a private right of action under a different law, which is contrary to section 1798.150(c). Moreover, from a practical standpoint, even if plaintiffs relied upon the CCPA to supply the “duty” and “breach” elements negligence claims, they would still face the substantial hurdles of proving proximate causation and damages, which are the primary bases on which courts tend to dismiss such causes of action.
A natural reading of Section 1798.150(c) suggests that it was intended to prevent plaintiffs from using the CCPA’s compliance provisions as the basis for an individual or class suit alleging “unlawful business practices” under California Unfair Competition Law. Instead, primary enforcement authority for the CCPA (other than data breach claims discussed above) lies with the California Attorney General.
However, plaintiffs have filed UCL claims using statutes with language similar (though not identical to) that found in the CCPA, arguing that the absence of an express reference to the UCL should be interpreted as an intent to preserve such private rights of action. Indeed, in some of those instances courts have declined to dismiss the claims outright. Lobbying efforts to amend the CCPA to specifically mention the UCL in section 1798.150(c) arguably imply an ambiguity in the existing language. Ultimately, however, because allowing UCL claims to proceed for substantive violations of the CCPA would undermine the California legislature’s balance of public versus private enforcement, courts should reject such claims. But that logic does not appear to have stopped plaintiff’s attorneys from trying – just this month, a data breach class action was filed (hps://www.complianceweek.com/download?ac=10703) in California’s Northern District asserting a UCL claim based on alleged failures to comply with the CCPA’s data protection and data breach disclosure requirements.
The CCPA requires that in some circumstances consumers must be given the option to restrict a business from selling their data to third parties. Consumers may argue that this “opting out” of data sales amounts to an express warranty or other legally binding promise which could supply the basis of a possible breach of contract claim.
Plaintiffs might then also argue that the breach could form a separate basis for an unfair, unlawful or fraudulent business practice under the UCL. But as with potential CCPA-based negligence claims, this theory of liability should be barred under 1798.150(c), and plaintiffs would likely encounter great difficulty proving that they suffered actual damages as a result of the sale of their data to third parties, which would be required in order to bring such a claim.
The CCPA permits companies to provide different services to consumers that consent to the sale of their personal information. Section 1798.125(a)(2) provides that “[nothing] … prevents a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to consumers, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.” This option forces the business to assign a value to the exchange of personal information for services if it adopts the distinction.
In addition, the regulations provide specific methods for assessing the value attributable to each individual’s personal information. These provisions directly undercut prior case law in which the courts have held that personal information has no property value for individuals, only for corporate entities or government bodies, because previously no marketplace existed to buy and sell general personal information. Thus, while plaintiffs may attempt to develop these valuation concepts into novel legal claims, they will face an uphill bale in asking courts to overrule existing precedent.
The CCPA contains a provision that on its face appears to prohibit the use of arbitration clauses with class-action waivers as a means to limit class-action claims. This may result in some additional challenges to consumer arbitration in the state. However, the U.S. Supreme Court has confirmed that similar state law prohibitions against arbitration clauses are superseded by the Federal Arbitration Act, where the FAA applies. We therefore believe that consumer arbitration clauses with class-action waivers will still be enforceable in this context, so long as drafted properly and with sufficient notice to the consumers. Given the uncertainty associated with the ultimate impact of these potential new legal theories, we recommend that in addition to ensuring that businesses make every effort to comply with the law – including updating privacy notices, posting the requisite opt-out button (or opt-in for minors) on the site, and setting up procedures and protocols for monitoring, collecting and responding to consumer requests and notices –they also closely monitor lawsuits filed in California (and elsewhere) asserting liability in connection with the CCPA.