Beginning on January 1, 2020, Californians will enter a new age of privacy rights with the enactment of the California Consumer Privacy Act (“CCPA” or “the Act”). Following the infamous Cambridge Analytica hack and subsequent public outrage, lawmakers in California moved quickly to protect consumers’ personal information and hold responsible businesses liable. The Act grants consumers the ability to request that a business disclose what, if any, personal information the business keeps about the consumer. Additionally, the CCPA requires a business to delete a consumer’s unique identifiers upon request and create a “do-not-sell-my-information” register on the homepage of its website. Finally, the Act requires affirmative consent from individuals 16 and younger if businesses wish to share their personal information, changing their standard to “opt-in.”
The CCPA broadly interprets the term “personal information” as any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” By establishing such an inclusive definition, the California legislature affords the Office of the Attorney General a large degree of freedom in prosecuting businesses in violation of the CCPA. The Attorney General will also be responsible for promulgating any additional administrative regulations by July 1, 2020. Under the Act, the Attorney General can levy a civil fine of $2,500 for each negligent violation and $7,500 for each intentional violation.
Another important provision of the CCPA is that, in addition to the powers it grants the Attorney General, the Act allows consumers to bring a private action. Specifically, consumers can initiate a lawsuit, on an individual or class-wide basis, in connection with a business’s failure to reasonably prevent the unauthorized access, theft, or disclosure of a consumer’s personal information. Consumers can pursue relief for actual damages suffered as a result of violations of the law, or statutory damages ranging from $100 to $750 per violation, whichever is greater. Moreover, the CCPA allows for injunctive or declaratory relief and any other relief the court deems proper. Importantly, the Act will nullify any previous waiver of a consumer’s rights, allowing these lawsuits to proceed in court.
Moving forward, a number of potential roadblocks have been raised with respect to the enforcement of the Act. The Attorney General of California, Xavier Becerra, explained in a September 2019 letter to lawmakers that he does not believe his office currently has the resources necessary to forcefully prosecute the number of legitimate claims it will likely receive. Furthermore, as the CCPA takes effect in January, questions about the Act’s specific language remain open to interpretation. The CCPA does not define what “reasonable” security measures a business must take in order to prevent data breaches. The Act also does not explain what steps a business must take to correct a data breach once it has already occurred.
In that same vein, the Act has numerous detractors seeking to weaken it. For example, the airline industry has already foreshadowed a potential appellate battle, stating it only needs to comply with federal, not state, regulations determined by the FAA. Other corporate lawyers have argued for exemptions for their companies’ own employees and contractors. Beyond California, advocates of the Act believe it will create a baseline of rights for all consumers, in that companies will likely find it too costly to differentiate between California residents and non-Californians. Other states have picked sides, with a handful of states introducing similar versions of the CCPA in their respective legislatures.
Updates to this blog will be provided as courts begin to interpret the CCPA and determine its consequences for California and, potentially, the rest of the country.
The legal team at Shepherd, Finkelman, Miller & Shah, LLP (“SFMS”) has significant experience litigating class action matters. If you have any questions regarding this subject or this posting, please contact John Roberts (email@example.com) or Alec Berin (firstname.lastname@example.org). We can also be reached toll-free at 866-540-5505.