Much ink has been spilled over this summer’s passage of the California Consumer Privacy Act (CCPA, or sometimes “CaCPA”), and for good reason: the CCPA bestows many complicated rights upon California consumers, to the chagrin of enterprises that are increasingly beleaguered by privacy legislation foreign and domestic. Given that California’s Attorney General, Xavier Becerra, has stated that his office faces “serious operational challenges” in ramping up its sole enforcement authority over these obligations, much remains to be seen about when and how enforcement will come about.
Not so for the CCPA’s private right of action. It is likely here to stay, no matter what happens with the rest of the CCPA—rain or shine. While Mr. Becerra has acknowledged that his office’s investigation and enforcement capacities are limited, the capacity of the Plaintiffs’ bar is not. As the recent flurry of lawsuits over the California Shine-the-Light Law’s information request provision has shown, consumer attorneys are willing to test businesses even on laws of limited scope and with plentiful safe harbors and defenses. Imagine what they have planned for the CCPA.
A. The private right of action
The law’s new allowance for statutory damages resulting from data breaches—regardless of actual damages—seeks to end the decade-long debate in California courts over what constitutes actual injury when a data breach has occurred but no actual fraud or financial injury has been suffered. With the legislative declaration that companies should pay for “unreasonable” security incidents even if no harm is inflicted on consumers, lawmakers have cleared a major early-litigation hurdle for plaintiffs.
However, the law as currently written offers several protections and open questions to shelter businesses who are trying to reasonably comply with the CCPA. First, businesses have a 30-day right to “cure” alleged violations. This safe harbor is in line with the cure period permitted for the CCPA’s other key requirements, and will provide businesses with advance notice of claims and the ability to engage claimants before the litigation advances. Of course, because of ambiguity in the statute as drafted, it remains unclear what an “actual cure” of an alleged data breach would look like—is it complete containment, apprehension of the bad actors by law enforcement, reasonable mitigation, notification of impacted consumers, or something else? Litigants can expect to wrestle with these questions at the early stages of a CCPA lawsuit, in which plaintiffs will seek to bolster their complaints with allegations that no cure was provided.
Second, the CCPA departs from previous data breach statutes by introducing a duty of care. California’s existing breach notification law requires notification where unencrypted personal information is “acquired by an unauthorized person.” The CCPA, by contrast, makes alleged data breaches actionable only if the business has violated “reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a)(1). This language echoes the security standards currently required under California’s Customer Records Act as amended in 2014. While this protection may not meaningfully deter the filing of private actions, as litigants will argue that any breach is the result of “unreasonable” practices, it will equip businesses with a powerful ultimate defense to liability.
Notably, “reasonable” security programs are difficult to define, as demonstrated by this year’s LabMD ruling. See LabMD, Inc. v. F.T.C., 894 F.3d 1221 (11th Cir. 2018). In that opinion, the Eleventh Circuit found that an FTC cease and desist order was unenforceable because the “reasonableness” standard that it required for LabMD’s data security benchmarks was too ambiguous. The FTC’s order contained no prohibitions or instructions. Instead, it improperly commanded LabMD to, as the court put it, “overhaul and replace its data-security program to meet an indeterminable standard of reasonableness.” But see F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) (finding alleged failure to maintain reasonable and appropriate data security could constitute “unfair” conduct under FTC Act). Given that the CCPA includes a nearly identical command—observing “reasonable security procedures and practices”—real questions exist as to what that standard might mean, and by extension, which types of data security incidents give rise to an actionable claim.
B. Open questions
Several open questions exist. Last month, Mr. Becerra asked the state legislature to shift his office’s regulatory oversight to private litigants by extending the private right of action to the CCPA’s other requirements, which include the rights to delete information and to opt out of data sales. This proposal would bring the CCPA closer to its ballot initiative predecessor, which proposed private enforcement mechanisms for all of its provisions. Indeed, the legislature originally contemplated a broader private right of action, as reflected by, for instance, the more logical application of the right to cure to other CCPA provisions, such as consumers’ opt-out rights.
Another open question: Can plaintiffs’ attorneys use existing California consumer laws to make an end-run around the CCPA’s ban on private rights of action for its other provisions? The Plaintiffs’ bar is almost certain to argue that the “unlawful acts and practices” ban under California’s amorphous Unfair Competition Law, California Business Code § 17200 et seq. (“UCL”), enables a private right of action for underlying CCPA violations beyond its data breach provision.
Consumer litigants are likely to point to the decades of case law in which California courts liberally permit consumers to predicate UCL violations on any number of laws, including those that do not explicitly provide a right of action. This is because it has long been held that, by proscribing “any unlawful” business practice, the UCL “borrows” violations of other laws and treats them as unlawful practices that the UCL makes independently actionable. Cel-Tech Communications, Inc. v. Los Angeles Cellular Telephone Co., 20 Cal. 4th 163, 180 (1999). For instance, the California Supreme Court has permitted, under certain conditions, a UCL claim based upon a federal law that had been amended to remove its private right of action. See Rose v. Bank of America, 57 Cal. 4th 393 (2013).
However, plaintiffs should ultimately be unsuccessful in this argument. The statute explicitly states that “[n]othing in this act shall be interpreted to serve as the basis for a private right of action under any other law.” Cal. Civ. Code § 1798.150(c). Three recent decisions suggest that this key saving language will protect CCPA-governed businesses against UCL claims. In Zhang and Rose, the California Supreme Court upheld “the proposition that a plaintiff may not employ the UCL to ‘plead around’ a legislative determination foreclosing private enforcement of another statute” as “valid as far as it goes.” Rose, 57 Cal. 4th at 397; see also Zhang v. Superior Court, 57 Cal. 4th 367, 388 (2013) (upholding “the proposition that a UCL cause of action will not lie to enforce violation of a particular statute only if the Legislature affirmatively intended to preclude such indirect enforcement”) (emphasis added). While the Court noted that it was “not enough” if a statute “simply failed” to provide for a right of action, that is not the case with the CCPA due to its saving language. Zhang, 57 Cal. 4th at 388.
The Ninth Circuit has concurred with this view of the California Supreme Court precedent. Just last year, the Ninth Circuit found, summarizing these opinions, that “[t]he California Supreme Court has held that private UCL claims are barred only when the underlying statute either actually bars private rights of action or provides a ‘safe harbor’ that renders the alleged conduct lawful.” Walker v. Life Ins. Co. of the Southwest, 681 Fed. Appx. 599 (9th Cir. 2017). Because the CCPA has barred private rights of action for all matters beyond its data breach provision, an enterprising plaintiff should be unable to maintain a UCL claim based upon the CCPA’s non-breach requirements.
Notably, the statute is somewhat in flux. Already, the California legislature has passed SB 1121, which amends the CCPA with several substantive and “technical and clarifying changes.” Several of these changes are relevant to the above analysis. First, in response to Mr. Becerra’s request, the amendment pushes back the January 1, 2020 enforcement deadline to the sooner of July 1, 2010 or six months after his office publishes final regulations pursuant to the law. Notably, other provisions remain effective on January 1, 2010, including the existing private right of action. Second, SB 1121 removes the Attorney General’s so-called “gatekeeping” authority to instruct private litigants not to pursue a data breach action. Third, the law fixes several prior ambiguities and inconsistencies, including specifying that (i) the Attorney General’s available civil penalties are $2,500 per violation or $7,500 for each intentional violation; (ii) the full reach of the HIPAA and CMIA exemption—which applies to the data, not the covered entities—extends to PHI processed by business associates; and (iii) the law’s listing of the categories of “personal information” covered by the CCPA is not prescriptive, but instead illustrative of information that “is capable of being associated with” a consumer or an individual.
The CCPA remains a moving target. Industry interests and consumer rights groups have already joined Mr. Becerra in advocating for changes in all directions. But at this moment, businesses can take little comfort that plaintiff-driven privacy lawsuits will remain at current levels. The lawsuits are coming, rain or shine.
Donna Wilson is the Managing Partner-Elect of Manatt, Phelps & Phillips, LLP, and also chair of the firm’s privacy and data security practice. Brandon Reilly is an associate at the firm.
The views expressed in this article are those of the authors and not necessarily those of Manatt or of Bloomberg Law.