Companies Face Steep Litigation Risks Under California's New Privacy Law
The California Consumer Privacy Act has put businesses at substantial risk of data breach litigation and litigation from technical noncompliance.
On January 1, 2020, the California Consumer Privacy Act ("CCPA") went into effect. The new law provides consumers with new rights over how businesses collect and handle their personal information. The CCPA also has created substantial litigation risk for businesses.
Data Breach Litigation
The CCPA has a private right of action for data breaches, without any express causation requirement. If a business had inadequate data security, plaintiffs can recover statutory damages between $100 and $750 "per consumer per incident or actual damages, whichever is greater." Thus, a data breach affecting 50,000 California residents has a potential exposure of $37.5 million.
Litigation From Technical Noncompliance
Businesses also face litigation risk from technical noncompliance with the CCPA. Although the CCPA does not have a private right of action for noncompliance claims, plaintiffs will likely enforce noncompliance through class actions under the "unlawful" prong of California's Unfair Competition Law (Business & Professions Code, Section 17200) ("UCL"). The UCL law "borrows" technical violations of other laws and treats them as unfair business practices. It also allows for restitution and injunctive relief. Courts also have awarded prevailing plaintiff attorney's fees in UCL class actions.
Additionally, businesses face class action risk for violations of the CCPA under common law theories, such as negligence or invasion of privacy. For example, the CCPA has provisions governing the sale of consumer data (the "do not sell" provisions). A violation of that provision could trigger class litigation under the theory that the breach of this statutory duty gives rise to a cause of action for negligence per se, with economic damages based upon the loss of value of that personal data.
Insurance for Litigation Risk
Given the anticipated litigation arising out of the CCPA, it is critical that companies review their cyber insurance policies to determine whether they adequately cover CCPA claims.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.