While it remains to be seen what the final text of the California Consumer Privacy Act (CCPA) looks like when it is ultimately implemented on January 1, 2020, at present it seems likely that businesses and employers can expect an influx of lawsuits from individual consumers proceeding under the CCPA’s private right of action. Under the current version of the CCPA, the Act provides a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to the protect the personal information.” In order for an individual consumer to proceed under the Act’s private right of action seeking statutory damages on either an individual or classwide basis, the consumer must provide the business with 30 days’ written notice identifying the specific provisions of the CCPA they are alleged to have violated. The business then has an equal amount of time to attempt to cure the alleged violation.
On August 22, 2018, Attorney General Xavier Becerra sent a letter to the CCPA’s sponsors, setting out his concerns with the CCPA as drafted. Among those concerns was that the private right of action is too narrow – he argues that the private right of action should allow consumers to seek legal remedies for themselves to protect their own privacy, and it should not be limited to a right to sue only if they become victims of a data breach.
Where the line is ultimately drawn as to the CCPA’s private right of action will be informative as businesses and employers prepare to respond to the enactment of the CCPA and begin to understand the parameters of lawsuits brought by individuals.
For a more in-depth analysis of the private right of action and the current state of the CCPA, please refer to the advisory we published on September 12.