CYBER RISK & LAW
California Consumer Privacy Act Part II



August 13, 2019

Failure to follow the mandates of the CCPA can lead to civil penalties sought by the Attorney General, described below.  But the CCPA also provides a private right of action for consumers harmed by a disclosure of their PI.  Section 1798.150 provides that, regardless of a business's compliance with the notice, disclosure and deletion requirements of the CCPA, a consumer may sue for unauthorized access and exfiltration, theft or disclosure of nonencrypted or nonredacted PI (PI here is defined narrowly, by reference to the categories in the data-breach statute, Civil Code Section 1798.81.5, not the broad CCPA definition).  Because the claim reaches only nonencrypted or nonredacted data, encryption at rest and redaction of the sensitive fields directly narrow a business's exposure under this section.  It provides for the greater of actual damages or statutory damages of between $100 and $750 per consumer, per incident.  I'll discuss the damages below, but first there's a threshold standard to be met.

The Duty of Security

In order for liability to accrue it must be proven that the disclosure of PI was "a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information".  Defining reasonable security procedures and practices could precipitate significant litigation, especially in a field as fluid as information security.  Even if the parties can agree on a suitable standard, such as the NIST Cybersecurity Framework or ISO 27001, as evidence of "reasonable procedures and practices", the standards themselves allow considerable room for interpretation.  Reference could be made to HIPAA's Security Rule, but even that Rule allows for flexibility depending on a covered entity's size and complexity.  On the other hand, HIPAA requires covered entities to conduct a risk assessment, and HHS even offers a Security Risk Assessment tool for providers to follow; a documented risk assessment of this kind, with the resulting controls tied to the sensitivity of the data, is exactly the sort of evidence a business will want when "reasonableness" is litigated.

A business can go on to argue that, despite a disclosure of PI, it took reasonable safeguards in consideration of the nature of the information.  This suggests that businesses may argue that highly sensitive information, say Social Security numbers or credit card account numbers, is of a nature that requires stricter controls than, say, an email address.  In other words, to paraphrase George Orwell, "all pieces of information are personal, but some pieces are more personal than others".  This could be a critical distinction for those businesses that simply can't afford a broad improvement of security: classify the data, and concentrate encryption, access controls and monitoring on the most sensitive classes.  Arguing over the value of distinct pieces of data is a gamble, but like most standards short of strict liability, it's a gamble for both sides.

Damages Under the CCPA

Before a private right of action for statutory damages can be filed, the statute provides for a 30 day cure period.  But that provision only applies to statutory damages.  Plaintiffs' lawyers may file an action for actual damages without allowing for a cure.  Don't be surprised if plaintiffs' lawyers send out notices of violation to trigger the cure provision and, at the same time, include a settlement demand to head off the filing of an action for actual damages.  Curing the violation is certainly prudent, but it won't make the plaintiffs' bar go away.

If a plaintiff can get past early motions to dismiss on the foregoing, then its potential recovery will be driven by the number of consumers whose data the business holds, because statutory damages accrue per consumer, per incident.  More consumers mean more damages, so it's not surprising that bigger businesses, businesses that collect a lot of PI, and those that store it in separate, discrete silos, will be most at risk.  As in traditional class action litigation, smaller companies, and those with less PI, will likely not have huge targets on their backs.  But they must nonetheless be vigilant, because even if the plaintiffs' bar does not come after them for data loss, the Attorney General still could for CCPA violations, as discussed below.

Actions by the Attorney General Under Section 1798.155

Even if there is no exfiltration of data, if a business fails to implement or maintain the notice, disclosure and deletion mandates of the CCPA the Attorney General can seek civil penalties against the offending business.  Referencing Business and Professions Code Section 17206, the law establishes a civil penalty of up to $2,500 per violation, and up to $7,500 for each intentional violation.

It's unlikely that the Attorney General will be bringing cases for isolated or de minimis violations.  Rather, the AG will be looking at wholesale failures in implementation, or a failure or refusal to execute the law's directives.  By studying the law's directives and following the advice of privacy lawyers and information governance service providers, businesses should be able to get ahead of the law before it kicks into gear.  And even if a business can't figure out how the statute applies to it specifically, the statute allows it to "seek the opinion of the Attorney General for guidance" on compliance with the CCPA.  Like much of the bill, this section is subject to amendment, but the offer of guidance from the Attorney General makes it harder for a business to claim that the law's many vagaries are simply too difficult to comprehend.

As stated, the offer of guidance from the Attorney General is subject to amendment and then to interpretation.  Left unsaid is when the AG has to respond.  What happens until then?  Is the statute tolled while a business waits for a response?  And if the response requires a significant amount of effort or cost to implement, is non-compliance "tolled" for any period of time?

Cure Provision

The statute does offer some respite for non-compliance.  Businesses are given 30 days after notice to cure alleged noncompliance.  For matters involving failures of notice or disclosure, that time period seems reasonable, if brief.  But there are other violations for which a thirty day cure provision will do no good.  One is the prohibition on discrimination against a consumer who exercises rights under the law.  Generally, a business may not charge more, or offer a different level or quality of goods or services, to consumers who exercise their rights unless "that difference is reasonably related to the value provided to the consumer by the consumer's data".  So the law effectively requires the business to quantify the value of the data against any number and type of goods and services.  To comply, a business must perform that quantification before the Attorney General comes knocking, because it cannot be reconstructed credibly within a 30 day cure window.