The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Although the California Attorney General will only begin enforcement actions after July 1, 2020, the private right of action under the CCPA is already fully in effect.
This private right of action offers California consumers a valuable tool for seeking help when their personal information is obtained through a data breach. It also means that companies doing business in California may face civil liability if the systems they have put in place are breached.
Private Right of Action
Under the CCPA, any consumer whose personal information is exposed to unauthorized access because a business failed to implement and maintain its security procedures may file a civil action to recover either actual damages or statutory damages. Statutory damages can range from $100 to $750 for every consumer, for every incident.
By establishing a right to receive statutory damages for every violation, this provision of the CCPA makes it a lot easier for consumers to bring a civil action after a data breach. By proving that the actual damages are a result of a data breach, the right actions will be performed.
Protection to Companies
The CCPA provides a private right of action only against businesses and organizations that fail to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
The CCPA, unfortunately, does not define these key terms. Another provision of the CCPA, however, offers businesses protection against suits from consumers, especially those who are actively seeking statutory damages.
Under Section 1758, 150(b) of the CCPA, a consumer needs to present the business with written notice within 30 days of the alleged violation leading to the unauthorized access, theft, exfiltration, or disclosure of the consumer's personal information.
This means that the business is given 30 days to deal with the violation and to notify the consumer that the violation has been cured and that no further violations will occur. If the organization acts quickly to cure the violation and inform the consumer, there is no need for the consumer to sue for statutory damages.
Note that the private right of action under the CCPA has been in effect for only a few months, and the courts have not yet analyzed it completely. Even though a lot of things are still unclear, what is certain is that this private right of action will result in high costs for businesses that fail to maintain the appropriate level of care for their customers' personal information. For the same reason, companies need to work with knowledgeable counsel to make sure that CCPA compliance is observed.
Remedies Under CCPA
Under the CCPA, consumers may seek either actual damages or statutory damages for every violation. Actual damages are a question of fact, while statutory damages are fixed at not less than $100 and not greater than $750 for every consumer for every incident. This may lead to a huge amount of statutory damages, since data incidents can involve several hundred, thousands, or even millions of consumers.
When determining the amount of statutory damages, the courts are instructed to weigh several factors. Here are some of them:
- The nature of the misconduct and its gravity
- The number of violations committed
- Persistence of the actual misconduct performed
- Period of time in which the misconduct happened
- The willfulness of the misconduct of the defendant
- Assets, liabilities and net worth of the defendant
- Other circumstances that are relevant and presented by the parties
The CCPA also authorizes both injunctive and declaratory relief, along with any other relief that the court considers proper. Even though the size and scope of statutory damages under the CCPA may be substantial, certain limiting provisions are worth emphasising.
The CCPA introduces a new chapter in the litigation and enforcement of both privacy and cybersecurity. Companies are required to examine their practices involving data collection and storage. They have to consider whether they can reduce their risk by collecting as little data as possible and by storing it in redacted or encrypted formats. Companies are also required to evaluate their data security compliance efforts, to the point of developing a strategy for responding quickly to possible breaches in data security, as well as to the risk of private rights of action. The company's counsel may help in developing effective strategies that are tailored to the different security issues the company faces.