One of the most significant aspects of the California Consumer Privacy Act (CCPA) is the fact that consumers in California now have the right to sue companies for their losses resulting from data breaches. While this seems significant, in reality, it’s not much of a change from existing law, and in fact, may ultimately leave consumers with fewer rights.
The statute, California Civil Code Section 1798.150(a)(1), provides:
(a) (1) Any consumer whose … personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures … may institute a civil action [t]o recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater [or] Injunctive or declaratory relief.
The CCPA is overall a fairly comprehensive data privacy statute. It requires companies that collect personal information about California residents to provide both opt-in and opt-out mechanisms for the use, disclosure and sale of that information; to give consumers certain rights to access the data collected and to have it deleted; and to be able to track how the data was accessed and used.
However, for violations of the privacy requirements of CCPA, consumers cannot sue; in lawyer terms, the statute does not create a “private right of action” for violation of privacy. A consumer can complain to the California Attorney General, who can decide whether to sue, but they cannot (at least under the statute) sue for breach of privacy, even if the violation of privacy is knowing and deliberate.
The CCPA also extends the obligation of companies that collect personal information to use reasonable security to protect that data from a data breach. If the company fails to implement or maintain such security, and this results in a data breach, then the consumer can sue—for either $750 or actual damages (per incident), whichever is higher.
But not really. First, the idea that you can’t recover damages if a company deliberately exposes your personal information, but can recover damages if the company is the victim of a crime in which some criminal “steals” the data, frankly rewards the wrong kind of behavior. So if you are merely negligent and someone steals personal data you can be sued, but if you are deliberate you can’t—at least not in a private right of action.
OK, fine. But it’s good that you can recover damages in a lawsuit at least, right? Not so fast, Kemosabe. Ask yourself whether, if you learned that your personal data was breached, you would be willing to file a lawsuit in the Superior Court for the County of Los Angeles in the hope that you might win the whopping amount of $750? I think not.
The true power of the private right of action, both as a deterrent to negligent behavior and as a method of (slightly) compensating those damages, is in the class action lawsuit. When there’s a data breach, lawyers swoop in and sue on behalf of all of the persons impacted. Since the CCPA provides for statutory damages, the class action lawyers are spared having to prove actual damages by each individual plaintiff. A breach with 100,000 subjects? Let’s see … my math is not great, but 100,000 times $100 is $10 million, minimum.
No Lack of Class (Action)
So the CCPA seems to encourage the filing of class action lawsuits for violation of security provisions. However, companies trying to comply with CCPA inevitably will be rewriting their privacy policies to add CCPA language. While they are at it, their high-priced privacy lawyers are likely adding to the privacy policies a mandatory arbitration policy with a class action waiver.
So the Huuge court found that merely having some terms of service was not enough to establish assent, but that a clickable “I agree” button would probably work.
Big deal. Huuge?
Nope. Not at all. ’Cause, let’s face it: Consumers don’t read privacy policies. Consumers don’t read arbitration agreements. Consumers don’t read class action waivers. They don’t read them partly because they are boring. Partly because they are unreadable. Partly because they are not subject to negotiation. But mostly, in the words of Ellen Barkin in “Diner,” “It’s too complicated, Shrevie … I just want to hear music, that’s all.” So consumers will click anything you put in front of them, ’cause “it’s too complicated, Shrevie …”
So CCPA provides for certain rights that will quickly and easily be removed by hordes of lawyers. Meanwhile, companies will continue to send updated privacy policies to consumers, some of which will invariably contain the poison pill of class action waivers. Advice: Read these things. Even though I know you won’t.