CCPA Class Action Likely Not Too Classy

One of the most significant aspects of the California Consumer Privacy Act (CCPA) is the fact that consumers in California now have the right to sue companies for their losses resulting from data breaches. While this seems significant, in reality, it’s not much of a change from existing law, and in fact, may ultimately leave consumers with fewer rights.

The statute, California Civil Code Section 1798.150 (a)(1) provides:

(a) (1) Any consumer whose … personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures .. may institute a civil action [t]o recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater [or] Injunctive or declaratory relief.

The CCPA is overall a fairly comprehensive data privacy statute, which requires companies that collect personal information about California residents to provide both opt-in and opt-out requirements for the use, disclosure and sale of that information; to provide certain rights of access to the data collected and to have the data collected to be deleted; and to be able to track how the data was accessed and used.

However, for violations of the privacy requirements of CCPA, consumers cannot sue; in lawyer terms, the statute does not create a “private right of action” for violation of privacy. A consumer can complain to the California Attorney General, who can decide whether to sue, but they cannot (at least under the statute) sue for breach of privacy, even if the violation of privacy is knowing and deliberate.

The CCPA also extends the obligation of companies that collect personal information to use reasonable security to protect that data from a data breach. If the company fails to implement or maintain such security, and this results in a data breach, then the consumer can sue—for either $750 or actual damages (per incident), whichever is higher.


But not really. First, the idea that if a company deliberately exposes your personal information you can’t receive damages but if the company is the victim of a crime in which some criminal “steals” the data you can receive damages frankly rewards the wrong kind of behavior. So if you are merely negligent and someone steals personal data you can be sued, but if you are deliberate you can’t—at least not in a private right of action.

OK, fine. But it’s good that you can recover damages in a lawsuit at least, right? Not so fast, Kemosabe. Ask yourself whether, if you learned that your personal data was breached, you would be willing to file a lawsuit in the Superior Court for the County of Los Angeles in the hope that you might win the whopping amount of $750? I think not.

The true power of the private right of action, both as a deterrent to negligent behavior and as a method of (slightly) compensating those damages, is in the class action lawsuit. When there’s a data breach, lawyers swoop in and sue on behalf of all of the persons impacted. Since the CCPA provides for statutory damages, the class action lawyers are spared having to prove actual damages by each individual plaintiff. A breach with 100,000 subjects? Let’s see … my math is not great, but 100,000 times $100 is $10 million, minimum.

No Lack of Class (Action)

So the CCPA seems to encourage the filing of class action lawsuits for violation of security provisions. However, companies trying to comply with CCPA inevitably will be rewriting their privacy policies to add CCPA language. While they are at it, their high-priced privacy lawyers are likely adding to the privacy policies a mandatory arbitration policy with a class action waiver.

You see, a privacy policy, such as terms of service, can be a contract. If executed correctly, it can bind the consumer. What many companies are doing is requiring consumers who suffer damages or injuries as a result of the misbehavior of the company to forgo their god-given right to haul the offender into court, and instead to arbitrate their claims. While arbitration has some advantages to both consumers and companies (it’s cheaper and faster) when it comes to consumer complaints, companies tend to prefer arbitration because there are fewer obligations of discovery (forcing the company to provide evidence), adverse decisions are not “precedential” (they don’t bind other arbitrators) and, most importantly, companies force consumers to waive the right to pursue a class action. The Supreme Court has ruled that federal law supersedes state law with respect to the enforceability of these mandatory arbitration provisions and that an arbitration agreement can force consumers to waive their ability to pursue class action lawsuits.

So if you have a privacy policy with a class action arbitration waiver and you suffer a data breach, consumers can each sue for $100. Well, technically, they can each demand an arbitration for $100. Individually. Not as a class—if the privacy policy and arbitration agreement are written well and executed properly. If not, you’re in trouble.

Huuuge Mistake

Recently, online gaming app developer Huuge attempted to get consumers to agree to both an arbitration agreement and a class action waiver through an online app. If you looked at the app description and clicked “more,” you would see the notice, “Read our terms of use.” This would include a URL the consumer could type into a browser.  In the mobile app, the three-dot “kebab” in the upper right corner led to a drop-down menu that included an item, “Terms and Conditions” which then included the language that purported to be the arbitration agreement and waiver of class action. While courts have frequently enforced such “browsewrap” agreements, the federal appeals court in the Huuge case noted that users were not required to click “I agree” to assent to the waiver and had no actual or constructive notice that the site even had terms of use or a waiver of the right to sue. The court noted: “Only curiosity or dumb luck might bring a user to discover the Terms.” This, the court found, was not sufficient to compel a waiver of the right to file a class action. So the better approach is to make the user actually read the waiver and actually click an “I agree” button, waiving their rights. (Maybe with language from Dante’s Divine Comedy, “Abandon hope all ye who enter here?”)

Click Here

So the Huuge court found that merely having some terms of service was not enough to mandate assent, but that a click “I agree” button would probably work.

Big deal. Huuge?

Nope. Not at all. ‘Cause, let’s face it: Consumers don’t read privacy policies. Consumers don’t read arbitration agreements. Consumers don’t read class action waivers. They don’t read them partly because they are boring. Partly because they are unreadable. Partly because they are not subject to negotiation. But mostly, in the words of Ellen Barkin in “Diner,”  “It’s too complicated Schreevie … I just want to hear music, that’s all.” So consumers will click anything you put in front of them, ’cause “it’s too complicated, Shreevie …”

So CCPA provides for certain rights that will quickly and easily be removed by hordes of lawyers. Meanwhile, companies will continue to send updated privacy policies to consumers, some of which will invariably contain the poison pill of class action waivers. Advice: Read these things. Even though I know you won’t.

Mark Rasch

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 202 posts and counting.See all posts by mark