When the California Consumer Privacy Act (CCPA) enters into force on January 1, 2020, it will grant consumers extensive new data rights and place new obligations on companies. This means that just about every company doing business in California or with Californians and meeting certain thresholds (by revenue or data collection) should know about the CCPA, risks for class action litigation and incentives to plaintiff’s attorneys to bring suit in California. While the California Senate Appropriations Committee blocked a bill on May 17 that would expand a private right of action under the CCPA beyond data breaches, business should still anticipate litigation once the CCPA takes effect and build litigation defense considerations into their compliance plans.
Given the unprecedented change to California law, the CCPA could invite a wave of consumer litigation as plaintiffs seek to recover statutory damages under the CCPA’s private right of action. In addition, the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) (UCL) always presents a serious background threat of litigation. As businesses continue to develop new and innovative ways to sell their goods and services to customers in California, including through expanding e-commerce, they must remain vigilant in preparing for litigation that will stem from CCPA enactment.
The Private Right of Action as a Predicate for Consumer Class Action Litigation
The CCPA allows consumers to bring lawsuits when their “nonencrypted or nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Significantly, the CCPA provides consumers with the ability to seek either actual damages or statutory damages up to $750 per incident.
In determining the proper amount of statutory damages, courts are obligated to consider, among other elements, “the nature, seriousness ... and persistence of the misconduct,” number of violations, “the length of time over which the misconduct occurred,” willfulness and ability to pay. Further, the court may order injunctive or declaratory relief or any other relief deemed proper for violations of this provision.
The private right of action is available only if it involves unauthorized access to the data and also results from unreasonable security. But significantly, the CCPA does not define “reasonable” security measures, nor has California codified what is meant by “reasonable security.” The Federal Trade Commission and other states have addressed and defined “reasonable” information security practices in other statutory and regulatory regimes. However, California courts will likely have to determine the boundaries of what is or is not reasonable, at least with respect to the CCPA.
Furthermore, the right to statutory penalties did not previously exist for data breaches involving California residents’ personal information. The fact that statutory damages are now available is expected to provide incentive for plaintiffs to bring class action litigation, and with a statutory damages award of up to $750 per violation, the CCPA creates a possibility for staggering verdicts in the consumer class action context.
A California resident may initiate a lawsuit only after giving businesses notice and a 30-day opportunity to cure. If the business cures the violation and provides the consumer with an “express written statement that the violations have been cured and that no further violations shall occur,” the consumer cannot initiate an action. As drafted, the safe harbor provision is a double-edged sword.
On the one hand, the safe harbor provision will provide businesses with advance notice of claims and the ability to engage plaintiffs before litigation progresses. On the other hand, because of the uncertainty in the statute as drafted, it is not clear what an actual cure of the data breach would look like. Questions abound, including how to cure a security breach that has already occurred. This cure period is similar to the notice and cure period under the California Consumers Legal Remedies Act, in which the plaintiffs bar is well versed at requesting “cures” that may be difficult to achieve. Businesses can expect to grapple with the question of whether a cure was adequately provided in a CCPA class action lawsuit.
California Consumer Laws as a Predicate for Consumer Class Action Litigation
The CCPA may also spark expanded class action litigation as plaintiffs’ attorneys use existing California consumer laws to try to enable lawsuits for CCPA violations beyond the data breach provision. The unfair competition law permits any person, acting for the interests of itself, its members or the general public, to initiate an action for restitution or injunctive relief against a person or business entity that has engaged in “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising.”
The UCL has historically been a powerful tool for plaintiffs who use its extensive equitable remedies and far-reaching liability standard to pursue consumer class action claims. Consequently, plaintiffs’ lawyers are likely to try to use the CCPA to advance two principal arguments.
First, plaintiffs’ counsel will likely argue that if there has been a violation of the data breach provision (i.e., a breach that was caused by unreasonable information security), plaintiffs may pursue “unlawful” claims for data breaches. While the CCPA expressly — and helpfully — provides that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law,” the boundaries of this limitation are likely to be tested in litigation.
Litigants will likely argue that there is sufficient California case law that permits consumers to base UCL violations on laws that do not explicitly provide a private right of action. Second, the plaintiffs bar will likely pursue violations of the CCPA not related to data breaches to advance secondary UCL claims. While plaintiffs will argue that the limiting clause in the CCPA applies only to the data breach claims, businesses will of course counter that the natural reading of the limitation on using the CCPA as a predicate for a private right of action applies to anything “in this title” (other than the private right of action defined for data breaches).
Besides the plain language, defendants can also advance policy arguments that the language of the CCPA bars private suits based on general violations of the law because the California attorney general is ultimately vested with that authority. The scope of the private right of action has been contentious from the beginning through the recent unsuccessful attempt to amend the CCPA to expand the private right of action, providing substantial legislative history to support the limitation. While much remains to be seen, courts will likely be focused on whether the legislature specifically intended to preclude UCL claims.
Consider Ways to Reduce Litigation Exposure
In addition to instituting CCPA compliance and preparedness in order to comply with the CCPA’s obligations, companies should consider including an arbitration clause and a class action waiver in the website’s terms and conditions, prohibiting users from litigating en masse. While the CCPA includes a prohibition on contract terms that appear targeted at arbitration clauses and class action waivers, this should be preempted by the Federal Arbitration Act, or FAA.
In recent decisions like AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011) and DirecTV Inc. v. Imburgia, 36 S. Ct. 463 (2015) the U.S. Supreme Court confirmed that class action waivers in arbitration provisions are enforceable. In 2017 the Supreme Court in Kindred Nursing Centers L.P. v. Clark, 137 S. Ct. 1421 (2017) reaffirmed that the FAA preempts state laws placing agreements to arbitrate on weaker footing than other types of contracts. The Supreme Court found that a state court rule was really an attempt to target and disfavor arbitration agreements and, on that basis, held that the arbitration agreement at issue was to be enforced. Based on the recent Supreme Court decisions vacating anti-arbitration state rules, it seems likely the CCPA’s attempt to prevent arbitration and class action waivers will be preempted.
Businesses also should critically analyze the conspicuity of their websites’ notices of the terms and conditions, the accessibility and the timing of the notices, as well as the notice and placement of the arbitration provision itself. The terms and conditions must be presented in a manner that provides adequate notice to the user, focusing on the design and content of the website and on the terms and conditions page. To maximize the likelihood of enforcement, the terms should be clear and conspicuous, easily accessible and displayed in a sufficiently large viewing window to provide the user an adequate opportunity to review the terms, thereby eliminating any doubts that a reasonable user would have noticed them. Courts have been more willing to enforce terms and conditions communicated through “clickwrap” agreements that require the user to affirmatively accept the contractual terms before proceeding to the next step in the transaction.
To maximize enforceability when including an arbitration clause, e-commerce businesses should also consider including a delegation clause to the arbitrator. On January 8, 2019, the U.S. Supreme Court issued its decision in Henry Schein Inc. v. Archer and White Sales Inc., No. 17-1272 holding that a court may not override the contractual agreement that delegates arbitrability questions to the arbitrator and rejected the “wholly groundless” exception to the contractual delegation of arbitrability questions. Schein gives online businesses an even greater ability to limit courtroom litigation, and businesses should consider vesting an arbitrator with the power to decide both substantive and threshold questions affecting the parties’ rights to litigate.
The placement of the arbitration provision is also essential to providing the user notice in order to form a binding arbitration agreement. The terms and conditions can ensure sufficient notice of the arbitration agreement by
- including a statement up front that the terms and conditions contain a binding arbitration clause
- stating unequivocally that the parties have agreed to binding arbitration
- explaining how an arbitration proceeding can be commenced
- providing users an opportunity to opt out of the arbitration agreement and informing them that by not doing so, they are agreeing to the arbitration clause
Finally, in addition to presenting the arbitration provision in a manner that provides adequate notice to the user, businesses should evaluate whether their arbitration provision includes easily understandable, balanced provisions to avoid a finding of unconscionability.
The CCPA has potentially far-reaching implications for class action litigation and will not go unnoticed by the plaintiffs bar when it goes into effect January 1. Practitioners should anticipate class action litigation issues early and be aware of the preventative measures that businesses can take even beyond a comprehensive and effective compliance program to support the new consumer data privacy rights, including a defensive review of the information security program, and implementing effective terms and conditions, to minimize the potential for significant exposure.
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.