The California Consumer Privacy Act (CCPA) is about to hit the 6-month milestone, and oh what a long, strange trip it’s been. Although the CCPA’s effective date was January 1, 2020, the California Attorney General (AG) has still not issued final regulations for the Act, to the frustration of many businesses seeking to implement CCPA compliance programs, but the AG has repeatedly affirmed that enforcement of the Act will commence on July 1, 2020. Furthermore, plaintiff attorneys have brought a range of CCPA related lawsuits – some under the CCPA’s private right of action provision for data breaches are more expected, with other lawsuits attempting to leverage the CCPA to bring a range of non-CCPA claims. We explore all this and more, below.
There is a procedural process that the AG has to follow to finalize the CCPA regulations. In short, the AG has to submit the proposed final CCPA regulations to the CA Office of Administrative Law (OAL) for review for compliance with the State Administrative Procedures Act. After that, OAL typically has 30 working days to conduct a review and either approve and file with the Secretary of State (SOS) or disapprove. Governor Newsome recently extended this timeframe by an additional 60 days due to COVID-19 pandemic.
Regulations generally become effective once a quarter based on when the final regulations are approved and filed with the SOS. In order for the CCPA final regulations to become effective by July 1, they have to be filed with OAL, approved by OAL and submitted to the SOS by May 31.
As the AG has not submitted the final CCPA regulations to OAL as of this writing, it is unlikely that the OAL will have time procedurally to expedite review and get approval, pushing the potential effective date to the next quarter. This has led to speculation that final regulation will be delayed until October.
Technically there is still time to meet the July 1 date, and the AG could also potentially submit late and ask for earlier enforcement. We continue to monitor the status of the CCPA final regulations and will update this blog when additional information is forthcoming.
Despite a delay in the CCPA final regulations, the California AG has repeatedly affirmed his intent to commence enforcement of the CCPA on July 1, 2020. Indeed, the AG’s office has rejected requests by a consortium of business and trade associations to delay enforcement of the CCPA in light of the COVID-19 pandemic, stating that they are “committed to enforcing the CCPA upon finalizing the regs or July 1, whichever comes first.” Consequently, businesses should still anticipate that regulatory enforcement of the CCPA will commence July 1.
While the AG has committed to enforcing the CCPA starting July 1, unfortunately the lack of final regulations for a regulation full of contradictions and ambiguities creates additional challenges for businesses working towards CCPA compliance. Nevertheless, our Beckage attorneys recommend that businesses do not wait for the promulgation of final regulations to finish preparing for compliance. Instead, it is advised that where the CCPA is unclear on its own requirements, businesses should consider reviewing past interpretations and enforcement of other privacy laws for guidance.
A range of CCPA-related lawsuits have been filed in California in the first six months following the enactment of the CCPA, leading to many questions about the scope of the CCPA’s private right of action.
Initially, the CCPA’s private right of action provision, as written, is narrow: it applies only to the CCPA’s data security provision. Cal. Civ. Code. 1798.150. This provision authorizes consumers to commence civil proceedings against a business whose failure to implement and maintain “reasonable security procedures” resulted in the unauthorized access or exfiltration, theft, or disclosure or consumer non-encrypted and nonredated personal information. Further, the definition of “personal information” in this section of the Act is narrower than the definition of PI applicable to other CCPA provisions, applying only to an individual’s name together with another identifying data element such as SSN, driver’s license number, or medical information. (Note: The California Privacy Rights Act, dubbed CCPA 2.0, which we profiled elsewhere, would expand this definition to include email addresses, usernames and passwords).
As written, the CCPA private right of action provides for the possibility of injunctive, declarative relief, actual damages or statutory penalties for qualifying incidents. But before bringing suit that seeks statutory damages, a plaintiff must provide the business with “notice and cure” opportunity, with the “cure” part of this provision is not defined.
What the CCPA private right of action clearly does not provide, however, is the opportunity for plaintiffs to leverage the CCPA as a basis to bring other claims under other laws. Indeed, the CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” thus prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes.
But, not unexpectedly, plaintiffs have not heeded this statutory prohibition, and are trying to leverage the CCPA for a range of non-data breach related claims, as described below.
Initially, the majority of CCPA related lawsuits filed to date have been brought in federal courts under the Class Action Fairness Act, 28 U.S.C. § 1332(d), which provides for federal jurisdiction for class-action claims that meet certain thresholds. Because this trend may result in a cannon of federal court CCPA jurisprudence before state courts are called to adjudicate CCPA matters, many anticipate this dynamic may result in even more rigorous state-court enforcement by the California AG post-July 1.
Although CCPA’s private right of action is explicitly limited to allegations of failure to provide injury “reasonable security” resulting in a data breach, plaintiffs have brought claims for violations of the substantive privacy provisions of CCPA.
For example, in the class action filed as Sweeney v. Life on Air, Inc. et al., No. 3:20-cv-00742 (S.D. Cal. Apr. 17, 2020) (Sweeney), the plaintiffs alleged violations of (i) Cal. Civ. Code § 1798.100(b), requiring notice at or before the point at which personal information is collected and limiting additional uses of personal information; (ii) Cal. Civ. Code §1798.120(b), requiring a business to provide notice of the right to opt-out of sales of personal information; (iii) Cal. Civ. Code § 1798.135(a)(1), requiring a “Do Not Sell My Personal Information” link on a business’s homepage and (iv) Cal. Civ. Code § 1798.135(a)(6), requiring a business using information collected in connection with an opt-out request solely to comply with the opt-out request. (Sweeney Complaint, ¶¶ 102-105.)
On its face, these claims do not appear to be sustainable under the plain text of CCPA, but its remains for the court, the Southern District of California, to clarify the scope of the CCPA private right of action.
Also as expected, plaintiffs are attempting to do that which the CCPA appears to disallow - to use purported violations of the CCPA to state claims under other California statutes. For example, in Hurvitz v. Zoom Video Communications, Inc. et al., No. 2:20-cv-03400 (C.D. Cal. Apr. 13, 2020), plaintiffs allege that defendant Zoom Video Communications (Zoom) violated the provision of CCPA requiring a business to provide notice to consumers of the categories and uses of personal information it collects at or before the point of collection, and prohibiting the business from collecting additional categories of personal information or using personal information for additional purposes without providing additional notice. (See Cal. Civ. Code § 1798.100(b); Hurvitz Complaint, ¶ 213.)
Because substantive CCPA privacy claims may not be brought as private claims under the CCPA, or under other statutes based on the CCPA’s prohibition, the Hurvitz plaintiffs have instead alleged that the violation of the CCPA’s provisions constitutes an unlawful practice in violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. Whether these claims are validly stated and the CCPA can be leveraged in this manner, especially in light of the CCPA’s facially clear prohibition described above, remains a determination for the courts.
As expected, CCPA data breach claims are not being brought as straight CCPA actions, but are accompanied by a range of other privacy tort or statutory claims. For example, in Fuentes v. Sunshine Behavioral Health Group LLC, No. 8:20-cv-00487 (C.D. Cal. Mar. 10, 2020) (Fuentes), the plaintiffs brought 11 claims in addition to the CCPA claim, both statutory and common law. These including claims of negligence, negligence per se, breach of contract, and breach of implied contract arising from a data breach. Plaintiffs frequently bring multiple common law tort claims in data breach actions nationwide, and this trend was anticipated here. Ultimately it means that defense of a CCPA action will almost certainly include defense of other tort claims, for which additional discovery and damages may be available.
The commencement of a CCPA private right of action and related claims present a meaningful risk to businesses doing business in California. Until judicial decisions provide clarity on the scope of the CCPA private right of action and the CCPA’s prohibition, the scope of these risks is substantial and not fully known. With the assistance of our experience Beckage team, a comprehensive CCPA compliance program, in addition to other risk mitigation strategies, should be considered. We can work with your company, regardless of size, to determine the best approach to build a proactive, buildable and defensible program that makes sense for your business.
*Attorney Advertising. Prior results do not guarantee future outcomes.