So Don’t Sue Me: Strategies for Responding to CCPA Consumer Enforcement Notices
After a holiday break marked by a steady stream of emails from media, technology, and retail companies announcing updates to their privacy policies, the California Consumer Privacy Act has now—finally—come into force. Despite the law taking effect, the California Attorney General—who has the exclusive authority to enforce most of the CCPA’s requirements—cannot begin enforcement until July 1.
Companies will not enjoy any reprieve, however, from one critical element of the CCPA: the private right of action for statutory damages. That right now applies—with immediate effect—to any data breach that meets the parameters of Cal. Civ. Code § 1798.150(a) and occurs after January 1. Under that provision, consumers have a right to sue, and to recover statutory damages of up to $750 per consumer from, any CCPA-covered business that suffers a data breach as a result of its failure to implement and maintain reasonable security procedures and practices.
The plaintiffs’ bar will no doubt use this private right of action to aggressively pursue companies that announce data breaches in the coming months. But they’ll face an important hurdle: under § 1798.150(b), before a consumer can bring an individual or class action for statutory damages, they must provide the business 30 days’ written notice that identifies “the specific provisions” of the CCPA that the consumer alleges “have been or are being violated.” The business then has the right to cure the alleged violation, “in the event a cure is possible,” and can eliminate the consumer’s ability to sue for statutory damages by “actually cur[ing] the noticed violation and provi[ding] the consumer an express written statement that the violations have been cured and that no further violations shall occur” within 30 days after receiving the consumer notice.
Like other key provisions in the CCPA, this notice-and-cure provision is unclear in important respects. Under what circumstances would a cure be possible after a data breach? And what would it mean to “actually cure” a noticed violation that caused a data breach? Depending on the answers to those questions, the notice-and-cure provision could offer businesses a way to avoid one of the CCPA’s most significant potential consequences. Or it could simply be a trap for the unwary. We won’t know which until courts have weighed in.
In the meantime, we offer several points for businesses to consider if they receive a CCPA-inspired consumer notice in the wake of a data breach that affects California consumers.
- Does the consumer notice satisfy the CCPA’s requirements?
Under § 1798.150(b), sending a written notice to the business that identifies the “specific provisions” of the CCPA that the consumer alleges have been or are being violated is a prerequisite to commencing an individual or class action for statutory damages. For purposes of the private right of action, the only relevant CCPA provision would seem to be § 1798.150(a), which implicitly requires a business to maintain “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Thus, the statute would appear to require the consumer notice to directly allege a violation of that duty. The level of detail necessary for that allegation, however, is unclear.
There is precedent for requiring consumers to provide detail when they allege a business’s security practices and procedures were unreasonable. In the federal data-breach litigation context, for example, courts have held that to survive a motion to dismiss under Rule 12(b)(6), a California plaintiff who alleges a defendant failed to implement and maintain reasonable security procedures and practices must plausibly allege facts that show how the defendant’s procedures and practices fell short of that standard.
Without guidance from courts, however, businesses should not assume that federal court pleading standards will apply to consumer notices under § 1798.150(b). But whatever the contours of the standard for consumer notices, simply complaining about a data breach, or alleging other unrelated violations of the CCPA, likely would not meet them.
- Is a cure possible?
The CCPA does not offer any guidance on whether and when a “cure” is possible after a data breach.
Given that the “violation” is the business’s failure to implement and maintain reasonable security procedures and practices, a “cure” could take the form of improvements to the business’s security procedures and practices that would prevent similar incidents in the future. But there is reason to believe that post-breach improvements to the business’s security program will not be enough. As the Ninth Circuit recently observed, courts interpreting other California statutes that include cure provisions have concluded that “future compliance is an insufficient ‘cure’ if the ill effects of a violation have not been or cannot be remedied.”
If that same logic is applied to the CCPA, whether a “cure” is possible may depend on the nature of the breach.
Consider, for example, a breach involving the inadvertent (but unauthorized) disclosure of personal information to a third party who is willing and able to return or destroy the information, and to provide an attestation that it has done so. In that case, a business could work with that third party to remedy the “ill effects” of any CCPA violation, in a way that would arguably “cure” that violation.
In a breach involving a malicious hacker whose identity is unknown, by contrast, a consumer could argue that it is impossible for the business to remedy the “ill effects” of the breach. But depending on the nature of the information at issue, providing credit monitoring or identity theft protection services to the consumer could arguably accomplish that end. So too could offering direct compensation to the complaining consumer.
- Is responding to the consumer worth the potential risk?
If a cure is possible, and the business believes it can “actually cure” the noticed violation, the CCPA provides a strong incentive for the business to implement that cure and respond in writing to any consumer notice it receives within the statute’s 30-day deadline. Doing so will foreclose the consumer’s ability to bring an individual or class action for statutory damages.
But such a response also entails some risk that the business should weigh carefully.
First, providing an “express written statement that the violations have been cured and that no further violations shall occur,” as § 1798.150(b) requires, might implicitly require the business to credit the consumer’s allegation that its conduct violated the CCPA. Even if the business disagrees with that allegation, an “express written statement” that accepts it to capitalize on the CCPA’s notice-and-cure provision could give the complaining consumer—and others—evidence to support their claims in any lawsuit if the attempt to cure does not succeed.
Second, any representations the business makes in its response to the consumer can give rise to additional claims for statutory damages in the event of any subsequent data breach. Under § 1798.150(b), if the business violates the “express written statement,” the consumer may bring an action for statutory damages for “each breach of the express written statement.”
In sum, as companies continue their struggle to understand how to comply with the CCPA’s myriad requirements for the collection, use, and sharing of California consumers’ personal information, they should also have a plan to address any CCPA-related consumer notice they receive following a data breach. How the business responds to that notice could be the difference between escaping a potentially ruinous class action and providing more ammunition for the plaintiffs.