The California Consumer Privacy Act (CCPA) law is considered among the most comprehensive data privacy mandates in America. It requires covered companies to respect consumers’ privacy and to make sure that any data collection they practice are legal, transparent and necessary to perform the business purpose. A fertile ground for future class actions.
Humans now exist both physically and digitally. As in the physical universe, one misstep online can potentially destroy private lives in an instant. Everyone has reason to be hyper-vigilant closely guarding their personal information. In The Age of Surveillance Capitalism, Shoshana Zuboff’s groundbreaking new book, examines thriving business models geared towards collecting metadata from individuals at nearly every instant --- of every hour every day, cataloging our “every move, emotion, utterance and desire”. Powerful corporations seeking to predict and control our behavior in the long term is disturbing to many on a personal level. Many consider threats to their online security as a highest priority. Indeed, businesses are constantly under attack by trolls and other unscrupulous hackers and digital criminals. Some of the deleterious effects of inadequate data protection are identity theft, financial fraud, destruction of property, damage to reputation, harassment, with its associated emotional physical stress.
And the landscape is now changing. The state of California has a well-documented history as a legislative policy trailblazer, and long recognized as a global center for high technology, innovation, social media and related industries. With this history and environment, the state legislature passed the California Consumer Privacy Act (CCPA) taking effect on January 1, 2020. Modeled after Europe’s General Data Protection Regulation, this law is considered among the most comprehensive data privacy mandates in America. It requires covered companies to respect consumers’ privacy and to make sure that any data collection they practice are legal, transparent and necessary to perform the business purpose. A fertile ground for future class actions.
How does it all work?
California Consumer Privacy Act (CCPA) Nuts and Bolts
Once a California resident believes personal information is or has been collected about them, sold or disclosed to entities without their knowledge, or that any of their privacy rights outlined in the CCPA are being denied, prior to brining a lawsuit they are required to provide the allegedly offending business 30 days written notice identifying the specific provisions of the statute believed to been violated. The suspected violator must act within the 30-day period. They must also provide the consumer an express written statement that the violations have been cured and that no further violations shall occur.
But if no cure, the consumer can initiate legal actions for statutory damages (discussed below) on an individual or class action basis. But no notice is required if pecuniary damages are suffered from violations of privacy requirements.
WHO NEEDS TO COMPLY WITH THE CCPA?
The law is focused on larger business interests, those with gross revenues exceeding $25 million, or annually buying, receiving for a commercial purpose, selling or sharing the ‘personal information’ of 50,000 or more consumers, households or devices; or businesses focusing 50 percent or more of their annual revenues from selling consumers’ personal information.
But in appreciation of the jurisdictional challenges that would follow, the California legislature exempts business if “every aspect” of their commercial conduct “takes place wholly outside of California”. But if the business is collecting personal information of California consumers the law applies to them. California has 40 million people. So if your doing business on the internet good chance you are dealing with a Californian.
WHAT CONSTITUTES ‘PERSONAL INFORMATION’?
‘Personal information’ is broadly defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The statutory list is long. Examples include:
And let’s add in … geolocation data; audio, electronic, visual, thermal, olfactory or similar information; professional, employment-related and education information. That’s a lot of potential exposure! $750 per violation, times the number of users, and each ‘violation’ is for each piece of data!
One item on the list is enough to be in violation of the CCPA. And the list is not exhaustive. Any consumer profile indicating the consumer’s commercial and personal characteristics, buying behavior and preferences can exposes a business.
IS ANYTHING EXEMPT FROM THE ‘PERSONAL INFORMATION’ DEFINITION?
The above categories are quite expansive. A far question is ‘is any information not covered’. Answer, yes, but limited. Information obtained from public governmental records, data that has been ‘deidentified’, which mean it is no longer specifically associated with a person, as long as the company does not ‘reidentify’ it back; and “aggregate consumer information” meaning related to a group or category of consumers, but not linked, or reasonably linkable, to any consumer or household.
THE PENALTIES FOR CCPA NON-COMPLIANCE
If the California Attorney General becomes involved fines of up to $7500 per intentional violation are mandated. Consumer litigants are provided a private right of action and up to $750 per violation. That can add up to lots of money for each time someone accesses a non-compliant application or website. Consider a business that failed to put a right to ‘opt-out’, a right to disclosure statement or a ‘Do Not Sell My Personal Information’ warning on their webpage, multiplied by the amounts of clicks. Each ‘cookie’ can be a violation. The statute directs a court that
In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.
Hence, lots of avenues for plaintiffs’ discovery plan, and the larger the internet or web company possibilities for large damage awards will always loom. Numerous consulting companies are focused on protecting users, and ultimately webpages, in their usage of cookies. And all these users are identifiable --- the exact reason the California legislature passed the Act. With these possibilities class actions exposure to data companies can be extensive.
And of course, each of these possibilities will be tested in the courts as creative lawyers seek to expand, or narrow, the meaning and scope of the new law. Simpluris intends to keep you informed of these developments.
Additionally, California’s Unfair Competition Law, Business & Professions Code Section 17200, empowers plaintiffs, and their attorneys, with additional hammers of attorney fee awards and injunctive relief.
And while Simpluris’ is ready to handle any onslaught of a large scale technological class action administration, digitally and physically, attorneys on both sides must prepare for a whole new class action battleground as the internet and privacy issues has proven to be an expansive ground for these large litigation encounters.