CCPA’s Limited Private Right of Action
The Attorney General’s Office was granted wide discretion and enforcement powers to impose fines of up to $2,500 for unintentional violations and up to $7,500 for each intentional violation. Cal. Civ. Code 1798.155. The CCPA, however, provides for only a limited private right of action for individual consumers related to data security breaches. Cal. Civ. Code 1798.150. Plaintiffs can recover actual damages or statutory damages of $100 to $750. A broader potential private right of action was considered and would have permitted individuals to sue for any and all CCPA violations. SB 561. But that amendment failed to pass in May.
Where There’s a Will, There’s a Way?
But anyone expecting that companies will only face privacy-related consumer litigation in the context of a data breach is under-selling the risk. While direct actions under the CCPA may be limited, the requirements of the CCPA may serve as the basis for claims under other consumer protection statutes. And, importantly, the public statements and policies that companies issue will be scrutinized not just for their actual compliance, but for whether companies are fulfilling their own promises. Indeed, nothing prevents individuals from filing putative consumer class action claims alleging false statements, unfair business practices, or misleading conduct on the part of companies in connection with their privacy policies and practices.
What Types of Claims Are Likely to be Filed?
These claims are likely to be brought pursuant to other California consumer protection statutes, such as California’s Unfair Competition Law (Bus. & Prof. Code 17200), False Advertising Law (Bus. & Prof. Code 17500), and Consumer Legal Remedies Act (Civ. Code 1750). For example:
- Section 17200 prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising.” Put differently, a violation of any other California law, including the CCPA, can serve as the basis for a claim. That is true even where that underlying statute does not, itself, give rise to a private right of action.
- Similarly, Section 17500 can give rise to a claim based on the dissemination of untrue or misleading statements concerning the performance of services. That would include statements made concerning the collection, use, handling, storage, dissemination, or destruction of personal information in connection with a business’s activities.
- Finally, the CLRA prohibits a broad range of representations and statements concerning a company’s policies, procedures, and services. In addition to actual damages, the statute also permits recovery of punitive damages and attorney’s fees.
Courts have found that violations of internal policies and/or statements concerning those policies provide sufficient foundation for such actions. See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) (plaintiffs’ allegations that they relied on Adobe’s claims that personal data would be protected sufficient to establish UCL standing); Smith v. Chase Mortg. Credit Grp., 653 F. Supp. 2d 1035, 1045-46 (E.D. Cal. 2009) (concluding that defendant’s alleged violation of internal policy provides basis for unfairness claim).
Precision in Privacy Promises
These risks are a good reminder that it is critical not just to have the CCPA-required disclosures in privacy statements and communications in response to consumer rights requests, but also to be vigilant and precise about the descriptions of privacy practices and how the company is honoring the rights requests. In the end, a company’s statements about its CCPA compliance could end up triggering potential exposure far greater than anything available under the CCPA itself.