This is the fourth installment in Hogan Lovells’ series on the California Consumer Privacy Act
This post discusses litigation exposure that businesses collecting personal information about California consumers should consider in the wake of the California Legislature’s passage of the California Consumer Privacy Act of 2018 (CCPA).
For several years, the plaintiffs’ bar increasingly has relied on statutes like the Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq., and the Customer Records Act, Cal. Civ. Code § 1798.81, et seq., to support individual and classwide actions for purported data security and privacy violations.
The CCPA creates a limited private right of action for suits arising out of data breaches. At the same time, it also precludes individuals from using it as a basis for a private right of action under any other statute. Both features of the law have potentially far-reaching implications and will garner the attention of an already relentless plaintiffs’ bar when it goes into effect January 1, 2020.
Here’s what you need to know:
The CCPA Provides a Limited Private Right of Action for Data Breach Suits
The CCPA allows consumers, under certain circumstances, to bring suits where their nonencrypted or nonredacted personal information has been subjected to unauthorized access, exfiltration, theft, or disclosure as a result of a business’ violation of its duty to implement and maintain reasonable security procedures. Cal. Civ. Code § 1798.150. (Note: “Personal information” for purposes of data breach-related suits is as defined in the California Customer Records Act (Cal. Civ. Code 1798.81.5(d)(1)(A)), which is narrower than the CCPA’s definition. See Cal. Civ. Code § 1798.150(a)(1)).
Under this provision, consumers may seek actual damages or statutory damages between $100 and $750 per incident, whichever is greater. Cal. Civ. Code § 1798.150(a)(1)(A). In assessing the amount of statutory damages, courts shall consider any one or more relevant circumstances including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of misconduct, the length of time over which the misconduct occurred, the willfulness of the misconduct, and the defendant’s assets, liabilities, and net worth. Id. at § 1798.150(a)(2). Consumers also may seek injunctive or declaratory relief, or any other relief the court deems proper for such violations. Id. at § 1798.150(a)(B) & (C).
Before filing suit, however, a consumer must provide 30 days’ written notice to the business and a 30-day opportunity to cure. Cal. Civ. Code § 1798.150(b)(1). If the business cures the noticed violation within that time frame and provides the consumer an “express written statement that the violations have been cured and that no further violations shall occur,” the consumer cannot initiate an action. Id. If, however, the business’s violations continue, the consumer may initiate an action to enforce the express written statement and may pursue statutory damages for each breach of the written statement, as well as any other violation of the statute that postdates the written statement. Id.
The California Legislature recently passed its first amendments to the CCPA, making clear that this private right of action indeed only applies to data breaches. This is a point of contention for California Attorney General Xavier Becerra, who has urged legislators to further amend the law to allow consumers to seek legal remedies for themselves under the other provisions of the CCPA. For now, though, the private right of action is limited. It provides consumers with yet another statutory basis on which to assert claims arising out of data breaches. Moreover, the plaintiffs’ bar likely will try to argue that the CCPA’s statutory damages provision dispenses with their obligation to show actual injury and particularized harm.
Plaintiffs Likely Will Argue the CCPA Provides a Basis for Unfair Competition Law Claims
Other than the limited private right of action described above, the CCPA precludes individuals from using it as a basis for a private right of action under any other statute. See Cal. Civ. Code § 1798.150(c) (“Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”). While this language, on its face, may seem to prevent the CCPA from being used as a legal predicate for claims under consumer protection laws like the Unfair Competition Law (“UCL”), similar language has not deterred the plaintiffs’ bar in the past, and there is no question they will be eager to test its limits here.
A broadly-worded statute, the UCL provides a cause of action for business practices that are unlawful, unfair, or fraudulent. Cal. Bus & Prof. Code § 17200, et seq. The UCL remains a predominant vehicle for plaintiffs to enforce rights afforded by more fulsome regulatory schemes where they have suffered damages as a result of “unlawful” practices. This is because the UCL “borrows” violations of other laws and treats them as independently-actionable unlawful practices. Cel-Tech Commc’ns, Inc. v. Los Angeles Cellular Tel. Co., 20 Cal. 4th 163, 180 (1999).
Generally, plaintiffs are prohibited from using the UCL to plead around an absolute bar to private relief. However, in recent years, we have seen that even statutes that do not expressly provide private rights of action may support claims under the UCL. See, e.g., Rose v. Bank of America, N.A., 57 Cal. 4th 390, 393 (2013) (allowing “unlawful” UCL claim for violations of the federal Truth in Savings Act despite no express private right of action because Congress intended for state laws to hold banks to equivalent standards); see also Zhang v. Super. Ct., 57 Cal. 4th 364, 368 (2013) (holding that the Unfair Insurance Practices Act’s bar against private actions did not prevent UCL claim based on grounds that are independent from the underlying statute even when the purported conduct also happens to violate it). Indeed, courts have reasoned that to forestall an action under the UCL, “another provision must actually ‘bar’ the action or clearly permit the conduct.” Rose, 57 Cal. 4th at 398 (quoting Cel-Tech Commc’ns, Inc., 20 Cal. 4th at 183).
In assessing the viability of future CCPA-based claims under the UCL, courts likely will focus on whether the legislature specifically intended to preclude its private enforcement. Because the CCPA specifically permits private actions based on data breaches, it seems probable the plaintiffs’ bar will assert that it provides an additional basis for UCL claims in data breach cases.
In addition, it remains to be seen whether courts will find the CCPA’s language sufficient to bar private suits based on violations of the law other than data breaches. For example, the Health Insurance Portability and Accountability Act (“HIPAA”) likewise does not provide for a private right of action – and the Department of Health and Human Services and states’ attorneys general are responsible for its enforcement – yet the Ninth Circuit has determined that a HIPAA violation can provide the basis for a UCL action. Webb v. Smart Document Solutions, LLC, 499 F.3d 1078, 1082 (9th Cir. 2007) (applying California law in diversity case and holding that absence of private right of action under HIPAA does not foreclose UCL claim based on HIPAA violation).
Past experience with some other California statutes may provide useful authority for arguing that the language of the CCPA should be read to preclude CCPA-based actions under the UCL. For example, in the seminal case of Moradi-Shalal v. Fireman’s Fund Ins. Cos., the California Supreme Court held that the Unfair Insurance Practices Act, which does not expressly preclude a private right of action, bars claims based on alleged violations of that statute because the California Legislature contemplated only administrative enforcement by the Insurance Commissioner. 46 Cal. 3d at 305, 313 (1988), overturning Royal Globe Ins. Co. v. Super. Ct., 23 Cal. 3d 880 (1979). Similarly, the Federal Trade Commission Act does not expressly prohibit a private right of action, yet it has been interpreted to preclude such actions because its enforcement lies with the Federal Trade Commission. See O’Donnell v. Bank of America, Nat. Ass’n, No. 11-16351, 2013 WL 98554, at *1 (9th Cir. Jan. 9, 2013).
Here, the CCPA’s ultimate enforcement authority is the California Attorney General, and its present language disclaims its use as the basis for a private right of action under any other law. While companies possessing information of California consumers will have legitimate grounds to argue that the CCPA is an improper predicate for an “unlawful” claim under the UCL, it would nonetheless benefit businesses for the Legislature to further refine the provision and make that legislative intent even more express. In addition, the plaintiffs’ bar almost certainly will argue that the CCPA does not preclude consumers from bringing CCPA-based claims under the UCL if they can establish that the practice is unlawful, unfair, or fraudulent independent of the fact that it violates the CCPA. However, if a plaintiff lacks standing to bring a UCL claim in the first instance, nothing in the CCPA as worded would provide an independent basis on which to assert a claim.