Consumer Privacy Act: Could the Courts Expand the Private Right of Action Under the CCPA?
It has recently been reported that the California Senate failed to pass Senate Bill 561 which would have allowed a broad private right of action to consumers in the event of violation of the California Consumer Privacy Act (“CCPA”). See news report here.
This is a “win” for businesses in the Golden State, although consumer and privacy advocates are disappointed. Expect efforts to continue in the coming years. The CCPA was enacted last year but allowed only a very narrow private right of action. A “private right of action” is the right of an individual to bring a lawsuit in the event of violation. Under the current version of the CCPA, due to take effect in just a few months, the only private right of action is if a business has lax computer and network security and there is a data breach or other loss of data. In those cases, all the affected consumers can each sue individually or as a class. Each affected consumer can seek statutory damages in the minimum amount of $100 up to a maximum of $750. That is “per incident.” The consumers must prove that any data breaches or loss was caused by a San Diego business’ failure have “reasonable security procedures and practices.”
Otherwise, violations of the CCPA are to be handled by lawsuits filed by the California Attorney General’s office. With respect to statutory penalties, the Attorney General can seek a minimum amount of $2,500 per violation and, if the violation of the CCPA was “intentional,” the Attorney General can seek treble damages (up to $7,500 per violation).
As noted, likely, consumer advocates will continue their efforts to have get the State Assembly to expand consumers’ private right of action. In addition, even if amending the statute fails, California courts could imply a private right of action. That is, the absence of an expressly granted private right of action does not preclude the court from finding an implied right of action. Implied private rights of action are common. Under California caselaw, a private right of action may be implied when such a private right of action ” … is necessary to achieve the statute’s policy objectives.” Mabry v. Superior Court, 185 Cal. App. 4th 208 (Cal:. App. 4th Dist. 2010). One of the factors considered is whether there is a comprehensive administrative means of enforcement of a statute. A California court could determine that allowing the Attorney General to file suit does not meet that standard since the enforcement is not “comprehensive.” Another approach used by California courts looks to whether a private remedy is “appropriate” to further the “purpose of the legislation” and is “needed to assure the effectiveness of the provision.” See Middlesex Ins. Co. v. Mann, 124 Cal.App.3d 558 (Cal. App. 4th Dist. 1981). In the last couple of decades, California courts have been very “pro-consumer” and it is not unreasonable to think that the courts could hold that the CCPA has an implied broad private right of action. You can be sure that privacy and consumer aligned attorneys will be making the arguments.
Call San Diego Corporate Law Today
For more information, call corporate attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard’s law practice is focused on business, transactional, and corporate matters and he proudly provides legal services to business owners in San Diego and the surrounding communities. Call Mr. Leonard at (858) 483-9200 or contact him via email. Like us on Facebook.