The CPRA’s effect on the CCPA’s Private Right of Action

Cyrus Borhani
The Privacy Digest
Jul 31, 2020

The California Consumer Privacy Act (CCPA) has only been enforced since July 1, 2020. Despite this young law, there is a potential supplemental framework that may be enacted later this year. The California Privacy Rights Act (CPRA) is poised to radically change the dynamics of the CCPA and will likely further strengthen it. Given the likelihood that voters will approve the ballot initiative in November, companies should be prepared to weigh the potential elevated risks regarding the private right of action. It is useful to look at the relevant CCPA and CPRA provisions. The CPRA amendments are bolded within the relevant CCPA provisions.

CCPA and CPRA

1798.150: (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, **or whose email address in combination with a password or security question and answer that would permit access to the account,** is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

1798.150(b): Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. **The implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.** No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.

One of the more noteworthy provisions of the CCPA was the introduction of a private right of action. This right is triggered when a consumer suffers damages as a result of a data breach. However, it is limited to cases where a business failed to “implement and maintain reasonable security practices.” The ambiguity of the provision is apparent here, as there is little guidance on what “reasonable security practices” means. Industry experts have pointed to the Attorney General’s 2016 California Data Breach Report, which identifies 20 cybersecurity measures that could be used to define “reasonable security practices.” However, this has yet to be clarified.[1]

During the first five months following January 1, 2020 (the CCPA’s effective date), multiple lawsuits were filed as a result of data breaches. On its face, the CPRA seems to raise the risk even further by adding “email address in combination with a password or security question” to the triggering mechanism for the private right of action. While this could be the case, the law could still leave room for a valid defense against credential stuffing. Credential stuffing is a relatively simple attack in which email addresses and passwords exposed in an earlier breach are replayed, through automated means, against the login pages of other digital services. It is effective because people often reuse the same username and password across multiple accounts.

However, companies whose accounts were accessed using reused emails and passwords will argue that their own systems were not compromised and that they therefore maintained “reasonable security practices” before the attack. This stands in contrast to the CPRA effectively stripping away another line of defense: it bars companies from arguing that they cured the data breach by implementing “reasonable security procedures” after the fact. A data breach that is not the result of credential stuffing could place a company in the difficult position of arguing that it had “reasonable security practices” in place before, and despite, the breach.

The consequences of both the CCPA and the subsequent CPRA still need to be fleshed out. Companies subject to these laws will need to be aware of the potential heightened risks.

[1] https://www.cisecurity.org/controls/cis-controls-list/


Cyrus is an attorney with a strong interest in the nexus between technology, the law, and privacy