The lingering COVID-19 pandemic has driven many businesses to reimagine how both their workforce and consumers will interface in the future. For employees, working from home has presented new challenges and opportunities. Time previously spent commuting is saved, while communal areas of the home have been re-purposed into makeshift office space, and the daily wardrobe is dictated by scheduled video-conferences. For consumers, the slow migration away from brick and mortar stores has become a sprint, largely mandated by local health orders closing stores. Even stores that remained “open” have implemented online or remote/physically distanced measures to connect with consumers. Buying groceries, clothing, food for delivery, and even dating and other social interactions have moved almost entirely online. As daily “living” moves online, individual privacy rights have garnered more attention, including from legislators.
California was one of the first states to enact privacy protections for consumers, specifically the California Consumer Privacy Act (CCPA). The CCPA went into effect on Jan. 1, and granted consumers rights in their specific personal information and a private right of action for breaches of defined personal information. Further, on July 1, the California Attorney General began the public enforcement of the privacy rights of Californians. Penalties for violating the CCPA are steep: up to $2,500 per violation or $7,500 per intentional violation. These “per violation” penalties, when considered against the backdrop of websites that receive hundreds, if not thousands, of unique daily users, are a sober reminder of the seriousness of the CCPA. Already, a wave of class actions has been filed in California against many businesses that have become synonymous with the COVID-19 pandemic—and more are coming each week.
The CCPA can apply to any business that collects data from California residents. This is so regardless of the location of the business collecting the personal data of California residents, and thus the CCPA necessarily reaches well outside the physical borders of the Golden State. For California consumers, breaches of “nonencrypted or nonredacted personal information” give rise to statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. The CCPA does not require that the consumer show actual harm from the data breach in order to recover these statutory damages.
Presently, the CCPA applies to a for-profit entity that collects California residents’ personal data and meets at least one of the following: the business annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households, or devices; the business has an annual gross revenue of over $25 million; or the business derives 50% or more of its annual revenue from selling consumer personal information.
While these narrowing terms may bring solace to many businesses conventionally considered a “small business,” keep in mind that the first of the above prongs will most likely be easily met—especially when our COVID world has moved life online. Does your business receive the personal information of 50,000 Californians a year? If so, your website must now post a link on your homepage that says ‘Do Not Sell My Personal Information’ and comply with the requirements under the CCPA of maintaining such information.
While data-breach litigation has become commonplace, the CCPA provides a statutory framework that will expand data breach cases. Several cases are pending across California alleging that websites have failed to maintain reasonable security safeguards, which led to a data breach. Of course, internet security is only as good as the hackers attempting to get around such security, compounded by the reality of so many users routinely engaging in unsafe practices while online.
How courts will interpret reasonable security safeguards, and how juries will perceive the efforts taken (or not taken) by businesses, remains to be seen. Given historical similarities to other California laws, we can expect that judges will allow juries to hear evidence and make decisions on a case-by-case basis. The net result to businesses is likely to be expensive, protracted and uncertain litigation that will invite settlements regardless of the merits of the claims being asserted.
Another rapidly expanding area of litigation stemming from the CCPA deals with its compliance requirements. For example, at least one action has been asserted on the grounds that the website in question failed to give consumers notice of their right to opt out of the sale of their personal information to a third party along with a failure to provide notice of collection and use practices. While the CCPA does not explicitly provide a right of action to consumers for these alleged failures, entrepreneurial attorneys have used the provisions of the CCPA as a foundation from which to craft claims that rely on common law (e.g., breach of implied contract).
The CCPA presented a minefield of challenges before COVID-19. Now, in the post-COVID-19 world, the seismic shift towards an almost complete online existence makes the CCPA that much more challenging for businesses. Many scholars have recommended that businesses operating online in any capacity immediately proceed with engaging an internet security and compliance team. It is difficult to argue against taking such a reasoned approach, but more should be done while the nation continues its social distancing for the foreseeable future. In addition to engaging internet security and compliance teams, businesses must begin carefully evaluating what information their websites capture, how that information is stored, with whom it is shared, and whether that information is truly necessary for business operation. If superfluous data is being collected “simply because,” business owners may want to reconsider whether the exposure to potential liability and disruption caused by litigation is worth the information being collected.
California continues taking the most aggressive approach of the states towards protection of consumer privacy rights online. Given the borderless nature of the internet, businesses operating across the country need to comply with the CCPA. Furthermore, California is moving quickly towards additional legislation that will provide more rights and controls to consumers over their private information. The CCPA is the tip of the spear (for now) and businesses should expect more government regulation and concomitant litigation over their websites and business practices, especially as the COVID-19 pandemic continues and online interactions, by necessity, multiply.
Bradford Hughes is a member in the corporate law and cybersecurity, data protection and privacy, and litigation practices, based in our Los Angeles and San Francisco offices.