October 24, 2020

Volume X, Number 298


October 23, 2020

Subscribe to Latest Legal News and Analysis

October 22, 2020

Subscribe to Latest Legal News and Analysis

October 21, 2020

Subscribe to Latest Legal News and Analysis

Will the CCPA be the New TCPA for Plaintiffs?

Last year, the California legislature enacted the California Consumer Privacy Act (the “CCPA”), which imposes key data privacy requirements on businesses collecting or storing data about California residents.  The CCPA provides for civil penalties imposed by the California Attorney General (“AG”) and creates a private right of action for those residents impacted by a data breach.  While the CCPA does not go into effect until January 1, 2020, businesses that will likely be subject to the new law have been busy evaluating compliance measures, as the window between enactment and implementation is quickly closing.

Almost 30 years ago, the federal Telephone Consumer Protection Act (the “TCPA”) was likewise implemented to protect consumers when enacted in 1991, but the law was focused on public concern with telemarketing communications at the time.  The amount of litigation, and the number of class actions, under the TCPA has grown exponentially since then, with the U.S. Chamber Institute for Legal Reform reporting a 1,272% increase in TCPA lawsuits from 2010 to 2016.

Now, with increased public focus on data privacy, both the defense and plaintiffs’ bars are preparing for an expected shift to data privacy litigation.  The common consensus is that the CCPA, as the new kid on the block, is likely to create a wave of litigation and class actions, similar to the TCPA.

The current version of the CCPA provides a private cause of action only when a consumer’s “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”  One safe harbor is that a consumer seeking only statutory damages must provide a business with 30 days’ written notice of alleged non-compliance, giving the business about a month to cure the violation if possible, before a consumer can bring a claim for individual or class action damages.  The same safe harbor does not apply for those consumers seeking actual pecuniary damages, however.

The California legislature has considered proposed amendments to the CCPA attempting to expand the scope of a private claim under the statute even before January’s effective date.  In particular, the amendments proposed in SB 561 would have created a private right of action for any consumers whose rights were violated under any provision of the CCPA, essentially allowing private litigation for any breach of the statute.  The California AG expressed support for the bill, which also proposed removing a 30-day cure period for the AG’s enforcement and affording the AG the opportunity to publish guidance materials for compliance.  The bill was set for hearing May 17, 2019, but the Senate Appropriations committee chose to hold the bill—meaning the bill will not pass through the Senate this session.  Still, it may not be the last that we hear of SB 561 and other amendments intended to expand the scope of private claims under the CCPA.

Indeed, another pending data privacy bill, AB 1130, was introduced in February and recently amended May 16, 2019.  AB 1130 proposes expanding the types of data sets that give rise to data breach litigation to include, inter alia, biometric data and additional identification documents such as passport number and tax identification number.  Though the bill seeks to directly amend California Civil Code § 1798.81.5, the data covered in that statute, which predates the CCPA, serves as a guide for the data breaches that trigger a right to a private cause of action under the CCPA.

In its current form, there are several common threads underlying the CCPA and the TCPA that will motivate the plaintiffs’ bar to expand its interest from existing consumer protection laws to more nascent data privacy statutes like the CCPA—the first of its kind in the nation.

First, neither the CCPA nor the TCPA caps total damages, and both allow for statutory damages per incident or per violation.  The CCPA providers for consumers to recover the greater of either actual damages or statutory damages of between $100 and $750 per consumer per incident.  The TCPA similarly allows for plaintiffs to elect to recover the greater of either actual damages or statutory damages of $500 per violation, with a chance for treble damages up to $1,500 per violation.  See 47 U.S.C. §§ 227(b)(3), (c)(5).  The opportunity for uncapped statutory damages of hundreds of dollars not just per-plaintiff but per-violation made the TCPA a popular vehicle for class action litigation—and is likely to create the same buzz for plaintiffs and class actions under the CCPA.  While data breach litigation has continued to percolate through the courts for several years, the statutory damages provision of the CCPA makes the statute a game-changer in the privacy realm because it does not require actual injury.  Other privacy statutes, particularly California’s Confidentiality of Medical Information Act, California Civil Code § 56 et seq., and Illinois’s Biometric Information Privacy Act, 740 ILCS/14, also sparked waves of litigation following their enactments, largely because they allow private claims for statutory damages based on a mere violation—without requiring proof of actual harm or actual damages.

Second, there is ambiguity in the requirements of both the CCPA and the TCPA, which gives plaintiffs leeway to test the limits of potential liability.  For instance, the current version of the CCPA allows a private right of action for a business’s failure to maintain “reasonable security procedures and practices appropriate to the nature of the information.”  But the statute does not define what is “reasonable,” and the mention of measures based on “the nature of the information” suggests that determining reasonableness will involve fact-specific inquiries and will require investigation into the types of information a business maintains and that business’s particular practices.  The California AG’s Data Breach Report dated February 2016identified the Center for Information Security’s Critical Security Controls (formerly known as the SANS Top 20) as the standard for what is deemed “reasonable” for security procedures and practices.  But without a clear standard stated in the statute, the threat of litigation under the CCPA could be costly for a business, with the question of reasonableness potentially requiring litigation to proceed beyond early dispositive motions and into the discovery phase.

Plaintiffs have similarly used ambiguities in undefined terms in the TCPA to spur litigation and to generate favorable settlements and judgments.  The D.C. Circuit’s decision in ACA International v. FCC, 885 F.3d 687 (D.C. Cir. 2018), was a culmination of parties’ uncertainty as to terms controlling liability under the TCPA, including what qualifies as an “automatic telephone dialing system” and who is deemed the “called party” that must provide prior express consent to calls.  There have been splits across courts for years on these thresholds issues, even after ACA International.  The undefined terms in the CCPA will similarly lend themselves to judicial interpretation, leaving plaintiffs free to make creative arguments and requiring courts to define statutory terms as new cases arise.

The countdown to the effective date of the CCPA is on.  Given the similarities between the TCPA and the CCPA, companies would be wise to study the rise of TCPA class actions and successful defense tactics as an instructive harbinger before the enactment of the CCPA.  Though some issues will be unique to the CCPA’s restrictions and requirements, plaintiffs will have similar motivation in bringing CCPA lawsuits, and plaintiffs’ tactics in initiating these suits will likely follow a framework similar to early TCPA litigation.

© Copyright 2020 Squire Patton Boggs (US) LLPNational Law Review, Volume IX, Number 148



About this Author

Petrina McDaniel Commercial Litigation Attorney Squire Patton Boggs Atlanta, GA

Petrina McDaniel is a commercial litigator and Certified Information Privacy Professional (CIPP/US) whose practice uniquely blends complex litigation and class action defense, regulatory compliance, and privacy risk management. Business-focused and pragmatic, clients laud Petrina as an “extremely energetic and engaged advocate” who provides “legally comprehensive and business-oriented advice.”

Complex Commercial Litigation and Class Action Defense

A member of the firm’s Litigation and Data Privacy & Cybersecurity Practices, Petrina helps domestic and...

Elliot Golding Privacy and Cybersecurity Attorney Squire Patton Boggs

Elliot Golding (CIPP/US) is a member of our Data Privacy & Cybersecurity Practice and Healthcare Industry Group leadership team, where he provides business-oriented privacy and cybersecurity advice to a wide range of clients, with a particular focus on companies handling healthcare and other personal data. He has been selected as an honoree in Global Data Review’s inaugural 40 Under 40 list, representing the best of the data law bar around the world.

Elliot partners with clients to proactively manage risk by developing and implementing information governance programs, drafting privacy and security policies, preparing and testing data breach response plans, and negotiating complex data agreements. He not only counsels clients about what the law currently requires, but also provides industry context and forward-looking advice that takes into account trends and best practices in developing areas, such as the Internet of Things and complying with the California Consumer Privacy Act. In particular, Elliot helps clients understand how personal information may be used and disclosed to support business needs so that companies can stay competitive and compliant in a rapidly evolving environment.

Elliot has also managed hundreds of breach response matters for companies through all aspects of investigation, notification, remediation and engagement with regulators (including federal regulators such as the Office of Civil Rights [OCR] and State Attorneys General). Elliot has defended clients in litigation by State Attorneys General under state security breach notification laws and the Health Insurance Portability and Accountability Act (HIPAA) and has helped clients successfully avoid enforcement actions altogether by working directly with regulators during investigations.

Elliot's practice covers a wide range of laws, regulations, industry standards and best practices, such as HIPAA and HITECH; the California Consumer Privacy Act; 42 CFR Part 2 (Federal Confidentiality of Substance Use Disorder Patient Records); Federal Trade Commission (FTC) Act and FTC guidance; state laws and guidance governing privacy, security and breach notification (such as the California Shine the Light law, Lanterman-Petris-Short Act, Confidentiality of Medical Information Act, CalOPPA, and state laws governing sensitive health information); Telephone Consumer Protection Act (TCPA); CAN-SPAM; Gramm-Leach-Bliley Act (GLBA); Children's Online Privacy Protection Act (COPPA); NIST Security Standards; and Payment Card Industry Data Security Standards (PCI-DSS).

Elliot has several appointments in the American Bar Association’s Science & Technology Law Section, including serving as the co-chair of the E-Privacy Law Committee, co-chair of the Privacy, Security and Emerging Technology Division, vice-chair of the Biotechnology, Healthcare Technology, and Medical Device Committee, and a Council Member. He also serves as a member of the Bloomberg BNA Health Care Innovations Board, is a frequent speaker and writer of thought leadership pieces, and is a Certified Information Privacy Professional (CIPP/US).

Keshia Lipscomb, Squire Patton Law Firm, Atlanta, Litigation Attorney

Keshia Lipscomb is a member of the firm’s Litigation Practice. She focuses her practice on complex commercial litigation and has a wide range of experience defending clients in state and federal courts at the trial and appellate levels. Keshia has experience representing companies across various industries in class action litigation and in lawsuits arising from general business disputes.