Privacy Regulations: The New Litigation Battleground
The California Consumer Privacy Act (CCPA) and California Data Breach Law (Civil Code Section 1798.82) didn’t start the fire, but they are certainly leading the way. However, California is not alone. Nevada and Maine have enacted their own laws, which differ quite a bit from California's approach, plus at least 10 more states have privacy laws in motion, signifying a patchwork of different privacy standards and igniting a sea change for corporate counsel.
While California’s Data Breach Law always included a private right of action (§1798.84(b)), the CCPA ups the ante in providing consumers another avenue to file a private right of action with the added threat of statutory damages (thereby potentially easing the requirement to show damages). These statutes (along with unfair competition claims under Business and Professions Code 17200) may encourage the plaintiff’s bar to file more class action complaints – particularly if the consumer’s personal information is disclosed as a result of a business’ failure to implement reasonable security measures.
Savvy plaintiffs’ attorneys will no doubt exploit companies’ weaknesses and spark a wave of litigation, sweeping up companies that were never before targets of any sort of class action. GCs must take the lead to ensure effective compliance, mitigate liabilities, and protect their companies.