California Consumer Privacy Act of 2018

At the end of June, California state legislators passed the California Consumer Privacy Act of 2018. Coming in to effect on January 1st 2020, the act is set to bring in a number of data protection requirements and new consumer rights similar to those enacted by the EU’s General Data Protection Regulation.

However, amid all the noise about the bill’s passing, one crucial area of the act appears to have been given surprisingly little attention – California has established a minimum cash amount that victims of a data breach could expect to receive should they pursue damages.

The act stipulates that for consumers whose unencrypted or unredacted personal information has been subject to unauthorised access, exfiltration, theft or disclosure, as a result of a business’s failure to implement and maintain adequate security standards, will be able to claim damages of $100 as a minimum and $750 as a maximum per incident or actual damages, whichever is greater.

The law will apply to organisations that are run for profit and do business in California and that meets one or more of the following thresholds:

  • Annual gross revenues in excess of $25 million;
  • Annually buy, sell or share the personal information of 50,000 or more consumers, households or devices;
  • Generate 50% or more of annual revenues from the selling of consumers’ personal information.

This particular part of the act marks a change of fundamental importance for a number of reasons. First, it will almost certainly increase the financial exposure that businesses face as a result of a data breach. Now, even a relatively small breach of, say, 1,000 records could result in statutory damages of $100,000-$750,000 being claimed.

Secondly, it is likely to lead to a big uptick in class action cases in general. To date, claimants in data breach class actions have often struggled to demonstrate standing as it can be difficult to prove what, if any, financial harm might be experienced as a consequence of a breach. For smaller breaches, this has meant less impetus on the part of plaintiff attorneys to bring class actions.

But with the law now enshrining minimum statutory damages for certain data breaches and with affected consumers knowing that they might stand to receive up to $750, we could see a proliferation of class action cases when the act comes into force from opportunistic lawyers looking to get involved in lucrative cases. Importantly, this could lead to a surge in class actions resulting from smaller breaches in particular.

Finally, the act sets a precedent. Back in 2003, California was the first state to introduce breach notification laws. Now, just 15 years later, every state in the union has implemented such laws. Could this act mark the beginning of minimum statutory damages being introduced elsewhere? If history is anything to go by, it shouldn’t come as a surprise if similar acts become more widespread.

For more further Information: