California Consumer Privacy Act (CCPA) – Potential consumer litigation risk
Consumers can claim statutory damages for repeat breaches of unencrypted personal data.
A U.S. law firm has noted that consumers who file lawsuits for data breaches resulting from security negligence must give 30 days’ notice of their intentions. This rule applies to data breaches that occur as a result of failure to implement ‘reasonable security procedures’.
If the violation is rectified within the 30 days, written correspondence must be sent to the complainant stating that no further violations will occur. However, any further violations can make businesses liable for statutory damages.
American consumers can bring legal action if their unencrypted personal data is breached as a result of:
failure of a business to implement and maintain ‘reasonable security procedures’, provided that
the consumer gives 30 days’ written notice before filing, to allow the business time to resolve the violation.
If the violation is successfully resolved, the business must inform the consumer of the resolution in a written statement. They must also state that no further violations will occur.
If the security violation recurs, the consumer can take action to enforce the statement. They may claim statutory damages for each breach that post-dates the written statement, and any other subsequent CCPA violations.
The amount recoverable is either actual damages or statutory damages of between $100 and $750 per incident, whichever is greater.
Consumer Litigation Risk | Potential damages
In a post titled ‘California Consumer Privacy Act: The Challenge Ahead’, law firm Hogan Lovells states:
In assessing the amount of statutory damages, courts shall consider any one or more relevant circumstances including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of misconduct, the length of time over which the misconduct occurred, the wilfulness of the misconduct, and the defendant’s assets, liabilities, and net worth. Consumers also may seek injunctive or declaratory relief, or any other relief the court deems proper for such violations.
Important: This article does not constitute legal advice. We recommend that appropriate legal advice should be taken from a qualified solicitor before taking or refraining from taking any action.
Sources and credits: Hogan Lovells – Chronicle of Data Protection, ‘Consumer Litigation and the CCPA – What to expect’ – by Vassi Iliadis and Michael Maddigan.