As privacy and personal data issues continue to be a focus of both legal action and media coverage, privacy policy statements are getting dusted off and reviewed by more eyes. Imprecise or inaccurate policy statements can themselves expose a company to potential liability. While most of the recent California Consumer Privacy Act (“CCPA”) attention has focused on the significant operational requirements, data flow classifications, future attorney general enforcement, and the limited private right of action for data breaches, perhaps the largest near-term CCPA risk issue will be how the law overlaps with other California consumer protection statutes, and litigation efforts focusing on alleged inaccuracy or deception based on the public statements companies make about their privacy practices.

CCPA’s Limited Private Right of Action

The Attorney General’s Office was granted wide discretion and enforcement powers to impose fines of up to $2,500 for unintentional violations and up to $7,500 for each intentional violation. Cal. Civ. Code 1798.155. The CCPA, however, provides for only a limited private right of action for individual consumers related to data security breaches. Cal. Civ. Code 1798.150. Plaintiffs can recover actual damages or statutory damages of $100 to $750. A broader potential private right of action was considered and would have permitted individuals to sue for any and all CCPA violations. SB 561. But that amendment failed to pass in May.

Where There’s a Will, There’s a Way?

But anyone expecting that companies will only face privacy-related consumer litigation in the context of a data breach is under-selling the risk. While direct actions under the CCPA may be limited, the requirements of the CCPA may serve as the basis for claims under other consumer protection statutes. And, importantly, the public statements and policies that companies issue will be scrutinized not just for their actual compliance, but for whether companies are fulfilling their own promises. Indeed, nothing prevents individuals from filing putative consumer class action claims alleging false statements, unfair business practices, or misleading conduct by companies in connection with their privacy policies and practices.

What Types of Claims Are Likely to be Filed?

These claims are likely to be brought pursuant to other California consumer protection statutes, such as California’s Unfair Competition Law (Bus. & Prof. Code 17200), False Advertising Law (Bus. & Prof. Code 17500), and Consumer Legal Remedies Act (Civ. Code 1750). For example:

  • Section 17200 prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising.” Put differently, a violation of any other California law, including the CCPA, can serve as the basis for a claim. That is true even where that underlying statute does not, itself, give rise to a private right of action.
  • Similarly, Section 17500 can give rise to a claim based on disseminating untrue or misleading statements concerning the performance of services. That would include statements made concerning the collection, use, handling, storage, dissemination, or destruction of personal information in connection with a business’s activities.
  • Finally, the CLRA prohibits a broad range of representations and statements concerning a company’s policies, procedures, and services. In addition to actual damages, the statute also permits recovery of punitive damages and attorney’s fees.

Courts have found that violations of internal policies and/or statements concerning those policies provide sufficient foundation for such actions. See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) (plaintiffs’ allegations that they relied on Adobe’s claims that personal data would be protected sufficient to establish UCL standing); Smith v. Chase Mortg. Credit Grp., 653 F. Supp. 2d 1035, 1045-46 (E.D. Cal. 2009) (concluding that defendant’s alleged violation of internal policy provides basis for unfairness claim).

Precision in Privacy Promises

These risks are a good reminder that it is critical not just to have the CCPA-required disclosures in privacy statements and communications in response to consumer rights requests, but also to be vigilant and precise about the descriptions of privacy practices and how the company is honoring the rights requests. In the end, a company’s statements about its CCPA compliance could end up triggering potential exposure far greater than anything available under the CCPA itself.