The California Consumer Protection Act (CCPA), which officially went into effect on January 1, 2020, echoes the legislative sentiments of the General Data Protection Regulation (GDPR), a sweeping privacy regulation designed to protect the personal data of European Union residents stored in corporate electronic files. In a similar vein, the CCPA now empowers California’s Attorney General to defend Californians from predatory business or political interests profiteering from trading in consumer data.
Companies Face a New Peril
Initially, California corporations worried about how to comply with CCPA regulations. While many businesses are still grappling with the compliance issue, some now fret that consumers will seek restitution if they suspect a business has not responsibly stored, kept, used, or shared consumer information.
Consumers who feel that a business has not followed the rules of the recent privacy law can now sue far more successfully. The new legislation gives customers the legal right to know what information corporations are collecting about them, and aggrieved customers can also prompt class action lawsuits against companies for selling personal information for profit or sharing it to secure business advantages.
Why Businesses Fear an Increase in Class Action Lawsuits
Data breach class action lawsuits could escalate because the CCPA has significant provisions for a plethora of statutory damages.
Here are three examples of how much easier the CCPA has made it for plaintiffs to claim relief after a data breach:
Plaintiffs don’t have to prove that they incurred an injury after a data breach to file their claims.
Even a relatively minor data breach penalizes a company, fining it $100 for every person affected by it. So a breach that only affects 10,000 people could set a small company back a million dollars.
Plaintiffs can ask for damages even when these damages are difficult to quantify. This deflates arguments that defendants previously used that ambiguous damages did not qualify for class actions.
How Corporations Can Reduce the Risk of Litigation
Rather than feeling victimized by the California Consumer Protection Act, the best defense companies can make is to reduce their risk of litigation.
Here are four strategies companies can use to protect themselves now that the CCPA has changed the rules of courtroom engagement.
1. Encrypt Sensitive Information
Customers can’t accuse a company of failing to safeguard their information if that firm encrypts its consumer data.
If a company has a data breach, customers cannot make a CCPA claim if the company has encrypted all sensitive personal information.
Encryption is a viable solution, but it’s a controversial one because of industry debates between technologists and law enforcement officials on what should and what should not be encrypted.
2. Create Terms and Conditions
It’s not enough for a company to create terms and conditions. They must also clearly present these terms and conditions to customers and ask them to consent to sharing their personal information before the company can do business with them.
Although an elegant strategy, asking customers to sign off on the fact that they have read and agreed to the terms and conditions of doing business with a company is a sophisticated bluff. It’s a bluff because it might not stand up in court. Consider it more of a deterrent strategy than a foolproof way to evade class actions, because section 1798.192 of the California Consumer Privacy Act of 2018 has a provision that prohibits the use of class action waivers.
3. Research Reasonable Security Procedures
The CCPA does not clearly define minimum reasonable security procedures. Still, if a company can show that it has abided by industry norms to protect personal information, customers cannot accuse the business of not safeguarding consumer data.
While not an irrefutable method of data protection, striving to implement security procedures provides an adequate line of defense during litigation.
Corporations should base their security procedures on the advice of in-house cybersecurity personnel as well as third-party cybersecurity professionals. This abundance of caution in seeking out internal and external expertise will establish that a company took reasonable steps to decide on the best technological system available to protect personal information.
4. Buy Cyber Insurance
While having cyber insurance does not prevent class action lawsuits, it reduces the financial damages for which companies could be accountable.
Cyber insurance will cover the liability of a business if customers' information is stolen in a data breach. It offers financial protection if hackers steal health records, account numbers, driver’s license numbers, credit or debit card numbers, or Social Security numbers. However, before buying cyber insurance, a business must ensure that the insurance policy aligns with CCPA consumer protection guidelines.
In the final analysis, a company should take proactive steps to reduce its exposure to potential class action lawsuits based on violating the regulations of the CCPA. While it may not be practical to implement all four suggested strategies, even implementing one shows that a company has acted in good faith to protect customer information.