As most business leaders know, the most stringent privacy law in the United States—the California Consumer Privacy Act (“CCPA”)—went into effect this year and applies to all companies that do business in the Golden State.  The CCPA’s private right of action gives California residents the right to sue companies when their personal information is subject to unauthorized access, theft, or disclosure stemming from a company’s failure “to implement and maintain reasonable security procedures and practices.”  Because the CCPA creates a right to statutory damages (ranging from $100 to $750 per violation) without the need to prove actual harm, companies should prepare for a deluge of CCPA class actions. 

One critical aspect of such preparation should be to implement a security breach response plan that will promptly and effectively respond to individual consumer notices following an alleged security breach.  Under the “notice and cure” provision of the CCPA, a private plaintiff must provide a company with 30 days’ written notice prior to filing a lawsuit.  “In the event a cure is possible,” a company can avoid “individual statutory damages of class-wide statutory damages” if it “actually cures” the violation within 30 days and provides the consumer with a written statement to that effect.  The notice and cure provision thus provides a promising avenue for companies seeking to sidestep CCPA class actions.  That said, this section is sure to be one of the most hotly contested parts of the CCPA because the term “cure” is undefined by the statute. 

The attorneys at Lewis & Llewellyn are fully prepared to defend our clients’ interests in single plaintiff and putative class actions based on alleged CCPA violations.  Contact us to learn more about the CCPA or our deep experience addressing privacy issues in litigation.