Big Changes to California Consumer Privacy Laws on Fall Ballot as Enforcement and Class Action Litigation Heats Up
The California Secretary of State Alex Padilla recently announced that the California Privacy Rights Act (CPRA) will appear on the upcoming November 3, 2020 ballot. Nicknamed the “CCPA 2.0,” the CPRA would amend the California Consumer Privacy Act and impose more stringent requirements on employers when it comes to consumer/employee privacy. These changes include establishing the “California Privacy Protection Agency” tasked with enforcing the CCPA through administrative actions, issuing privacy regulations, auditing businesses' compliance with the CCPA, and imposing administrative fines. While the proposed amendments do not yet include a Private Attorneys General Act (PAGA) provision allowing private plaintiffs to pursue civil penalties on behalf of the state for CCPA violations, such a provision may be on the horizon. The California legislature originally passed PAGA because the labor enforcement agencies could not keep up with the growing number of complaints of Labor Code violations in the workplace. With the rapid digitalization of information, growth of companies, and collection of personal information, the proposed California Privacy Protection Agency may simply become an administrative step for private plaintiffs to hurdle before pursuing litigation to claim penalties and attorneys’ fees.
The CPRA would further expand the scope of protection under the CCPA to include “sensitive personal information” such as geolocation; race; ethnicity; religion; genetic data; union membership; private communications; and certain sexual orientation, health, and biometric information. It would also specifically forbid “[r]etaliating against an employee, applicant for employment, or independent contractor” for exercising their “opt-out” or other CCPA rights. Click here for the proposed amendments.
Alastair MacTaggart, Board Chair and Founder of Californians for Consumer Privacy, filed the initiative for the CPRA to appear on the November 2020 ballot. Californians for Consumer Privacy collected 931,000 signatures to qualify for the ballot, which needs a simple majority vote to become law. According to Californians for Consumer Privacy, a recent poll from Goodwin/Simon found that 72% of voters in their study will vote in favor of the initiative. Multiple organizations oppose the initiative including the ACLU of California, ACLU of Northern California, California Alliance for Retired Americans, Color of Change, Consumer Federation of California, Counsel on Islamic American Relations – California, and Media Alliance. Despite the organizational opposition, the prevalent news of data breaches and the concern over personal data will likely lead to the initiative passing in November.
If successful at the ballot-box, employers will have two years to prepare as it does not take effect until January 1, 2023. There is a silver lining in that the proposed amendments extend exemptions from CCPA obligations for employee and business-to-business communications to this date. Employers will need to comply with notice and data security provisions of the CCPA, but the other provisions will not be enforceable until 2023.
And as many business have learned, on July 1, 2020, the California Attorney General’s office turned its sites on enforcement of the CCPA providing an online means for consumers to submit complaints and sending out a barrage of notice letters to companies that it believed were in violation of the CCPA that started the clock on a 30 day response and cure period.
In addition new class action litigation is testing the CCPA in California’s state and federal courts. On March 30, 2020, Cullen v. Zoom Video Communications, Inc., 2020 WL 1561732 (N.D. Cal. 2020) was filed alleging that Zoom collects personal information of its users and discloses it to third parties including Facebook, Inc. without proper notice. On June 11, 2020, Atkinson v. Minted, Inc. 2020 WL 3254373 (N.D. Cal. 2020), Minted is targeted for responsibility due to a hack that resulted in the attempted sale of 5 million customer records including names, email addresses, passwords, addresses, and telephone numbers. And, on July 10, 2020, Gardiner v. Walmart, Inc. 2020 WL 3956295 (N.D. Cal 2020) alleged that Walmart is responsible for a hacker that stole millions of accounts, including customers’ names and addresses and sold them on the web. And, in State Court on May 26, 2020, a complaint alleges that Epiq Systems is responsible after it was hit by a ransomware attack that resulted in the theft of personal information. Karter v. Epiq Systems, Inc., 2020 WL 3577517 (Cal. Super. 2020).
These recently filed cases all allege that the companies violated either the notice or data security provisions of the CCPA. Cal. Civ. Code §§ 1798.100, 1798.150. While these lawsuits were brought on behalf of consumers, employees will likely be filing these types of lawsuits soon against their employers for such violations. The damages sought in these lawsuits range from $5 million dollars to $5 billion dollars, plus attorneys’ fees, which are expected to be substantial. As you know from our previous blog posts, the CCPA requires employers to comply with its notice and data security provisions, and the California Attorney General will be enforcing such actions as of July 1, 2020. If you qualify as a covered business under the CCPA, you should be implementing compliant policies immediately.