CCPA’s cure provision can provide companies relief from class treatment

The California Consumer Privacy Act takes effect on Jan. 1, 2020, and applies to all companies that conduct business in California. Much has been written about the CCPA's substantive requirements and the many pending bills aimed at correcting or modifying those requirements, but very little commentary has addressed the CCPA's novel "cure" provision.

Like other California statutes, the CCPA will give defendants time to remedy the effects of a breach before an affected consumer can sue. If the cure is effective, that consumer can only pursue actual damages, not statutory damages.

Unlike similar statutes, however, the CCPA's cure provision prevents the consumer from bringing a class action for those statutory damages. See Cal. Civ. Code Section 1798.150(b). Because the CCPA will direct courts to award successful plaintiffs between $100 and $750 "per consumer per incident," relief from class treatment will be an attractive goal.

The CCPA's private right of action applies only to "unauthorized access and exfiltration, theft or disclosure" -- however, if it is enacted into law, Senate Bill 561 would expand the scope to all violations of the CCPA. A defendant is liable only if it violates a duty to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information" in the company's possession. The CCPA does not explain or further define this "duty."

The lawsuit proceeds as any other if the plaintiff seeks only actual damages. But, a consumer who seeks the statutory "per consumer per incident damages" must give the defendant 30 days written notice identifying the precise CCPA provisions allegedly violated. The consumer cannot sue until the time period expires.

The law states that individual or classwide action for statutory damages cannot be brought if a business (1) cures the violation within 30 days and (2) notifies the consumer in writing that it has addressed the issue and that there will be no further violations.

This class action bar distinguishes the CCPA from other similar consumer protection laws. For example, the California Consumers Legal Remedies Act requires a 30-day notice and cure period. However, that cure does not prevent the plaintiff from bringing a class action unless the company affirmatively identifies all of the other affected consumers and notifies them that the company will take corrective action upon request, among other procedural hurdles. Also, in most cases, curing an individual's claim under the CLRA does not prevent that person from acting as a representative plaintiff on behalf of a class of other consumers.

The CCPA, however, requires no such complicated or extensive notice. If the cure passes muster, the CCPA directs that "no action for individual statutory damages or class-wide statutory damages may be initiated against the business," Cal. Civ. Code Section 1798.150(b) (emphasis added). In other words, under the CCPA, an individual cure is a class cure. Although other affected consumers may restart the process by following with additional notices, working to cure the individual claims serially may still be worth it, as a series of individual claims may present a smaller burden than a class action.

Unfortunately, the CCPA does not define the term "cure." Judicial interpretations of similar California laws suggest that simply ending the breach, blocking access to hackers or stopping the "exfiltration" of personal information may not be sufficient. Rather, the "ill effects" of the violation will need to be remedied, likely by a payment to make the consumer whole. For example, in Romero v. Dep't Stores Nat'l Bank, the 9th U.S. Circuit Court of Appeals interpreted several California statutes and found that "future compliance is an insufficient 'cure' if the ill effects of a violation have not been or cannot be remedied."

Ultimately, providing a legally adequate cure may prove challenging, particularly before courts have a chance to define standards of adequacy. Adequate cures likely will require companies to demonstrate ongoing compliance with the CCPA. Nevertheless, identifying a cure that a potential CCPA plaintiff will accept as adequate -- or that stands a chance of persuading a court that the claimant is made whole -- seems well worth the effort. The consumer would likely secure a fair resolution, but class counsel is prevented from then using the outsized statutory damages to seek settlements that would be disproportionate to the actual loss caused by a data breach.