The wave of litigation surrounding data privacy violations began in 2015 with the Telephone Consumer Protection Act (TCPA) and has grown significantly under Illinois' Biometric Information Privacy Act (BIPA). Experts warn that the lawsuits will only continue to grow under the California Consumer Privacy Act (CCPA).
The ability for consumers to sue companies for data breaches under California's looming privacy law is likely to prompt a class action tsunami similar to that seen under the Telephone Consumer Protection Act and, more recently, Illinois' novel biometric privacy law, a pair of privacy attorneys from opposing sides of the bar said Friday. - Law360
This spring, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson introduced Senate Bill 561, which would amend the California Consumer Privacy Act by allowing consumers to bring a private cause of action if their rights are violated. This updates the current CCPA language such that consumers would no longer need to demonstrate unauthorized access and exfiltration, theft, or disclosure of their non-encrypted or non-redacted personal information to bring a private cause of action. The violation of their rights alone would suffice. (Note: this aligns closely with the decision made by the Illinois Supreme Court last month to allow a Biometric Information Privacy Act (BIPA) suit to proceed, despite the fact that no appreciable "harm" could be demonstrated from the violation of BIPA provisions by Six Flags).
If Illinois' BIPA is any indication, businesses subject to the CCPA should be concerned about the introduction of a private cause of action for violations without demonstrated harm. Currently, there are over 200 BIPA suits pending in the state of Illinois related to BIPA violations, and businesses without defensible compliance practices in place are sure to feel the consequences of noncompliance.
"BIPA is a magnet for plaintiff's attorneys, because violations carry statutory penalties of between $1,000 and $5,000. The lawsuits claim that each and every time a member of the class scanned his or her fingerprint, the defendant is liable for another penalty... Over one year, a business with 50 employees who clock in once in the morning, clock in and out over lunch, and clock out to go home, potentially faces up to $50 million in potential damages " - IceMiller LLP
While BIPA penalties range between $1,000 to $5,000 per violation, the CCPA grants the California Attorney General the ability to collect penalties for $2,500-$7,500 for each intentional violation. As it is currently written, the private action penalty range is $100-$750. While this number may seem insignificant, the penalties can quickly add up to a substantial, door-closing fine.
"Routinely in our practice, we'll have a million-record event that will be disclosed, we give the notice as required and it's crickets. A million records often won't draw a class action," Meal said. "[But] that case that today wouldn't draw a class action ... now is a $750 million case overnight. It's insane." - Douglas Meal, Orrick Herrington & Sutcliffe LLP for Law360
Recently, an amendment to Illinois' BIPA, Senate Bill 2134, was proposed aiming to curtail the wave of class action lawsuits by eliminating the private right of action and turning enforcement authority over to the Department of Labor and the Attorney General. The bill, which garnered the support of many businesses, did not report by its March 28th procedural deadline and thus is not expected to see further progress.
While employers welcomed introduction of the legislation, until legislation is actually passed stripping an individual's private right of action, Illinois employers will likely continue to face an onslaught of class action lawsuits filed in Illinois state courts. - Shawn Fabian, SheppardMullin
Schedule a call to learn how Jordan Lawrence is helping companies defensibly address key data privacy & cybersecurity regulations like BIPA and CCPA to minimize risks and limit exposure.