In this episode of OnAir with Akin, cybersecurity, privacy & data protection practice co-head Michelle Reed and counsel Molly Whitman and Lauren York discuss the newly published third edition of the firm's annual CCPA Litigation and Enforcement Report, which, through analysis of hundreds of cases, provides readers with a clear view of the landscape in this fourth year of the California Consumer Privacy Act.
Among the topics covered:
- 2022 CCPA litigation overview.
- Key statistics and trends from the report.
- Industries hardest hit by CCPA lawsuits.
- Important takeaways for businesses in California.
Transcript:
Jose Garriga: Hello, and welcome to OnAir with Akin. I'm your host, Jose Garriga.
Longtime listeners will know that this time of year sees the publication of the firm's annual California Consumer Privacy Act, or CCPA, report.
And, in fact, I'm talking today with three of the Akin lawyers behind the newly released 2022 CCPA Litigation and Enforcement Report, which analyzes litigation and enforcement actions last year brought under the CCPA.
I also have the pleasure of welcoming back all three of my guests today, each of whom has appeared on one or more of our earlier CCPA episodes: Akin cybersecurity, privacy & data protection practice co-head Michelle Reed and counsel Molly Whitman and Lauren York.
They'll be discussing the headline findings from the new report, what they mean for business, and what 2023 looks like for those doing business in California.
Welcome to the podcast.
Michelle, Lauren, Molly, welcome back to the show. This is the third year that you all have produced this outstanding report. Let's dive into what you all learned from what sounds to be very extensive research.
We last sat down to discuss the CCPA in April 2022. So, to start off, Michelle, if you would, could you give listeners just a capsule description of what the CCPA is and then the 30,000-foot view of privacy-related litigation in California in 2022?
Michelle Reed: Sure. Thanks for having us. The California Consumer Privacy Act, known as the CCPA, was passed in 2018 and went into effect on January 1st, 2020, and then shortly thereafter was amended by the California Privacy Rights Act [CPRA], which went into effect in January 1st of this year. What we study in this report is the private right of action, the class action lawsuits that are brought in connection with the CCPA and typically in the event of a data breach.
The high-level view of what we've seen over the past three years is that, while the first year, there was a lot of question over what types of suits were being brought—we saw lots of suits brought for data breach, but then also for other privacy violations of the CCPA—as we've entered the third year of enforcement, it's become very clear that people are suing over data breach, which is exactly what the statute contemplated, and they're suing in spades.
What we've seen since it was enacted is that 320 CCPA claims have been filed in 28 different states across the country, both state and federal courts, under the CCPA private right of action.
More broadly, privacy-related litigation doesn't limit itself just to the CCPA. And, so, this report focuses on the CCPA private right of action and the class actions that stem from that, but there are plenty of other class actions that are being filed in California and across the nation related to privacy. And I think we'll see that on a go forward since the CCPA has so specifically limited the private right of action to enforcement related to data breach.
Alternatively, the California attorney general also has enforcement power over the CCPA, and we saw that the first enforcement action that was announced by the California attorney general was in 2022. And if you read through our report, you'll see some of the attorney general's [Twitter] tweets, and it becomes really clear that there will be one thing that I think we can guarantee in the future: more enforcement actions by the attorney general and continued litigation across the United States related to this landmark act.
Jose Garriga: Thank you. That's very interesting. So, just staying with the idea of statistics, I know there are a lot of interesting facts that you all have been able to pull out of, as I mentioned, this very extensive research. So, from that all, Molly, if you would share with the audience, what's the single most significant statistic that you would want people to know that you discovered in the course of your studies?
Molly Whitman: Well, Jose, this report is chock-full of statistics, and that comes from the collective efforts of so many brilliant people in our firm who spent hours, as you said, analyzing hundreds of cases. So, I'm going to take a little bit of leeway here and talk about a couple of very interesting statistics.
One thing to know is that businesses are required to report breaches that impact the personal information of at least 500 consumers to the California AG. And by "consumers," I mean California resident consumers. And, so, we've now had the benefit of three years of notifications being posted publicly to the AG's website. And one thing that we looked at was the correlation—or to determine if there was a correlation—between where a public notice is made of a breach and then whether there's follow-on litigation. So, for this past year, 2022, we pulled all the AG notices that were available and compared them to our analysis of the CCPA litigation, and we found that 80% or more of CCPA suits had a corresponding breach notice filed with the AG. And we also compared the total number of notices filed with the AG with all of the cases that we located, and we boiled that down into what we determined was about a 15% chance of facing a CCPA-related class action after reporting a breach to the California AG.
I want to take a pause there because I want to say very clearly that this is not meant to dissuade companies from reporting breaches. The CCPA offers a range of statutory penalties per violation, and those penalties are highest where there are intentional violations. And when we're looking at enforcement actions from the agency, the established agency or the AG that have the power to enforce all CCPA provisions, you could be looking at up to a $7,500 fine per violation. So I want to be very clear that just because there is, of course, a correlation between having a public notice of a breach and eventually possibly facing a class action, that doesn't mean that you shouldn't comply with the requirement to notify the AG of that breach.
One more statistic, I think, it's important to point out is we found that more than half of the breaches that resulted in CCPA litigation this past year were breaches that impacted the personal information of 100,000 or more people. And, now, that's people, not necessarily California consumers. And because litigants are often bringing additional claims along with their claims of CCPA violations, they're adding multiple classes to their complaints. They may have a national class, especially where you've got a national retailer and a company that has customers all over the country, for example. So, even though the CCPA technically only protects the privacy interests of California residents, you may end up with seeing litigation where there is a much greater overall population of people who have potentially been damaged or alleging damages, and that will possibly affect potential exposure.
Jose Garriga: Thank you. So, moving beyond statistics a bit, Lauren, if I could ask you to chime in here, what were the big trends this last year in CCPA litigation and in what way did they differ, if they did differ at all, from those in 2021?
Lauren York: Thank you so much for having us back, Jose. Excited to be here to talk about this report. I mean, I think Molly and Michelle have hit on a lot of the major trends that we saw this year. I think the big takeaways here are really that privacy continues to be an incredibly dynamic space where you're seeing a lot of movement. I really think that one of the trends that we're starting to see is that plaintiffs have gotten better, more sophisticated about really hewing to the statutory language of the CCPA itself. So, we're seeing all of these CCPA claims across the country, but what I found kind of shocking this year was that, well, our raw number of claims has gone down quite significantly—I know you asked for trends and not statistics—but I think 50% fewer CCPA suits this year.
But once you control—and we were able to do that, given the vast amount of information that we have as a result of many, many people on the Akin side digging in—is that, yes, that is true, there are fewer raw number of claims brought, but the quality of those claims is so, so much higher, and you're not seeing the kind of mad dash that you saw last year of multiple plaintiffs attorneys bringing multiple suits in different forums around the country. So, it almost all points to the idea that this litigation is getting more sophisticated, more streamlined.
I think another thing that I thought was very interesting compared to last year, TransUnion was a major Supreme Court decision that people have spoken a lot about if you're in the privacy space. So, really, in federal court, there are major implications for Article III standing, and I think we really expected for there to be a very large impact in CCPA claims and privacy claims in general unless plaintiffs could tie their injury back to a breach specifically. So, the concept there is you must have something concrete that happened to you. So, perhaps you can show like, here's the credit card fraud, or here's the time I had to spend sorting through all the notices that I received. And state court doesn't have that kind of stricture based on plaintiffs, so we expected maybe CCPA claims to start going heavily into California courts. And, instead, what we're seeing is 60% of cases this year initiated in federal court and then a third of those in state court removed. So I think it's somewhere around like 75% of CCPA claims are going to touch federal court at some time, which I think changes the landscape in the way that you think about how to handle CCPA litigation, especially on the business side. And it will be interesting to see how that continues to play out.
Jose Garriga: Thank you. Yes, I agree. Michelle, coming back to you, we're talking about hundreds of cases. Were there industries where the CCPA lawsuits tended to land? Which industries were the ones that were hardest hit in terms of these lawsuits?
Michelle Reed: Well, everyone's ears should perk up because there is one standout, which is financial services. Financial services industry was by far the hardest hit for the second year in a row, with 34% of CCPA cases filed in 2022 and just over 35% of the cases filed in 2021. This makes sense from a logical standpoint because financial services are frequently targeted by cyber attacks because they carry the sensitive personal information that's valuable on the black market. They're required to collect and maintain this, and, so, they are often the targets of cyber breaches and attacks.
The trend also, though, demonstrates the effect or, actually, lack thereof, of the exemption under the CCPA for data covered by the Gramm-Leach-Bliley Act. So, to get a little technical, under the CCPA, if you have data that is governed by the Gramm-Leach-Bliley Act, it is a data-based exemption rather than an entity-based exemption. The same is the case for HIPAA [Health Insurance Portability and Accountability Act] for health care. And what you would think is that if you had an exemption for Gramm-Leach-Bliley and for HIPAA, that you wouldn't see financial services companies being subject to this, you wouldn't see the health care companies being subject to this because of those exemptions. But it's actually the opposite of what we see.
The number two in the industry is medical, which is at 13%. So, not quite as much as financial services, but it's pretty clear that those exemptions did not have the impact of resulting in no suits against those companies and those industries. And this is something that is probably related to the type of data that they have, and the frequency with which the financial institutions are targeted by bad actors is also reflected in new regulatory initiatives from the SEC [Securities and Exchange Commission] and the FTC's [Federal Trade Commission] amendments to the safeguard rule.
Now let me pause there and say that doesn't mean that businesses operating in other industries can breathe a sigh of relief because all of the other industries are pretty much represented, and though there's some difference, they're pretty much equal, and it really just depends on who had the bad luck that year to have the data breach. And, so, I don't think if you're not in financial services, you're not in health care, you can say, "Ah, this isn't a problem for me," because it probably is.
And now that the CPRA has expanded the type of personal data that consumers can bring suit over to include email address and password, I wouldn't be surprised if we see more CCPA actions against businesses in other industries that do not collect what we normally would consider the traditional types of data like Social Security number or banking information. And, in fact, we've already seen attempts to bring CCPA claims against businesses that experience very large data breaches impacting millions of consumers, even if the data impacted is mostly limited to email or username and password. In light of these CPRA updates, I would expect that plaintiffs are going to be very active in this space, and we'll see some of these suits have more success.
Jose Garriga: Interesting, thank you. A reminder, listeners, we're here today with Akin partner Michelle Reed, who co-heads the firm's cybersecurity, privacy & data protection practice, and counsel Molly Whitman and Lauren York.
So, Lauren, let me go back over to you. In previous episodes we've discussed the spillover effect of California's privacy legislation to other U.S. states. What are the headline items regarding CCPA's impact last year on state-level and also on federal privacy legislation?
Lauren York: Sure, it's a great question and something to really think about how this is going to change, I think, eventually how business is done in the United States and the approach that you take to privacy. But I think at this stage, we don't have federal privacy litigation, and we have four other states other than California that have comprehensive privacy legislation, but none of those have a private right of action for consumers impacted by a data breach. So, CCPA is really the standout still, leading the way on what privacy rights are going to, I think, begin to look more like in the future. So, those four other states—Virginia, Colorado, Utah, Connecticut—have more in common in many ways with each other than they do with the CCPA.
Even beyond just the private right of action and their lack thereof, the state laws have exemptions for employee data and business-to-business data. So, those are a distinct issue for companies that are looking to do what's best on the privacy front. And California is still the leader, I think, in the privacy space and especially since there hasn't been anything at the federal level that's harmonizing all these statutes. I think it's worth mentioning, I think we're at about 19 states that have active comprehensive privacy bills right now in 2023. So, we might see other states start to join California in the private right of action trend, but, as of right now, still uncertain as to how that all shakes out and if we ever do see something on a federal level that connects all those disparate frameworks for dealing with privacy.
Jose Garriga: Thank you. So, listeners will have inferred from what I said in my intro that I've had the pleasure of having this conversation or similar ones over the years on the topic of the CCPA, and, in fact, this is our fourth episode. And, so, Molly, looking at the implementation of the CCPA in practice today, how has that differed from, or jibed with, your initial sense of how this legislation was going to go?
Molly Whitman: I want to jump off of what Lauren was discussing with the fact that the CCPA really does stand apart in a lot of ways. We saw back in 2018 when the Californians for Consumer Privacy group led by Alastair Mactaggart sponsored the initial bill for the CCPA, that they meant business. They made it very clear that the CCPA was intended to be what I believe they called the strongest consumer privacy law ever enacted in the United States, and they also sponsored the amendment, the CPRA, and we've seen that come to fruition. In many ways, it certainly is the strongest consumer privacy law ever enacted in the United States.
So, when we're talking about implementation, it does correspond with what we anticipated, which was that this law needs to be taken seriously, and from the most recent CPRA amendments, it's only getting more stringent. Especially because the CPRA established the agency arm that is able to focus solely on enforcing the CCPA, there is a lot more attention being paid to consumer privacy rights in California than arguably anywhere else in the country.
One development that we are very interested in, and our clients are very interested in, following is how courts are going to handle the "reasonable security procedures and practices" prong of the private right of action. So, consumers can bring a private right of action where they have suffered a loss to a data breach, but the statute also says that that data breach has to be as a result of the business' failure to implement reasonable security procedures and practices. And we haven't gotten a ton of guidance yet as to what reasonable security procedures and practices actually look like, especially because the threat landscape is evolving constantly, technology is evolving constantly. And, so, we suspect that the agency and the AG will be very involved in shaping what is considered to be a reasonable security procedure and practice over time.
We've also seen that play out in the recent regulations proposed by the agency, which we expect to be finalized very soon. I believe they're currently with the OAL [California Office of Administrative Law] for final approval before they will be released. Those regulations include discussion of cyber audits and say that the agency can conduct cyber audits even unannounced. And as of now, those regulations don't actually define what a cyber audit is. So, at least for me, I have a lot of questions as to, are the cyber audits that the agency may be conducting going to set a standard for these security procedures and practices? Will the agency be looking to validate a business' security measures when they're performing these audits? How frequent will audits be? There are a lot of questions that everyone is going to have, and I know we here at Akin are going to be monitoring this and many more issues over the course of the next year.
Jose Garriga: That's interesting. Thank you. Michelle, then, just to wrap up, you all have shared some terrific information here. What would be the takeaways be, the big takeaways, that you would offer listeners who are doing business in California?
Michelle Reed: First, get your arms around information governance. Data minimization is a concept that was introduced by the CPRA. And although the private right of action that we go over in this report doesn't allow, necessarily, enforceability of data minimization, if you have a data breach, and you have not minimized your data, you now, thanks to the CPRA's revisions regarding data minimization, are much more likely to face a longer lawsuit in connection with the CCPA. And, so, make sure you have an arm around what data you have, how you use it, how you process it, how you store it, who you share it with. Those things are very important, and making sure that you're not overretaining, that you're really organizing it specific to its purpose, that is a critical aspect of this.
Number two, I think what Molly talked about before about reasonable security—make sure you have reasonable security in place, however it's defined, and that you're really staying up to date on the various security issues.
And then third, and we highlight this towards the end, there will be enforcement from the California attorney general. In 2022, as I mentioned before, we saw the first public enforcement action from the California attorney general on CCPA, and we expect that we'll have many other ones. But the California attorney general has announced and provided statistics on the many, many different investigations that it has had on CCPA alleged violations. And they go from everything from a noncompliant privacy policy to an improper charging of fees for CCPA requests to a noncompliant authorization verification method. I mean, all sorts of very specific things that are governed by the CCPA and its implementing regulations. It is critical to have an eye on security and an eye on privacy because, as we've seen, hundreds of suits that have been filed over the last several years—the plaintiffs aren't giving up, and neither is the attorney general. And, so, vigilance is required for every California business.
Jose Garriga: Thank you. That's a good point. Listeners, you've been listening to Michelle Reed, who co-heads Akin's cybersecurity, privacy & data protection practice, and counsel Molly Whitman and Lauren York. Thank you all for making the time to share your views and insights into this terrific new edition of the annual CCPA report.
And thank you, listeners, as always, for your time and attention. Please make sure to subscribe to OnAir with Akin at your favorite podcast provider to ensure you do not miss an episode. We're on, among others, iTunes, YouTube, and Spotify.
To learn more about Akin and the firm's work in, and thinking on, cybersecurity, privacy and data protection matters, search for "cybersecurity" on akingump.com; take a moment to read Michelle, Molly and Lauren's bios on the site; visit our Akin Data Dive blog for insights and analysis on all matters related to cybersecurity and privacy; and, finally and closest to the theme of this episode, visit our LinkedIn page or akingump.com to get your own copy of the 2022 CCPA Litigation and Enforcement Report.
Until next time.
OnAir with Akin is presented by Akin and cannot be copied or rebroadcast without consent. The information provided is intended for a general audience and is not legal advice or a substitute for the advice of competent counsel. Prior results do not guarantee a similar outcome. The content reflects personal views and opinions of the participants. No attorney-client relationship is being created by this podcast, and all rights are reserved.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
