Under the CCPA, there is a private right of action that can be triggered where there is a breach of certain categories of unencrypted personal information resulting from a business’s failure to “implement and maintain the reasonable security measures.” A consumer can file a civil action to recover the higher of either: 1) actual damages; or 2) statutory damages between $100 and $750 per consumer per incident. This can add up even for a small data breach. What’s notable here is that by creating a right to statutory damages for each violation, the CCPA makes it much easier than ever before for a consumer to recover damages, because proving actual damages in a data breach can be and has been difficult, if not impossible. Now that California consumers no longer need to prove actual damages, this is all but certain to increase class action litigation.
To mitigate these risks, CCPA-covered businesses need to focus not only on ensuring their terms are enforceable and include class action waivers; they also need to determine what reasonable security measures are specific to their data processing activities, encrypt the types of personal information that are covered under the private right of action, and supervise vendors whose inaction or sloppiness could draw them into a consumer lawsuit. Conversely, vendors should also take note of this risk and expect to see more robust indemnity clauses in agreements.
Looking at recent cases, there are certain ways to increase the chances of the terms being enforceable.
- In order to meet the standards set forth by some courts, ideally you should require users to scroll through the terms, highlight waiver language in a conspicuous font, and/or include a confirmatory button. Again, some may see this as being in tension with business objectives, so you need to balance the risks.
- The language regarding the user’s action (e.g. “By clicking … you agree to …”) should be in a darker color that contrasts with a lighter background, and the font should be of a sufficient size.
- For evidence in any future disputes, businesses should retain and archive records of each version with their associated dates. Save screenshots or videos of how the terms were presented to the user.
- Engineering and legal should ensure as much consistency as possible in the manner of agreement across all platforms.
Businesses should ensure that their attorney has the opportunity to approve changes to user interfaces for user agreements and choices before engineers implement a modification.