
Private Right of Action

What is the CCPA's Private Right Of Action?

The Private Right of Action in CCPA can be defined as a right that allows individuals to sue organizations for data violations even in the case of a third-party breach. It is a highly debated topic in privacy law that is handled differently across the globe. The Private Right of Action is the ultimate enforcer of an organization's commitment to keeping individual data safe, but with such a strong check comes risk.

In this case, the desire to add another avenue for privacy regulation enforcement must be weighed against the danger that a Private Right of Action will be abused by litigators looking for a quick profit. Lawmakers must also grapple with the potential for astronomical fees that could be awarded against a company in class-action data breach lawsuits.

The Private Right of Action in CCPA is partially limited, but still grants the consumer the right to initiate litigation in the event that a business fails to

“implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” (CCPA Section 1798.150(a)(1))

Furthermore, if a company is able to remedy the violation quickly in response to consumer notice, they can't be held liable for statutory damages. A final limitation is that the Private Right of Action only applies to breaches of sensitive data. Other states in the country, such as Connecticut, allow individuals to initiate litigation if they believe any of their personal data was breached. 

Why Is Private Right of Action controversial in Data Privacy law?

Part of the controversy behind the inclusion of the Private Right of Action is the potential cost it poses for businesses. Individuals can recover statutory damages within the range of $100 to $750 per incident per individual. This can add up very quickly, considering that organizations hold personal data on millions and millions of households. Should individuals have the right to initiate a lawsuit if the breached organization maintained reasonable safeguards accepted industry-wide? Privacy advocates and their opponents are currently in a gridlock.

In the United States, privacy advocates are growing frustrated with industry-friendly proposals that remove the Private Right of Action entirely. Privacy advocates argue that one benefit of allowing individuals to engage in searches of personal data breaches is that it will put less strain on the California AG's office. Previously, the AG's office has stated that there is a hard limit on the number of privacy rights cases it can take in a calendar year.

In Europe, under the GDPR, private rights of action are handled a little differently. Under the GDPR, consumers are also protected and have the opportunity to be compensated for damages; however, the GDPR is set up for class action lawsuits instead of individuals seeking recoupment for their own damage. Maximum penalties for violation of the GDPR are €20 million or 4% of global revenue, whichever is greater. In both territories, the enacted legislation aims to protect consumers and provide better accountability and self-regulation by data-collecting organizations.

Conclusion: The Future of Private Right of Action?

How do we value individual privacy rights in America and what does this mean in the information age? Will the rights of individuals in California be further expanded in the coming years to include all CCPA violations? Only time will tell. At present, the inclusion or exclusion of the Private Right of Action appears to be one of the key stumbling blocks in any discussion of Federal US Privacy Laws.
