Class-Action Risk to Businesses from New Consumer Privacy Laws

Posted in: Class Actions by Dowling Aaron on

New California consumer privacy laws which have the potential to set off a wave of class-action litigation against businesses go into effect January 1, 2020.

The California Consumer Privacy Act of 2018 (CCPA) [1]allows consumers to demand that businesses tell them exactly what personal information the business has collected about them. Consumers will also have the right to prohibit businesses from selling their personal information (also known as “opting out”). Additionally, businesses cannot discriminate against consumers that opt out by charging them more or denying service to consumers who exercise these rights.

All businesses that collect or process consumer personal information, do business in California, and meet one of the following requirements must comply with the CCPA.

1. Have annual gross revenues over $25 million;
2. Buy, receive, sell, or share the personal information of 50,000 or more consumers, households or devices each year; or
3. Derive 50% or more of annual revenue from selling consumers’ personal information.
[1] Found at Cal. Civil Code s 1798.100 et seq.

Strikingly, the CCPA grants consumers the private right to sue businesses if their personal information is stolen or merely accessed without authorization due to a business’ failure to implement reasonable and appropriate security practices. Consumers can recover the greater of actual or statutory damages, which range from a minimum of $100 to a maximum of $750 per consumer per incident. A breach of thousands of records can quickly add up, and result in a very large judgment. We expect that class-action attorneys will exploit this opportunity.

Protected information includes not only identifiers such as name and address, but also internet activity information, such as the consumer’s interaction with a website; histories of products or services purchased or considered and search history; geolocation data; biometric information; and more, in both digital and non-digital forms.


If your business deals with personal information and meets one of the criteria above, you will need to take steps as soon as possible to comply with the CCPA. In addition to the requirements above, the CCPA mandates that you take affirmative steps including providing a clear and conspicuous link on your internet homepage titled “Do Not Sell My Personal Information” directing the consumer to a page where he or she can opt out; adding a description of the consumer’s rights under the CCPA to your online privacy policies; and notifying the consumer that their personal information will be collected at or before the time it is collected.

In order to reduce your risk as a class action target under the CCPA, we recommend that you consider updating your website terms of use and policies, and train your staff on the CCPA and security measures necessary to prevent unauthorized access. As states become more active in regulating consumer privacy, California businesses should be aware of other privacy regulations that may affect them. For instance, the EU General Data Protection Regulation (GDPR), although a European regulation, applies to any company anywhere in the world that that handles and stores the personal data of at least one EU resident.

Please contact Robert Tookoian at (559) 432-4500 if you would like assistance formulating the disclosures required for your websites, if you are interested in updating your website terms of use, or if you foresee any issues with litigation under the new law.

The information contained in this blog is provided for informational purposes only, and should not be construed as legal advice on any subject matter. No recipients, clients or otherwise, should act or refrain from acting on the basis of any content included in this blog without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from an attorney licensed in the recipient's state. The content of this blog contains general information and may not reflect current legal developments, verdicts or settlements. The Firm expressly disclaims all liability in respect to actions taken or not taken based on any or all the contents of this blog.