Courts across the United States continue to grapple with California’s landmark consumer privacy law, the California Consumer Privacy Act (CCPA). While the contours of this law are being litigated on multiple fronts, one important but less-discussed provision is Section 1798.150(a)(1), the right to cure.
The CCPA, like other, similar California privacy laws, includes an opportunity to cure after notice. Cf. California Consumer Legal Remedies Act, Cal. Civ. Code § 1770, et seq. (providing a 30-day cure period, but not eliminating a statutory class action by way of the cure). Specifically, an affected consumer must give a business thirty days’ notice of a CCPA violation prior to initiating any suit for individual or class-wide statutory damages. Importantly, “[I]f within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur,” the CCPA forbids an individual or class-wide statutory damages action against the business. While a consumer may always, without notice, file an action for actual money damages because of alleged CCPA violations, preventing statutory damages can protect a business from greater liability. But what does it mean to “actually cure” the violation?
Curing the Violation and Avoiding Statutory Damages
Plaintiffs may argue that following a cyberattack, unauthorized access of a business’s stored consumer data cannot be undone. Under the CCPA, however, a business need not undo a breach to cure an alleged violation. Courts in the Second Circuit, and one in California, have held that a business need not place the consumer in the same position they would be in absent a breach but must simply remedy any violation of the business’s duty to implement reasonable security procedures. See, e.g., In re Waste Mgmt. Data Breach Litig., 21-CV-6147, 2022 WL 561734, at *7 (S.D.N.Y. Feb. 24, 2022) (appeal filed March 25, 2022); see also Rodriguez v. River City Bank, No. 34-2021-00296612, 2021 Cal. Super. LEXIS 105085, at *21 (Cal. Super. Ct. Sept. 2, 2021) (holding that implementation of appropriate security measures does constitute a cure under the current version of the CCPA). No other courts have weighed in on this issue as of yet.
Therefore, to protect itself after a breach, a business should—
(1) immediately repair any deficiency leading to the breach; and
(2) adjust relevant security practices, as needed and appropriate.
If a CCPA letter is received, it is imperative to provide the complaining consumer with an express, written statement that the violations have been cured and that no further violations shall occur. This letter should be as detailed as possible, describing the full efforts made to ensure the violation has been cured. These steps should diminish the risk of statutory damages under the CCPA.
Still, several questions remain unanswered. For one, is a proper cure response following an individual notice dispositive of any future statutory class or just a putative class led by the complaining consumer? For another, will the circuits agree on the adequacy of a CCPA violation cure with respect to the remedial measures taken? For now, we await further interpretation. We also await the California Privacy Rights Act (CPRA), which goes into full effect January 1, 2023. The CPRA maintains the 30-day notice and cure period but reasonable security procedures and practices following a breach will no longer constitute a cure with respect to that breach. Check back for further updates on trends in CCPA and CPRA practice. For more information, please feel free to reach out to the authors or others in BakerHostetler’s Digital Assets and Data Management Practice Group, which regularly counsels and advocates for clients on CCPA compliance, risk, and enforcement within the evolving legal landscape.