Will the CCPA's Private Right of Action Lead to More Privacy Lawsuits?

Drive down the Las Vegas strip and every third and fourth billboard is advertising a law firm focused on getting compensation for people who have experienced accidents such as trips and falls. Focusing on an area known as injury law, these firms seek out people who have experienced injury as a result of a business' negligence and look to obtain some form of financial payout for the victim. 

Lawsuits are big revenue generators... for lawyers 

When a lawyer is successful at litigating a business, it can result in significant revenue for their law firm, especially in cases such as class-action suits. For example, in one data breach case, the courts awarded a settlement of $380 million for consumer compensation and fees associated with the case, but from that awarded $80 million to the attorneys. 

One of the reasons for an attraction to injury law is often the ease of taking cases to court – businesses have insurance to protect themselves in such events and most of the time, the insurance company will simply choose to settle a claim instead of trying to fight it in court. Even in cases where the argument ends up before a judge, the courts tend to favor consumers unless the business can present clear and factual evidence demonstrating lack of fault.

The CCPA makes for an easy target 

The CCPA legislation is geared around protecting the consumer and bolstering their rights regarding data when interacting with businesses. The law mandates certain requirements that businesses must adhere to and opens the door for lawsuits where they do not. 

In terms of penalties, civil awards can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation, meaning that a case with many plaintiffs could yield substantial compensation for the consumers involved and most certainly the attorneys who took the case to court. 

With such high potential payouts and a consumer-base that is significant, the CCPA could prove to be a profitable business area for law firms, especially if class-action suits can be formed. 

Insurance or protection? 

As organizations look to establish their stance around data breaches, the CCPA and other compliance regulations, insurance is often an option which many consider. Most data breach insurance policies only cover a direct breach – that is, a breach of your servers resulting in data loss. But from a CCPA perspective, a simple non-compliance advertiser could be considered cause for a claim of data loss, especially if a user has requested that an organization not sell their data. 

One of the challenges with ecommerce is the number of external parties involved in a transaction, whether it be the third-party services utilized within a website, the advertisements being displayed to generate revenue, the services the advertisers themselves use, the credit card processing tools or the many other vendors that form part of the supply chain. When many entities are involved in an event, the potential for data loss is increased and from a CCPA perspective, the organization is responsible for it all. 

As organizations are essentially responsible for data loss, even when the fault is with one of the third parties which they utilize, the risk of a compliance violation increases with every external component. While businesses invest significant time and money into protecting their own assets, they are often unable to – or do not even realize they should – apply the same measures and standards to their third-party technologies. 

Show clear and demonstrable protection 

We can expect to see many CCPA-related lawsuits hit the headlines as consumers and law firms take advantage of the rights the legislation gives. As organizations prepare for the potential of CCPA-related suits, it is imperative that they put solutions in place which can demonstrate clear compliance through enforcement, auditing, documentation and data leakage prevention. Most compliance solutions focus on providing a workflow and the auditing aspects but fail to enforce the consent choices made by users and pass data outside of the website to third parties to action compliance. 

Watch our video on how workflow solutions can leave your website vulnerable to attack and class action lawsuits, and get in contact to learn more about how you can ensure compliance.