The Private Right of Action in the CCPA is a right that allows individuals to sue a business over certain data breaches, including breaches that occur at a third party holding their data. It is a highly debated topic in privacy law and is handled differently across the globe. The Private Right of Action is the ultimate enforcer of an organization’s commitment to keeping individual data safe, but with such a strong check comes risk.
In this case, the desire to add another avenue for privacy regulation enforcement must be weighed against the danger that a Private Right of Action will be abused by litigators looking for a quick profit. Lawmakers must also grapple with the potential for astronomical damages awards against a company in class-action data breach lawsuits.
The Private Right of Action in the CCPA is limited in scope, but it still grants the consumer the right to initiate litigation in the event that a business fails to
“implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” (CCPA Section 1798.150(a)(1))
The right applies only where that failure results in unauthorized access and exfiltration, theft, or disclosure of the consumer’s nonencrypted and nonredacted personal information, so data that was properly encrypted at the time of the breach falls outside it. Furthermore, a consumer must give the business 30 days’ written notice before seeking statutory damages; if the business cures the violation within that period and provides the consumer a written statement that it has done so, no action for statutory damages may be brought (Section 1798.150(b)). A final limitation is that the Private Right of Action covers only breaches of the categories of personal information listed in California’s data breach statute (for example, a name combined with a Social Security number, driver’s license number, financial account number, or medical information), not every CCPA violation. Other states, such as Connecticut, allow individuals to initiate litigation if they believe any of their personal data was breached.
Part of the controversy behind the inclusion of the Private Right of Action is the potential cost it poses for businesses. Individuals can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. This adds up very quickly, considering that organizations hold personal data on millions of consumers. Should individuals have the right to initiate a lawsuit if the breached organization maintained reasonable safeguards that are accepted industry-wide? Privacy advocates and their opponents are currently in a gridlock.
In the United States, privacy advocates are growing frustrated with industry-friendly proposals that remove the Private Right of Action entirely. They argue that allowing individuals to bring their own claims over breaches of their personal data takes some of the enforcement load off the California Attorney General’s office. Previously, the AG’s office has stated that there is a hard limit on the number of privacy rights cases it can take in a calendar year.
In Europe, the GDPR handles private rights of action a little differently. Under Article 82, any data subject who suffers material or non-material damage from an infringement has an individual right to compensation from the controller or processor, and under Article 80 a data subject may also mandate a not-for-profit body to lodge complaints and claim compensation on their behalf, which opens the door to representative (class-style) actions. The widely cited maximum penalties of €20 million or 4% of total worldwide annual turnover, whichever is higher, are administrative fines imposed by supervisory authorities, not damages paid to individuals. In both territories, the enacted legislation aims to protect consumers and provide better accountability and self-regulation by data collecting organizations.
How do we value individual privacy rights in America and what does this mean in the information age? Will the rights of individuals in California be further expanded in the coming years to include all CCPA violations? Only time will tell. At present, the inclusion or exclusion of Private Right of Action appears to be one of the key stumbling blocks in any discussion of Federal US Privacy Laws.