As one year ends, another begins. So too it seems with California’s embrace of multi-million dollar privacy class actions.
The purported illegal recording of cellular or cordless phone calls under Section 632.7 of the California Penal Code has long been a favorite of the class action bar due to the availability of staggering statutory damages. These actions are all but dead, however, following the Fourth Appellate District’s decision in Smith v. LoanMe, Inc., 2019 DJDAR 11930, holding that some form of eavesdropping is required to state a cause of action under Section 632.7. No longer is the simple recording of a cellular or cordless telephone call between the actual participants to the call actionable. While many have long argued that the actual language of the statute as well as its legislative history – including the legislative history of the California Invasion of Privacy Act (Pen. Code §§ 630, et seq.) in general – require some form of spying to state a claim under Section 632.7, the court of appeal in LoanMe has made it official. Barring review or inconsistent rulings by other appellate districts, privacy class actions under Penal Code Section 632.7 are likely a thing of the past.
However, birth of a new California privacy class actions is right around the corner. Come January 1, 2020, California’s Consumer Privacy Act of 2018 (“CCPA”) will finally come into force. Recognized by many as one of the most significant regulations overseeing the data-collection practices of companies in the United States, it is a force to be reckoned with. While the last year has seen companies scrambling to bring their data collection practices into compliance, the real teeth lies in the possible statutory damages available following a data breach. More to the point, effective January 1, 2020, Section 1798.150(a)(1) of the California Civil Code provides that “[a]ny consumer whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . (A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.” The breadth and meaning of these few words and the CCPA in general will be litigated for years to come. The possible monetary recovery associated with every data breach demands it. One only needs review some of the legal headlines over the past few years to recognize that hundreds of millions of consumers – including tens of millions of California consumers – are affected each year by a data breach. The availability of possible statutory damages for each such consumer will certainly give rise to new privacy class action litigation in California.
So, as the saying goes – out with the old, and in with the new.