Yesterday, I read an article on JD Supra answering the question “Can a company be sued under the CCPA for failing to post a ‘do not sell my personal information’ link?” To my surprise, the answer given was “No.”
The analysis in the post actually addressed the question of whether a consumer could sue a company for failing to post the link, but it did not address who else might have a cause of action.
Who can sue under the CCPA?
§1798.150 of the CCPA provides a cause of action for a data breach involving disclosure of a consumer’s personal information because of a business’s failure to implement reasonable security measures. This section allows consumers to sue the business for damages after giving the business notice and a chance to cure the issue if that is possible.
§1798.155 of the CCPA allows the California Attorney General to bring a civil action against a business. This action can be brought for any violation of the CCPA including a failure to post a ‘do not sell my personal information’ link if the business is required to provide one. Just like in the data breach case, businesses have a chance to cure the issue after being notified of a potential violation before an action can be commenced.
Public vs. Private Causes of Action
Of course, there is a higher chance of being sued under a law that provides a private cause of action, which allows anybody who is injured to sue you, than there is under a public cause of action, which requires a public body such as the state Attorney General to sue you. Government agencies only have so many resources and they need to prioritize where they focus their efforts.
Nevertheless, it seems irresponsible to suggest that a company cannot be sued if they fail to post the required ‘do not sell my personal information’ link. Depending upon the nature of the company, the type of information collected, and the way in which it is being sold, a business might attract the attention of the AG, and the penalties for intentionally violating the CCPA could be large (up to $7,500 per violation, which could be per consumer).
The CCPA comes into effect on January 1, 2020 and businesses that sell personal information should provide a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on the homepage that California consumers will see (see §1798.135).
Disclaimer: the information included here is provided AS IS for discussion purposes only. It may not be completely accurate, may not be applicable in all situations, and should not be acted upon without specific legal advice based on particular situations.