Data Privacy Photo: Shutterstock

The California Consumer Privacy Act is set to go into effect Jan. 1, and, according to experts, class action litigation is coming.

The upshot for companies? Get ready. Yesterday.

“We're past the time where companies should have started preparing for the CCPA,” Edward McAndrew, a partner at DLA Piper in Washington, D.C., said.

In April, the 2019 Carlton Fields Class Action Survey indicated that the next wave of class action suits will result from data breaches. The report, citing responses from over 300 general counsel and senior in-house attorneys, indicated that state data privacy laws such as the CCPA will be the reason for an expected uptick in these kinds of class action suits.

As the law is currently written, consumers have a private right of action when their non-encrypted and nonredacted information is stolen. The law also allows consumers to file a claim even if they do not show actual damage from the data breach, according to a blog post by consulting company Epiq.

Cameron Azari, vice president at Epiq, said because it is difficult to show actual damage, historically data breach suits have mixed results. However, not having to show actual damage may make it easier for plaintiffs to succeed.

“I think that plaintiffs attorneys are going to be on the watch for wherever there is a recognized exposure of data,” Azari said.

Active preparation and documenting the steps made to become compliant with the law will also show a presiding court that a company was not negligent with data in the event of the breach. McAndrew said the questions the courts will ask are: Did the company act reasonably and did they act reasonably upon discovery of the breach?

“There is going to be potential liability if the plaintiff can establish that the company did not act reasonably in terms of attempting to secure the data,” McAndrew said.

He said at DLA Piper, he and his colleagues are working on building compliance programs for the CCPA.

Companies should also be preparing for the cost of litigation. McAndrew previously said the cost of discovery alone in one of these cases could be high.

“I suspect that if they aren't budgeting this year, they'll be budgeting next year,” McAndrew said.

It will not just be the multibillion-dollar companies of the world, Azari said. He said he would also expect plaintiffs attorneys to look at smaller companies that can still hold the personal data of tens of thousands of people. Because of the wide net the CCPA and other laws like it cast, compliance departments are becoming more sophisticated.

“None of these corporations want to be involved in a data breach,” Azari said. “I would think it's going to make defendants even more vigilant.”

For best practices, McAndrew said legal departments should look at some of the best practices that state regulators have published on best ways to protect data.

“If companies adopt those, they're going to be well-positioned to argue that they didn't act unreasonably,” McAndrew said.