- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Can companies use arbitration clauses and class-action waiver provisions to mitigate the risk of CCPA-related class actions?
More than likely.
The CCPA states that consumers may seek, on “an individual or class-wide” basis, actual damages, statutory damages, or injunctive or declaratory relief following certain types of data security breaches.1 The CCPA further states that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under [the CCPA], including, but not limited to, any right to a remedy or means of enforcement” is “void and unenforceable.”2 The reference to contract provisions limiting consumer rights as being void and unenforceable has led some plaintiffs’ attorneys to suggest that the California legislature intended to invalidate the use of arbitration and class action waiver clauses in contracts as those provisions might prevent consumers from proceeding on a “class-wide” basis.
Despite the language in the CCPA, the United States Supreme Court has consistently affirmed the strong federal policy favoring arbitration and the enforceability of class action waivers in arbitration agreements. In the landmark case of AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011), the Supreme Court explained that the Federal Arbitration Act (“FAA”) was specifically designed to preempt state laws that undermine the goal of the FAA to promote arbitration. Furthermore in Sanchez v. Valencia Holding Co., 61 Cal. 4th 899 (2015), the California Supreme Court determined that class action waiver provisions within contracts are enforceable even if a state law appears to provide for class action type recovery.
As a result, and based upon the holdings in Concepcion and Sanchez, there is a strong argument that the CCPA will not be interpreted as preventing consumers from entering into arbitration agreements or from agreeing to waive their ability to proceed in class actions.
Is there an obligation to monitor service providers under the CCPA?
The CCPA allows businesses to share personal information with third parties or service providers for business purposes so long as there is a written contract that complies with the CCPA. Among other things, the CCPA prohibits any agreement or contract provision that seeks to waive or limit a consumer’s rights under the CCPA.
Comparison to Other Privacy Laws
Similar to the CCPA, the GDPR imposes certain requirements when a company uses a service provider. Both the CCPA and the GDPR require companies to contractually limit the service provider’s uses of personal information and to ensure the same restrictions that apply to the company will flow down to the service provider.
To Do List
To comply with the CCPA companies should:
- Review existing agreements with service providers to identify potential gaps.
- Identify instances in which you may be using a service provider that has access to information about Californians and with whom you do not currently have agreements in place.
- Update agreements with service providers to ensure that they meet the new requirements of the CCPA.
How We Can Help
Companies across the globe have retained BCLP to draft service provider agreements, or review their service provider agreements to spot anything that might be considered out of compliance with legal or regulatory requirements.
|Cal. Civil Code 1798.140(v), (w)
Cal. Civil Code 1798.145(h)
Cal. Civil Code 1798.192