Can companies use arbitration clauses and class-action waiver provisions to mitigate the risk of CCPA-related class actions?
More than likely.
The CCPA states that consumers may seek, on “an individual or class-wide” basis, actual damages, statutory damages, or injunctive or declaratory relief following certain types of data security breaches.1 The CCPA further states that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under [the CCPA], including, but not limited to, any right to a remedy or means of enforcement” is “void and unenforceable.”2 The reference to contract provisions limiting consumer rights as being void and unenforceable has led some plaintiffs’ attorneys to suggest that the California legislature intended to invalidate the use of arbitration and class action waiver clauses in contracts as those provisions might prevent consumers from proceeding on a “class-wide” basis.
Despite the language in the CCPA, the United States Supreme Court has consistently affirmed the strong federal policy favoring arbitration and the enforceability of class action waivers in arbitration agreements. In the landmark case of AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011), the Supreme Court explained that the Federal Arbitration Act (“FAA”) was specifically designed to preempt state laws that undermine the goal of the FAA to promote arbitration. Furthermore in Sanchez v. Valencia Holding Co., 61 Cal. 4th 899 (2015), the California Supreme Court determined that class action waiver provisions within contracts are enforceable even if a state law appears to provide for class action type recovery.
As a result, and based upon the holdings in Concepcion and Sanchez, there is a strong argument that the CCPA will not be interpreted as preventing consumers from entering into arbitration agreements or from agreeing to waive their ability to proceed in class actions.
CCPA Privacy FAQs: So what is with the CCPA’s deadline? Is it, or is it not, going into force on January 1, 2020?
There is a good deal of confusion about when the CCPA actually “becomes law.” The confusion is due, in large part, to a lack of drafting clarity presumably caused by the hasty drafting of the Act.1
The CCPA includes the following references to deadlines:
| Issue | Description | Date |
| Enacted | Date that the law was enacted. | June 28, 2018 |
| Operative | Date that the law becomes “operative.”2 | January 1, 2020 |
| Enforceable by private suit | Date that individuals can bring suit for an alleged violation of the data security provisions.3 | January 1, 2020 |
| Attorney General Mandatory Regulations | Date by which the Attorney General must “adopt” regulations on mandatory topics.4 | On, or before, July 1, 2020 |
| Attorney General Discretionary Regulations | Date by which the Attorney General can adopt additional regulations on other topics that may “further the purposes” of the CCPA | No deadline |
| Attorney General Enforcement Actions | Date by which the Attorney General can bring an enforcement action under the CCPA.5 | July 1, 2020 (unless final regulations are published sooner) |
In summary, although the statute becomes “operative” on January 1, 2020, the only enforcement of the statute as of that date relates to suits involving data security breaches. A company cannot be a defendant in a civil action for the privacy-oriented provisions of the CCPA until July of 2020 – at which time the Attorney General can bring enforcement actions premised on any provision of the CCPA (regardless of whether such a provision relates to privacy or security, or one of the Attorney General’s regulations).
The timeline created by California legislature has raised questions about whether the Attorney General is prohibited from initiating an enforcement action until July 1, 2020 (i.e., prohibited from filing a lawsuit until that date), or whether the Attorney General is prohibited from bringing an enforcement action for conduct that occurs prior to July 1, 2020. In other words, the CCPA is ambiguous about whether companies that violate the privacy provisions of the Act on January 1, 2020 are immune from liability, or could be subject to an enforcement action initiated on July 1, 2020, as the January conduct would fall within the scope of the four year statute of limitations that applies to an Attorney General initiated suit.6 While the text of the Act is ambiguous, a strong argument could be made that the intent of the legislature in building a delayed enforcement period into the statute was to provide businesses with time – between when the statutorily mandated interpretative guidance is first proposed and when it is approved as a final rule – to process that guidance, and take steps to come into compliance. In addition, the Attorney General has not given any indication to-date that he intends to bring enforcement actions premised on conduct that occurs between January 1, 2020 and the final publication of regulations. The net result is that while the Attorney General might theoretically attempt to bring a suit under the CCPA on July 1, 2020 for conduct that occurred before July 1, 2020, as a practical matter, it is highly unlikely that he will attempt to do so, and dubious that such an attempt, if made, would be successful.