As one year ends, another begins. So too it seems with California’s embrace of multi-million dollar privacy class actions. The purported illegal recording of cellular or cordless phone calls under Section 632.7 of the California Penal Code has long been a favorite of the class action bar due to the availability of staggering statutory damages. These actions are all but dead, however, following the Fourth Appellate District’s decision in Smith v. LoanMe, Inc., 2019 DJDAR 11930, holding that some form of eavesdropping is required to state a cause of action under Section 632.7. No longer is the simple recording of a cellular or cordless telephone call between the actual participants to the call actionable. While many have long argued that the actual language of the statute as well as its legislative history – including the legislative history of the California Invasion of Privacy Act (Pen. Code §§ 630, et seq.) in general – require some form of spying to state a claim under Section 632.7, the court of appeal in LoanMe has made it official. Barring review or inconsistent rulings by other appellate districts, privacy class actions seeking statutory damages under Penal Code section 632.7 are the past.
But fear not – the birth of a new California statutory damages provision has arrived. Come January 1, 2020, California’s Consumer Privacy Act of 2018 (“CCPA”) will come into force. Recognized by many as one of the most significant regulations overseeing the data-collection practices of companies in the United States, it is a force to be reckoned with. While the last year has seen companies scrambling to bring their data collection practices into compliance, the real teeth lies in the possible statutory damages available following a data breach. While data breach class actions are not new, statutory damages under the CCPA are. Specifically, in the event of a breach as defined by the CCPA, an affected consume may seek to “recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.” The breadth and meaning of these few words will be litigated for years to come. The possible monetary recovery associated with every data breach demands it of both sides to any claim.
So, as the saying goes – out with the old, and in with the new.