December 04, 2019

The California Consumer Privacy Act’s 30-Day Right to Cure

Genevieve R. Walser-Jolly, Esq. and Scott J. Hyman, Esq.

Under the California Consumer Privacy Act (“CCPA”), effective January 1, 2020, California consumers [1] will have a private right of action if their unencrypted or unredacted personal information is the subject of a data breach that results from a business’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” [2] Victimized consumers may recover damages between $100 and $750 per consumer per incident, or actual damages, whichever is greater. [3] To calculate statutory damages, courts will look at the seriousness of the violations, the number of violations, the length of time over which violations occurred, the willfulness of the business’s conduct, and the business’s assets, liabilities, and net worth. [4] Before filing suit for statutory damages, a consumer must notify the business of the alleged wrongdoing and provide the business 30 days to cure. [5] If a cure is possible and completed, the business must provide the consumer with written confirmation of the cure and a statement that no further violations will occur. If these requirements are met, the consumer may not file a lawsuit (individually or on a class-wide basis) for statutory damages, unless and until future violations occur. [6] No notice and opportunity to cure is required prior to filing an action for actual pecuniary damages. [8]

While the CCPA does not provide guidance on what must be done to cure, [9] two California statutory schemes with “cure” provisions may provide guidance to courts: the Consumer Legal Remedies Act (“CLRA”) and the Rosenthal Fair Debt Collection Practices Act (the “Rosenthal Act”)—both of which provide defendants a right to cure a purported violation of the statute. The CLRA, for example, provides two frameworks from which the CCPA might draw: the adequacy of the pre-suit notice and whether the business cured the violation.

The CLRA provides that “(a) [t]hirty days or more prior to the commencement of an action for damages [10] pursuant to this title, the consumer shall do the following: (1) [n]otify the person alleged to have employed or committed methods, acts, or practices declared unlawful by Section 1770 of the particular alleged violations of Section 1770[;] (2) [d]emand that the person correct, repair, replace, or otherwise rectify the goods or services alleged to be in violation of Section 1770”. [11] There has been significant litigation in California regarding the adequacy of pre-suit notice under the CLRA. A pre-suit letter that fails to identify the particular § 1770 violations that the plaintiff alleges fails to comply with the CLRA and, consequently, prohibits a suit for damages. [12] The court found that strict application of the requirement was necessary in order to achieve this goal. [13] The same should be true with the CCPA: strict application of the notice requirement, not substantial compliance, should be necessary to put a business on notice.

Similarly, a pre-suit notice under the CCPA should be considered inadequate where it gives notice only of the data breach without alleging and providing any factual basis as to why the data breach was caused by a business’s failure to implement and maintain reasonable policies and procedures since a plaintiff must plead and prove both elements under the CLRA. [14] A pre-suit notice must provide why the business failed to “implement and maintain reasonable security procedures and practices” and why that failure caused the data breach. The plaintiff’s bar will undoubtedly argue that such notice is not reasonable or even possible given consumers’ lack of insight into the business’s practices and procedures. Nonetheless, liability only results if the data breach is the result of a business’s failure to “implement and maintain reasonable security procedures and practices.” Therefore, if a business is to cure or, in the parlance of the CCPA, to provide the plaintiff with written confirmation of the cure, the business must be advised where its failure lies.

A business’s efforts to cure under the CLRA generally have been met by California courts with some hostility. Despite businesses’ attempts to cure this CLRA violation during the 30-day period, consumers repeatedly sue anyway. [15] Such filings have led to lengthy and contentious litigation over whether the business cured the violation to the satisfaction of the consumer’s counsel, whether other claims existed besides the cause of action requiring the 30-day notice, [16] whether the business imposed conditions on the cure that the reviewing court found unacceptable, [17] or whether the claims filed despite the cure (aka tender) did or did not arise under the CLRA.

In Benson v. S. Cal. Auto Sales, Inc., 239 Cal. App. 4th 1198 (2015), for example, the Court of Appeal denied a purchaser’s request for $182,273 in attorneys’ fees and costs after the purchaser rejected the seller’s pre-litigation tender. The Court of Appeal applied “a hybrid standard [of review] to evaluate whether the circumstances identified in the statute as criteria for an award exist [and] . . . whether substantial evidence supports the exercise of the court’s discretion.” The Court of Appeal rejected Benson’s contention that the dual requirements of a mutual release and giving up non-CLRA claims rendered the seller’s cure inadequate. The Court of Appeal found no error in the trial court’s conclusion that the non-CLRA claims added no value to Benson’s CLRA claim and found that requiring a mutual release was both routine and wise. [18]

The Ninth Circuit Court of Appeals, however, distinguished the Benson case in Gonzales v. CarMax Auto Superstores, L.L.C., 845 F.3d 916 (9th Cir. 2017). There, the Court of Appeals granted summary judgment to Gonzales on his CLRA claim, and held that the dealer’s tender did not protect the dealer against an attorneys’ fees award because Gonzales did not seek damages under the CLRA. The Court of Appeals remanded the case for the district court “to determine in the first instance whether Gonzales qualifies as a prevailing plaintiff.” Unfortunately, the case was settled and dismissed, so there will be no answer on remand.

Benson and Gonzales leave unanswered whether a trial court should focus in the first instance on the CLRA claim or the non-CLRA claim when both are pleaded and a Benson-style tender is made. Gonzales, despite outward appearances, did not bridge the gap left by Benson, which had “declined to ‘address the requirements for an attorney fee award based on a request for injunctive relief.’ ” [19] Instead, Gonzales only muddied the waters further by remanding the case to determine whether the purchaser prevailed in the first instance. And courts critical of Benson have distinguished Benson on the basis that Benson applies no hard-and-fast rule, but instead merely reflects well-settled rules of appellate procedure giving deference to trial courts’ discretionary decisions.

The cure provision in the Rosenthal Act may provide an additional source of guidance for businesses attempting to rely on the CCPA’s 30-day cure provision. The Rosenthal Act provides that a debt collector shall have no civil liability if “within 15 days either after discovering the violation which is able to be cured, or after the receipt of a written notice of such violation, the debt collector notifies the debtor of the violation, and makes whatever adjustments or corrections are necessary to cure the violation with respect to the debtor.” [20] Two notable differences appear, however, between the Rosenthal Act’s and CCPA’s respective cure provisions. First, unlike the CCPA (and CLRA), the Rosenthal Act’s cure provision is not a pre-suit notice requirement. [21] Second, “whether” a violation can be cured under each statute’s language differs. The Rosenthal Act permits a defendant to cure where the violation is “able to be cured.” [22] Accordingly, decisions interpreting this provision have focused on whether the violation can be cured and return a debtor to the position she was in before the violation. [23] The CCPA’s cure provision differs, stating that “[i]n the event a cure is possible, if within the 30 days the business actually cures the noticed violation,” and provides the consumer with confirmation of such cure and assurance that such a breach will not occur in the future, then “no action for individual statutory damages or class-wide statutory damages may be” filed. [24]

While decisions focusing on the Rosenthal Act’s “able to be cured” requirement would, arguably, seek to return the debtor to the position the debtor was in before the violation, [25] the same limitation would not necessarily be true under the CCPA’s “if possible” cure provision. First, of course, the language between the statutes differs. Second, but more importantly, a business suffering a data breach cannot undo a data breach, turn back time, or return the proverbial genie to the bottle. But still, the CCPA’s right to cure must have meaning, and courts cannot ignore express statutory language as mere surplusage. [26] Thus, arguably, the opportunity to cure under the CCPA cannot apply to curing a data breach that itself cannot be cured but, instead, must apply to curing the business’s failure to implement and maintain reasonable security procedures and practices that caused the breach. This is true because a data breach itself is not actionable without being caused by a business’s failure to implement and maintain reasonable security procedures and practices. [27]

The California legislature has substantial experience in providing businesses with a right to cure in other statutory schemes. The legislature provided a right to cure to a business suffering a data breach, [28] despite knowing that the business’s customers who have no damages cannot be returned to their same pre-breach position. That is why the legislature prohibited businesses from avoiding liability by curing for those customers who suffer actual damages. [29] Taken as a whole, the notice requirement and opportunity to cure were intentional and must be given meaning consistent with the purpose of the statute. [30]

So, what can a business that suffered a data breach do to “cure”? At a minimum, a business must cure its failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” [31] After all, to effectuate a cure, a business must provide written confirmation to the consumer of the cure and include a statement that no further violations will occur. [32] But a business responding to a pre-suit CCPA notice must also critically examine the notice and its specificity. For example, does the notice merely state that a data breach occurred? Or does the notice contain specifics about the purported failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information” that caused the data breach? [33] Benson and its progeny, and jurisprudence under the Rosenthal Act’s cure provision, suggest both judicial hostility and a narrow interpretation of cure provisions and that businesses that cure are likely to be sued anyway.

 

Footnotes 

1. A “consumer” is “a natural person who is a California resident,” as defined in 18 Cal Code Regs § 17014 (1994). Civil Code § 1798.140(g) (2018).
2. Id. § 1798.150(a) (2018).
3. Civil Code § 1798.150(a)(1)(A) (2018). Consumers may also recover injunctive relief (id. (B)) or any other relief that the court deems proper (id. (C)).
4. Civil Code § 1798.150(a)(2) (2018).
5. Id. § 1798.150(b) (2018).
6. Cal Code Regs, supra.
7. Cal Code Regs, supra.
8. Id.
9. The California Attorney General is required to release final regulations by July 1, 2020. The Attorney General issued proposed regulations on October 10, 2019, none of which addressed Section 1798.150(b)’s right to cure as of the time of writing.
10. By its terms, however, the failure to give the CLRA’s 30-day notice or a business’s failure to cure within 30 days of notice of the violation do not insulate the business from injunctive relief. Civil Code, supra, § 1782(d) (1970). See also Clarke v. Carmax Auto Superstores CA, No. ED CV16-00704 JAK (DTBx), 2017 U.S. Dist. LEXIS 186378 (C.D. Cal. July 24, 2017) (“Plaintiff has brought both common law and CLRA claims of fraud. He does not, and could not seek any damages under the CLRA claim, because they are not allowed under Cal. Civ. Code § 1782, when a compliant, corrective offer has been made. See also Gonzales v. CarMax Auto Superstores, LLC, 845 F.3d 916, 918 (9th Cir. 2017) (damages are not available under the CLRA when a timely repurchase offer has been rejected); Benson v. S. Cal. Auto Sales, Inc., 239 Cal. App. 4th 1198, 1204, 192 Cal. Rptr. 3d 67- (2015) (same). Therefore, only injunctive relief is available under this cause of action.”).
11. Civil Code, supra, § 1782(a) (1970).
12. Von Grabe v. Sprint PCS, 312 F. Supp. 2d 1285, 1304 (S.D. Cal. 2003).
13. Outboard Marine Corp. v. Superior Court, 52 Cal. App. 3d 30, 40-41, 124 Cal. Rptr. 852 (1975); Von Grabe, 312 F. Supp. 2d at 1303.
14. E.g., Anderson v. Kimpton Hotel & Rest. Grp., L.L.C., No. 19-cv-01860-MMC, 2019 U.S. Dist. LEXIS 133869, at *13-14 (N.D. Cal. Aug. 8, 2019); Razuki v. Caliber Home Loans, Inc., CASE NO. 17cv1718-LAB (WVG), 2018 U.S. Dist. LEXIS 196070, 2018 WL 6018361, at *1 (S.D. Cal. Nov. 14, 2018) (“[d]efendant knew of higher-quality security protocols available to them but failed to implement them”; finding allegation was “precisely the type of threadbare claim Iqbal warns of”).
15. See, e.g., Aviles v. Ocwen Loan Servicing, L.L.C., No. 18-CV-1749 JLS (NLS), 2019 U.S. Dist. LEXIS 81465 (S.D. Cal. May 14, 2019) (“Defendant’s purported notice of cure pursuant to Section 1788.30(d) cannot be considered for purposes of the present Motion under either doctrine. That Defendant allegedly sent a notice to Plaintiff is neither generally known nor readily determined from sources whose accuracy cannot reasonably be questioned. Consequently, that fact cannot be judicially noticed. Further, Defendant’s purported notice is mentioned nowhere in Plaintiff's Complaint. Accordingly, it does not form the “basis” of Plaintiff's RFDCPA claim and cannot be incorporated by reference. Rather, the notice of cure “merely creates a defense to the well-pled allegations in the complaint,” which, as the Ninth Circuit recently emphasized, means the document cannot be incorporated by reference into Plaintiff's Complaint. See Khoja, 899 F.3d at 1002. Consequently, the Court cannot determine at this time whether the notice of cure Defendant claims to have served on Plaintiff pursuant to Section 1788.30(d) absolves it from liability for its alleged violations of the RFDCPA.”).
16. Valdez v. Seidner-Miller, Inc., 33 Cal. App. 5th 600 (2019) (“Seidner could have made an appropriate correction offer had it offered simply to refund Valdez's down payment and monthly payments, pay off the outstanding loan balance, and pay attorney's fees and costs. Although Valdez would still have been able to pursue his other claims, nothing would have prevented Seidner from attempting to negotiate a separate settlement of those claims. But Seidner's effort to exact additional concessions from Valdez as part of a global settlement ran afoul of sections 1752 and 1782, subdivisions (b) and (d), of the CLRA.”).
17. See, e.g., Goglin v. BMW of N. Am., L.L.C., 4 Cal. App. 5th 462 (2016) (holding that a pre-litigation Benson-type tender had no effect where Plaintiff continued to pursue claim (and attorneys’ fees) under the Song-Beverly Act).
18. Id. at 1209-10.
19. Id. at 918.
20. Civil Code, supra, § 1788.30(d) (1977).
21. See Adams v. CIR Law Offices, LLP, No. 07cv1041-IEG(LSSP), 2007 U.S. Dist. LEXIS 63808 (S.D. Cal. Aug. 29, 2007) (plaintiff’s failure to notify and provide opportunity for defendant to cure alleged violations does not relieve defendant of liability).
22. Id.
23. Timlick v. Ncb Mgmt. Servs., No. A152467, 2019 Cal. App. Unpub. LEXIS 4895 (Cal. Ct. App. July 23, 2019) (unpublished decision applied the Rosenthal Act’s 15-day cure provision to a type-size violation); Timlick v. Nat’l Enter. Sys., No. A154235, 2019 Cal. App. Unpub. LEXIS 3198 (Cal. Ct. App. May 7, 2019) (accord); Romero v. Department Stores National Bank, 2018 WL 1079728, at *1 (9th Cir. 2018) (That California would require a creditor to return a debtor to the position she was in before the Rosenthal Act violation in order to “cure” that violation finds support in other contexts, where future compliance is an insufficient “cure” if the ill effects of a violation have not been or cannot be remedied. [citations omitted] Because the Banks’ violation here is the type that has allegedly caused harm like interruption of Romero’s solitude, which cannot be cured merely by ceasing calls going forward, the district court erred in granting judgment for the Banks on this claim on the basis of the mere assertion of the defense.); Watkins v. Investment Retrievers, Inc., 2018 WL 558833, at *5–6 (E.D. Cal. 2018) (apology and correction letter within 15 days regarding debtor’s possession of the vehicle fell within section 1788.30(d)); Afewerki v. Anaya Law Group, 2017 WL 3567829, at *4–5 (9th Cir. 2017) (Anaya Law Group’s $3,000 overstatement of the principal due in the state court complaint, exacerbated by the statement of an inflated interest rate, was material but was able to be cured under section 1788.30(d)).
24. Civil Code § 1798.150(b) (2018) (emphasis added).
25. Romero v. Department Stores National Bank, 2018 WL 1079728, at *1 (9th Cir. 2018) (Stating that California would require a creditor to return a debtor to the position she was in before the Rosenthal Act violation in order to “cure” that violation finds support in other contexts, where future compliance is an insufficient “cure” if the ill effects of a violation have not been or cannot be remedied).
26. Even Zohar Constr. & Remodeling, Inc. v. Bellaire Townhouses, L.L.C., 61 Cal. 4th 830, 837-38 (2015) (citations omitted); Jurcoane v. Superior Court, 93 Cal. App. 4th 886, 893 (2001) (“We must read statutes as a whole, giving effect to all their provisions, neither reading one section to contradict others or its overall purpose, nor reading the whole scheme to nullify one section.”); id. at 894 (“[W]e presume the Legislature intended everything in a statutory scheme, and we should not read statutes to omit expressed language or include omitted language.”).
27. E.g., Anderson, 2019 U.S. Dist. LEXIS 133869, at *13-14 (Judge Chesney dismissed a data breach claim under Civil Code 1798.81.5 because the Plaintiffs pleaded no facts, other than the data breach itself, to support their contention that the defendant failed to maintain reasonable security measures.)
28. The legislature rejected the Attorney General’s sponsored legislation to eliminate the 30-day cure right as to AG enforcement actions. See Senate Judiciary Committee, SB 561 (2019-2020), hearing date April 9, 2019.
29. Civil Code, supra, § 1798.150(b).
30. 926 N. Ardmore Ave., L.L.C. v. County of L.A., 3 Cal. 5th 319, 328 (2017).
31. Civil Code, supra, § 1798.150(a).
32. Id. § 1798.150(b).
33. Id. § 1798.150(a).

Genevieve Walser-Jolly

Severson & Werson

Genevieve Walser-Jolly is a Member at Severson & Werson. She holds a CIPP/US certification and is a member of the Governing Committee for the Conference on Consumer Finance Law. 

Scott J. Hyman

Severson & Werson

Scott Hyman is a Member and the Data Protection Officer at Severson & Werson. He holds CIPP/US, CIPP/E, and CIPM certifications from the International Association of Privacy Professionals.