How Broad Is the Scope of the CCPA's Standing Provision Under Section 1798.150(a)(1)?

Carlton Fields

Once the California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, the California courts will be inundated with a litany of interpretive questions. One that will no doubt surface concerns the proper interpretation and scope of the standing provision in the CCPA's private right of action for statutory and actual damages under Section 1798.150(a)(1). The California Legislature granted standing under this provision to "[a]ny consumer whose nonencrypted or nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information."

By its terms, this provision certainly would afford standing to a person who is a "consumer" in California and who is a victim of "an unauthorized access and exfiltration, theft, or disclosure" of his or her protected "personal information" that is caused by a "business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." But is the scope of the statutory standing provision limited to those who are actual victims of identity theft or other harm caused by an actual unauthorized disclosure, access, or exfiltration? Is the statutory language susceptible to a broader construction by the California courts?

Proponents of a broader construction can be expected to advocate that any consumer who is merely subject to the risk of possibly having some unauthorized access or theft or disclosure occur "as a result of" any "business's violation of the duty to implement and maintain reasonable security procedures and practices" should also have standing to sue under Section 1798.150(a)(1). The plaintiffs' bar may be expected to contend that any consumer "subject to" such a risk should have standing to sue — before the occurrence of any data breach or identity theft or other tangible harm — because the CCPA mandates that all businesses comply with their "duty to implement and maintain reasonable security procedures and practices" that are appropriate in light of the nature of the personal information at issue.

If courts were to entertain such an open-ended construction of Section 1798.150(a)(1)'s standing provision, that would open the proverbial floodgates of litigation against virtually any company, where the plaintiffs' bar will likely contend that the reasonableness of any business's security procedures and practices should be a triable issue of disputed fact. When coupled with the CCPA's statutory damages provisions, litigation concerning the proper scope of the CCPA's statutory standing provision may take on monumental significance for all affected businesses.

As courts are called upon to interpret the CCPA's standing provision, they will apply familiar rules of statutory interpretation — focusing on the plain meaning of the statutory text, and any relevant portions of the legislative history. See, e.g., Horwich v. Superior Court, 21 Cal. 4th 272, 276-77 (1999). And "[w]hen attempting to ascertain the ordinary, usual meaning of a word, courts appropriately refer to the dictionary definition of that word." Wasatch Prop. Mgmt. v. Degrate, 35 Cal. 4th 1111, 1121-22 (2005). So, here, one can expect the proponents of a broad standing analysis to point to Merriam-Webster's definition of "subject to" as meaning "affected by or possibly affected by (something)." (Emphasis added). This could be used to argue that a mere possible risk of disclosure or theft due to a company's violation of its duty to implement and maintain reasonable security procedures and practices should be enough for any individual consumer to have standing to sue under the CCPA.

But could the California Legislature possibly have intended such a dangerously overbroad interpretation of standing under Section 1798.150(a)(1)? Likely not. Indeed, there is no support for such a broad construction of the standing provision in either the legislative history or preamble to the bill. Nor is there any reference to standing being afforded to those who are merely subject to the possible risk of having their personal information compromised. Quite the opposite. The Senate Judiciary Committee's report on AB 375 (June 25, 2018) recites the text of the statutory standing provision, including its "subject to" language, but then specifically explains at page 21 that "[t]his would create a private right of action for those whose personal information has been compromised through the failure of a business to properly maintain that information." (Emphasis added). Likewise, the CCPA's preamble indicates that the statute "would provide a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer's nonencrypted or nonredacted personal information," without any mention of a mere risk of such access or theft. Similarly, in its discussion of the Legislature's "intent" and what "rights" the CCPA is designed to ensure, Section 2 is entirely silent as to any supposed "right" to be free from a mere risk of disclosure. See CCPA, Section 2(i) ("[I]t is the intent of the Legislature to further Californians' right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights: (1) The right of Californians to know what personal information is being collected about them. (2) The right of Californians to know whether their personal information is sold or disclosed and to whom. (3) The right of Californians to say no to the sale of personal information. (4) The right of Californians to access their personal information. (5) The right of Californians to equal service and price, even if they exercise their privacy rights.").

Accordingly, even if the statutory language might be susceptible of an overbroad interpretation that affords immediate statutory standing to any consumer who is merely subject to a possible risk of having his or her personal information stolen or accessed as a result of a business's failure to implement and maintain reasonable security procedures and practices, the absence of any support for such a broad interpretation in the legislative history or full statutory regime should derail such efforts from the plaintiffs' bar. As the California Supreme Court has held, "[t]he fundamental purpose of statutory construction is to ascertain the intent of the lawmakers so as to effectuate the purpose of the law. In order to determine this intent, we begin by examining the language of the statute. But it is a settled principle of statutory interpretation that language of a statute should not be given a literal meaning if doing so would result in absurd consequences which the Legislature did not intend. Thus, the intent prevails over the letter, and the letter will, if possible, be so read as to conform to the spirit of the act." Horwich, 21 Cal. 4th at 276 (citations and internal quotations omitted).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Carlton Fields | Attorney Advertising
