The California Consumer Privacy Act (CCPA), which became effective January 1, 2020, regulates the collection, use, disclosure, and security of personal information and is a significant change from prior federal and state privacy laws in the United States.
The CCPA gives individuals rights over their personal information, including the right to deletion, the right to know, and the right to opt out of the selling of personal information. The law broadly defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o)(1). The CCPA applies to companies that “do business” in California and (1) have an annual gross revenue of $25 million or more; (2) collect, share, or sell data of 50,000 California residents or more; or (3) derive at least 50 percent of their annual revenues from selling personal information. Cal. Civ. Code § 1798.140(c).
The key requirements for businesses subject to the CCPA include
- providing specific, detailed public privacy notices to consumers about the business’s data collection, use, sharing, and selling practices;
- responding to consumer requests to access, delete, or stop selling their data; and
- implementing reasonable data security measures to safeguard consumers’ information.
Many businesses unfamiliar with robust privacy regulations, like the European General Data Protection Regulation (GDPR), have spent significant time, money, and resources on ensuring compliance with the CCPA. For example, businesses subject to the CCPA have had to inventory what personal information they collect, adopt internal procedures to handle requests from consumers, and publicly post detailed privacy notices that cover both in-person and online interactions with consumers and employees. Businesses that “sell” personal information—defined by the CCPA as the exchange of personal information for “valuable consideration”—have had to place a “Do Not Sell My Info” link or button on the bottom of their websites.
Attorney General Enforcement and Penalties for Violations
The California attorney general will enforce the CCPA through civil actions beginning July 1, 2020. The legislature delayed enforcement to provide the attorney general more time to finalize regulations for the CCPA. Draft regulations were released on October 10, 2019; however, many privacy professionals do not anticipate finalized regulations until the spring of 2020, notwithstanding the fact that the law went into effect on January 1 of this year.
Penalties for violating the law include a $2,500 fine for each negligent violation and a $7,500 fine for each intentional violation. However, businesses have 30 days to cure any noncompliance before the attorney general may bring an action. It is unclear, however, whether the 30-day cure period is a true “get out of jail free card” or might be limited in some way by the California attorney general.
At this time, most attorneys and privacy practitioners expect that the California attorney general will rely heavily on consumer complaints and data breaches as the basis for enforcement actions, especially where there are multiple complaints or egregious security mistakes accompanying a data breach.
Private Right of Action for Data Breaches
Even though the CCPA does not create a broad private right of action for all violations of the law (as some had proposed), a consumer may bring an action if a business exposes certain consumer personal information in a data breach and the data breach was caused by the business’s failure to use reasonable data security practices. Cal. Civ. Code § 1798.150(a)(1).
In previous reports, the attorney general indicated that “reasonable [data] security practices” include implementing the minimum level of controls identified by the Center for Internet Security’s Critical Security Controls. See generally Kamala D. Harris, Attorney General, California Data Breach Report, at ii (Feb. 2016). Examples of controls include
- continuous vulnerability management,
- inventory of software and hardware,
- account monitoring,
- security training, and
- penetration testing (i.e., testing designed to identify and exploit vulnerabilities in a business’s security measures).
Id. at 39.
Consumers who bring an action under the CCPA may recover the greater of (a) statutory damages between $100 and $750 per consumer per incident or (b) actual damages. Cal. Civ. Code § 1798.150(a)(1). Consumers may also seek injunctive or declaratory relief or “[a]ny other relief the court deems proper.” Id. Prior to filing an action for statutory damages, the consumer must provide the business 30 days’ written notice identifying the specific provision of the CCPA that the business allegedly violated. If the business (1) can and does cure the violation within the 30 days, (2) notifies the consumer in writing of the cure, and (3) does not violate the CCPA again within the 30 days, then the consumer cannot bring an action for statutory damages. No such notice to the business is required for actions seeking actual pecuniary damages.
Given the potential for both state enforcement actions and private actions related to data breaches, the CCPA will likely give rise to a new wave of privacy litigation in California. Given the CCPA’s broad scope and reach, we also expect jurisdictional challenges, as well as challenges to the delegation of regulatory authority to the California attorney general.
All businesses subject to the CCPA should consult with an experienced privacy attorney and move swiftly to meet the CCPA’s key requirements, if they have not already done so.