
CPRA Brings Heightened Enforcement Risk Alongside Data Breach Private Right of Action

Kyle Richard Fath

Summary

  • The CPRA amends the CCPA substantially, including, among other things, by imposing more prescriptive notice obligations as to the types of data collected and time periods for data retention, adding four new consumer rights and corresponding obligations for businesses, and heightening contractual requirements with data recipients.
  • The CCPA provides a private right of action for data breaches attributable to a failure to maintain reasonable security, and the title makes clear that it may not be the basis for any other private right of action. The private right of action remains largely unchanged by the CPRA, which, like the CCPA, provides a private right of action only for data breaches.
  • The consensus is that neither the current version of the title nor the CPRA-amended version would invalidate class action waivers, in view of settled Supreme Court precedent on the Federal Arbitration Act and preemption of states’ attempts to do so.
  • Given the complexity of the law, which may eventually number in the hundreds of pages once regs are adopted, organizations must begin understanding and preparing for the CPRA well in advance of 2023.

More than a year after its effective date, the California Consumer Privacy Act (CCPA) remains top of mind for businesses. In the first quarter of 2021, additional CCPA regulations were finalized; board members were named to the new privacy agency tasked with enforcing the California Privacy Rights Act (CPRA); California attorney general (AG) and CCPA enforcer Xavier Becerra was confirmed for his federal Cabinet position and vacated his AG post; and his replacement, Assembly member Rob Bonta, was named as the next attorney general. On Election Day 2020, California voters passed the CPRA ballot referendum—referred to by some as “CCPA 2.0”—only 10 months after the CCPA became effective and only five months after enforcement of the CCPA by the Office of the Attorney General of California (OAG) began.

The CPRA amends the CCPA substantially, including, among other things, by imposing more prescriptive notice obligations as to the types of data collected and time periods for data retention, adding four new consumer rights and corresponding obligations for businesses, and heightening contractual requirements with data recipients. As to litigation risk and enforcement of the law, the CPRA also changes the private right of action for security breaches, as well as the rulemaking and enforcement authority under the title. While the OAG’s enforcement of the CCPA has been far more circumscribed than expected, due in part to the OAG’s focus on issues related to the COVID-19 pandemic, businesses can expect appreciably higher enforcement risk and activity under the CPRA. Businesses can also expect that the spate of actions from private litigants—including cases that attempt to expand the private right of action beyond security breaches—will continue under the CPRA.

The CPRA’s Private Right of Action

The CCPA provides a private right of action for data breaches attributable to a failure to maintain reasonable security, and the title makes clear that it may not be the basis for any other private right of action. The private right of action remains largely unchanged by the CPRA, which, like the CCPA, provides a private right of action only for data breaches.

The title provides for an opportunity to cure before a litigant is entitled to seek statutory damages, and the same cure provisions remain following passage of the CPRA. While it is somewhat unclear in which situations it is possible to cure a security breach, the CPRA has clarified what is not a cure. In particular, the CPRA provides that “[t]he implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.” Thus, statutory damages cannot be avoided by fixing a vulnerability that already resulted in an incident. Accordingly, the cure seems limited to curing a vulnerability before the “unauthorized access and exfiltration, theft or disclosure results from the business’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

The CPRA also expands the scope of information covered by the private right of action to include “email address in combination with a password or security question and answer that would permit access to the account.” This expands the scope of personal information subject to the CCPA/CPRA’s security provisions from only what is defined in California Civil Code section 1798.81.5(d)(1)(A) to also include subsection (d)(1)(B).

With these minor changes to the private right of action provisions, organizations can expect that the litigation activity under the post-CPRA version of the title will continue. Certainly, cases based on the CCPA and plaintiffs’ success under them—including in the cases where they are bootstrapping non-data-breach CCPA violations as grounds for private actions, as in the case involving videoconferencing giant Zoom—will have a bearing on litigation following the effective date of the CPRA amendments as well.

Class Action Waivers Banned?

The CPRA purports to prohibit businesses from obtaining class action waivers from consumers. In particular, it states that

[a]ny provision of a contract or agreement of any kind, including a representative action waiver, that purports to waive or limit in any way rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

(The CPRA addition, set in bold/italics in the original, is the phrase “including a representative action waiver.”)

However, the consensus is that neither the current version of the title nor the CPRA-amended version would invalidate class action waivers, in view of settled Supreme Court precedent on the Federal Arbitration Act and preemption of states’ attempts to do so.

Concurrent Application of the CCPA and CPRA: Jan. 1 Through July 1, 2023

The Agency may begin administrative enforcement of the CPRA-amended title on July 1, 2023, six months after the operative date of January 1, 2023, for most of its provisions (certain provisions, like those establishing the Agency and extending the exemptions for human resources and business-to-business data, became effective immediately upon passage). Similarly, newly added section .185(d) provides that the OAG may begin to bring civil actions for violations of the CPRA-amended title, and private litigants may bring civil actions for personal information security breaches under the CPRA-amended title provisions, starting on July 1, 2023 (though there is ambiguity as to the latter, discussed in further detail below). The original CCPA, meanwhile, remains effective and enforceable through the CPRA’s July 1, 2023, enforcement date.

While technically the expanded CPRA obligations will apply during this stub period, they cannot be enforced until July, creating a safe harbor during that period. That said, a more surgical review of the relevant provisions regarding the concurrent application and enforcement safe harbor reveals many nuances that are outside the scope of this article but should be closely considered and understood by businesses.

The Agency’s Administrative Enforcement Procedure

The CPRA sets forth a prescriptive procedure under which the Agency will administratively enforce the CPRA alongside the California Administrative Procedure Act. The CPRA provides that, to commence an investigation, the Agency may either act upon a complaint or investigate possible violations on its own initiative. The Agency has seemingly broad audit authority, introduced in concept and to be fleshed out in the regulations, that will likely inform and form the basis of some of its investigations. As to complaints, any “person”—that is, any individual or organization—may bring a CPRA complaint to the Agency. This means that consumers, competitors, vendors, customers, consumer advocacy groups, whistleblowers, and other parties have standing to bring complaints about a business’s privacy practices. The Agency is afforded discretion “not to investigate and must notify the complainant of the decision on whether to take action, along with the reasons for such action or inaction.”

The Agency’s enforcement actions are split into two different hearings—one for determining probable cause for further investigation and, if the Agency determines probable cause, a second, full administrative hearing. Upon commencement of an investigation, the Agency must give the alleged violator a 30-day notice of the Agency’s consideration of the alleged violation before considering whether probable cause of a violation exists. The notice must also include a summary of the evidence, and must inform the alleged violator of its right to be present in person and represented by counsel at any proceeding of the Agency held for the purpose of considering whether probable cause exists. The Agency holds a private proceeding for the purpose of considering whether there is probable cause (unless the alleged violator files a request that it be public).

If the Agency determines there is probable cause for believing the title has been violated, then the Agency will hold an administrative hearing in accordance with the California Administrative Procedure Act. The Agency may subpoena witnesses; take evidence; and require by subpoena the production of books, papers, records, or other items material to the performance of the Agency’s duties.

There is no automatic right to cure for violators under the Agency’s enforcement mandate, as there has been for OAG actions under the original CCPA. If the Agency determines on the basis of the administrative hearing that a violation or violations have occurred, it has the discretion to permit the violator “a time-period to cure the alleged violation” (notably, the CPRA states that only a covered “business” can be provided a right to cure, though this is likely an error, and the same discretion is expected to be applied to service providers and contractors). If the violator fails to cure, or if the Agency forgoes a cure period, the Agency may seek injunctive relief and/or payment of administrative fines. The administrative fines in the CPRA-amended title are up to $2,500 for each violation, or up to $7,500 for each intentional violation or violation involving minors. The CPRA introduces the concept of joint and several liability of multiple violators. The Agency may bring a civil action for unpaid administrative fines.

If, after an administrative hearing, the Agency determines that no violation has occurred, the Agency must publish a declaration so stating. Any decision of the Agency with respect to a complaint or administrative fine is subject to judicial review in an action brought by an “interested party” and will be subject to an abuse of discretion standard. Clearly, what constitutes an interested party is a matter that will be subject to much debate.

A five-year statute of limitations applies to the Agency’s enforcement ability; however, if an alleged violator engages in “fraudulent concealment” of its acts or identity, or fails to produce or delays the production of documents sought by subpoena under a CPRA administrative proceeding, the five-year statute of limitations will be tolled for the period of concealment and for the period of delay, respectively.

Attorney General Enforcement

The OAG’s enforcement of the original CCPA ends, and its enforcement of the CPRA-amended title begins, on July 1, 2023.

Like under the current CCPA, the AG can seek injunctions and civil penalties under the CPRA-amended title. The court hearing the civil action has discretion to consider the good faith cooperation of the alleged violator when determining the amount of the civil penalty. Notably, however, the CPRA-amended title does not mandate a cure opportunity when a civil action is brought by the OAG after July 1, 2023, but the OAG likely will have prosecutorial discretion to offer one.

The CPRA addresses overlap between OAG and Agency enforcement. The Agency must stay an administrative action or investigation upon request of the OAG and cannot thereafter pursue an investigation or administrative action on the matter unless the OAG subsequently determines not to pursue an investigation or civil action. However, the OAG cannot bring a civil action for the same violation that is the basis of an Agency decision or order. A business must not be required to pay both an administrative fine and a civil penalty for the same violation. Interestingly, this requirement does not mention the other defined parties in the CPRA, such as service providers, contractors, or other persons, but that omission is likely unintentional.

Enforcement by City Attorneys and County District Attorneys?

Some, including Californians for Consumer Privacy, the organization responsible for the CCPA and CPRA, assert that county district attorneys and certain city attorneys have the power to bring civil actions for violations of the CPRA-amended title. This position, however, is questionable, as explained below.

The current CCPA provides that “[t]he civil penalties provided for in [section .155] shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.” The CPRA amends section .155 to instead govern administrative enforcement by the Agency and adds section .199.90, which will govern, in part, civil actions brought under the CPRA-amended title. Section .199.90 of the CPRA-amended title does not include the provision providing exclusive enforcement power to the OAG. As a result, proponents of the additional enforcement bodies argue that section 17200 of the Business and Professions Code (also known as the “Unfair Competition Law” (UCL)) allows the OAG, county district attorneys, and certain city attorneys (of cities with population > 750,000) to bring civil actions for violations of the CCPA.

The viability of these claims is questionable for a number of reasons, which will not be addressed in this article. That said, businesses still face the risk of expanded enforcement by these potential, additional enforcement bodies.

Issuance of Regulations

In addition to its administrative enforcement responsibilities, the Agency will assume the OAG’s responsibility of issuing regulations under both the currently effective CCPA and the CPRA-amended title. There is a distinction, likely unintended, that delineates when the Agency may begin issuing regulations and when it will fully assume rulemaking responsibility from the OAG. The applicable provisions arguably provide a period of overlap where both the Agency and OAG have the authority to issue regulations, though that certainly cannot have been the intent of the authors. It remains to be seen when the Agency in fact assumes rulemaking responsibilities. Given that final regulations under the CPRA-amended title must be adopted by July 1, 2022, the Agency has a very short timeline to carry out this task, regardless of when it takes over.

Considering the significant mandate for regulations—there are 22 enumerated areas in which the CPRA mandates new regs, compared to the original CCPA’s seven—the Agency may only have time and resources to focus on new CPRA mandates once it takes the helm of the rulemaking authority from the OAG. However, issues avoided by the OAG’s rulemaking under the current CCPA, such as sales in the context of digital advertising and third-party cookies, could also be of interest to the Agency, and the Agency will have the authority to rewrite the regs previously issued by the OAG.

The Agency will likely issue a first set of draft regulations by late summer or fall 2021. Businesses should expect the regulations to be quite voluminous, with the page count likely numbering in the triple digits (in comparison, the CCPA regulations are 28 pages long).

Conclusion

With an agency tasked solely with enforcing the law and issuing regulations under it, organizations can expect increased rulemaking and enforcement activity of this greatly complicated legal regime. Given the complexity of the law, which may eventually number in the hundreds of pages once regs are adopted, organizations must begin understanding and preparing for the CPRA well in advance of 2023. With CPRA regulatory activity to begin as early as the summer of 2021 and to continue into 2022, businesses should engage with and prepare their stakeholders early and often in order to be ready for the CPRA’s changes.
