06 July 2020
From July 1st, 2020, the California Attorney-General will begin enforcing the California Consumer Privacy Act (CCPA).
From this date, the Attorney-General can pursue a civil penalty from any person that fails to comply with the CCPA. These fines could easily add up to hundreds of millions of dollars in some cases and will apply to a violation of any section of the CCPA.
Businesses showing a proactive and reasonable approach to compliance may be able to escape a penalty, even where a CCOA violation has occurred.
Let's consider what we know so far about the CCPA's penalties, and how to avoid them.
The CCPA focuses on "businesses," meaning for-profit entities that operate in California and meet at least one of the following thresholds:
A careful reading of the CCPA's section on civil penalties suggests that not only businesses will be liable for a penalty under the CCPA at section 1798.155:
The CCPA's penalties can apply to businesses, service providers (companies that process personal information on behalf of a business pursuant to a written contract), and "other people."
The civil penalty is one of two types of enforcement mechanisms in the CCPA, the other being a private right of action which allows consumers to pursue civil legal claims against businesses.
Unlike the CCPA's private right of action, which can only be triggered by a data breach, the California Attorney-General can pursue penalties from businesses that violate any part of the CCPA.
Examples of CCPA violations that could result in a civil penalty include:
Service providers may be liable for a CCPA penalty if they use, retain, or disclose personal information for purposes outside of their contract with a business.
Other than businesses and service providers, other people could possibly breach the CCPA's rules on the onward transfer of personal information. For example, if a third party unlawfully sells personal information it has received from a business.
The California Attorney-General can pursue a civil penalty from a business, service provider, or other person that has been notified of a CCPA violation and has failed to cure it within 30 days:
This notification is likely to come from the California Attorney-General, as this is the office responsible for pursuing penalties under this section.
However, it appears that notification of a CCPA violation under this section may come from a consumer. This may be true whether or not the consumer can take private action against the business (i.e. even if the violation does not amount to a data breach).
Under California's other major privacy law, the California Online Privacy Protection Act (CalOPPA), the Attorney-General has required businesses to submit "compliance plans" detailing how they will cure alleged violations within the 30-day notice period. We may expect to see similar enforcement action taking place under the CCPA.
If the business rectifies its violation within 30 days, it can avoid a civil penalty.
If the business fails to cure its violation within 30 days, the California Attorney-General will pursue a penalty from the business.
If a business is found to be liable for a civil penalty under the CCPA, the amount will be:
A "violation" occurs each time a consumers' rights are violated by a non-compliant business. As such, these penalties can add up to some phenomenal amounts.
We can learn from previous cases under CalOPPA when considering how the California Attorney-General might go about calculating CCPA penalties.
The Attorney-General's case failed, but it gives an indication of how "violations" are counted. A "violation" of CalOPPA had occurred each time Delta's app had been downloaded by a consumer.
So, for example, if Delta's app had been downloaded by 100,000 consumers (a very conservative estimate), and if the Attorney-General had pursued the highest penalty available under CalOPPA ($2,500 per violation), the penalty could have totaled $250 million.
So, a penalty in the hundreds of millions was possible even under CalOPPA. And note that the CCPA's maximum fine is much larger than CalOPPA's, at $7,500.
We can imagine how, like with CalOPPA, CCPA violations could quickly stack up.
For example, businesses that regularly transfer personal information to third parties without valid notice, for example using third-party cookies, could be committing thousands of violations per day.
In California law, one "violation" occurs per consumer, and so multiple instances of the same violation against the same consumer will only count as one violation.
Therefore, whether a consumer downloads a non-compliant app once or five times, only one violation has occurred.
Cases such as People vs. First Federal Credit show that the California Attorney-General has the discretion to pursue smaller penalties from smaller businesses that would not have the resources to pay the full $2,500 or $7,500 penalties available to it.
The Attorney-General is also likely to impose smaller fines on businesses that are cooperative and approach CCPA compliance in good faith.
Understandably, many businesses are nervous at the prospect of a privacy law that can lead to fines in the hundreds of millions.
But the CCPA is clearly designed to encourage businesses to take reasonable steps towards compliance, and there is every indication that the California Attorney-General will act reasonably where businesses approach compliance in good faith.
Working toward CCPA compliance at the earliest possible opportunity will help ensure you are not subject to allegations of having violated the law.
If you do unintentionally violate the CCPA, it will be far easier to cure your violation within the 30-day notice period from a position of preparedness.
Some key steps you can take towards CCPA compliance include:
Here's what we know so far about CCPA penalties:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.