In Part One of this blog we introduced the California Consumer Privacy Act of 2018 (CCPA) and highlighted some of the important points organizations need to look out for to be compliant. In Part Two we elaborated on the scope of the CCPA in terms of businesses covered and their obligations. In this final part we will discuss how the CCPA will be enforced and what you can do now to become CCPA compliant.
Although the CCPA will not go into effect for more than a year from now, due to recent scandals and the privacy movement in California, it seems likely that it will be aggressively enforced. There are mainly two avenues for enforcement: through a private right of action and by the California Attorney General.
Private Right of Action
The CCPA provides consumers with a private right of action to seek damages for unauthorized access and exfiltration, theft, or disclosure of their nonencrypted or nonredacted personal information, either as statutory damages of no less than $100 and no more than $750 per incident, or as actual damages. When assessing the amount of statutory damages, courts will consider:
- the nature and seriousness of the misconduct,
- the number of violations,
- the persistence of the misconduct,
- the length of time over which the misconduct occurred,
- the willfulness of the defendant’s misconduct, and interestingly enough
- the defendant’s assets, liabilities, and net worth.
While $750 seems to be a nominal amount, a typical breach usually involves hundreds, if not thousands, of records, so $750 per incident can add up pretty quickly.
However, there are some roadblocks along the way before an individual can recover statutory damages. Consumers will first be required to provide the business with 30 days’ written notice to remediate the violation. If within those 30 days the business actually remediates the violation and provides the consumer with an express written statement that the violations have been cured and that no further violation shall occur, no action for individual statutory damages or class action can be initiated against the business. I can’t think of any business that will not try to provide a written statement, even at the price of misrepresentation. Would this mean that the CCPA will not have any teeth? Let’s hope not. If the violation continues despite the business’s written statement, the consumer will have the right to file a lawsuit for statutory damages for each breach of the express written statement as well as any subsequent violations.
Fortunately, if the consumer is seeking actual pecuniary damages suffered as a result of alleged violations of the CCPA, no such notice is required.
The Champion of California Privacy – The Attorney General
A consumer who brings a lawsuit against a business must notify the California Attorney General within 30 days after the action has been filed. The Attorney General must act within 30 days and has mainly two options: (1) prosecute the violation itself (although if the Attorney General then does not prosecute within 6 months, the consumer may proceed with the action), or (2) do nothing and let the consumer proceed with the lawsuit.
Businesses that fail to cure any alleged violation within 30 days after being notified shall be liable for a fine of up to $2,500 per violation.
Any business or service provider that intentionally violates any provision of the CCPA may be liable for a fine of up to $7,500 for each violation.
What Should Your Company Do Now?
In anticipation of the changes to California law that will go into effect on January 1, 2020, US businesses likely to be affected by the new law should review their use and collection of personal information and consider the implementation of the following. One thing to note is that the CCPA is likely not in its final form. Regulators will likely clean up and may significantly alter it between now and January 1, 2020.
- Recognize how this new act (as well as GDPR) applies to your business, especially if you use online behavioral advertising and analytics to monitor the use of your website or app.
- Chat regularly with your marketing team to figure out more about their personal data collecting, sharing, and storage practices.
- Conduct a privacy / security assessment to understand how personal data (considering its new all-encompassing definition) is collected, used, disclosed, and sold. Identify gaps and prioritize remediation to ensure your company’s readiness for compliance with the CCPA.
- Implement technological changes needed to comply with this new law, allowing ample lead time to complete.
- Implement processes to be able to address any requests connected to California residents exercising their new privacy rights, including verification of identity, with special consideration for children under the age of 16.
- Implement recognized security frameworks / standards, such as NIST or ISO 27001 to demonstrate that your business implemented “reasonable security procedures and practices” and check whether you could encrypt or redact consumers’ personal information.
- Take a look at your third-party data processing relationships (i.e., whether they handle any of your customers’ in-scope data) and contractual agreements. Implement changes as necessary to reflect the requirements of the CCPA.
- Train your staff on the new requirements and “execution” of CCPA, well ahead of its effective date.
- Consider the use of California-only websites and offerings (though this may not be worth the effort as other states are expected to follow suit).
What the Future Brings
It is game on. The US privacy landscape has changed. According to the International Association of Privacy Professionals (IAPP), more than 500,000 US businesses (most of them small- to medium-size companies) will be affected by this new law. Even companies anywhere in the world that hold personal data of California residents and meet the relevant threshold will have to comply with the CCPA. And the CCPA is just the beginning. It is inevitable that other US states will enact similar data privacy laws that support a higher standard of transparency and accountability. Companies in the US and abroad must recognize that we are in an era where good privacy is good business. Organizations should not lag. Now is the time to get ahead of the curve by implementing leading-edge programs to align with the ever-increasing expectations of privacy. It is obvious that some of the provisions of the CCPA mirror the requirements of GDPR, although its overall scope is much narrower and therefore much less comprehensive. Nevertheless, companies that comply with GDPR and the CCPA will gain an undeniable competitive advantage over those who take a “wait and see” approach. Very simply, it is Privacy or Perish – just ask the now-defunct Cambridge Analytica.
If you would like to learn more about how the CCPA will affect your organization, feel free to leave a comment below. You can learn more about Online's Risk, Security and Privacy practice by visiting our website or reading our collection of blogs.