CCPA 2.0 and the Changing Privacy Landscape, Part VII: Penalties and Enforcement Mechanisms
As discussed throughout this series, the passage of the California Privacy Rights Act (CPRA) will change the privacy landscape in California and impact the compliance efforts of businesses serving California consumers. Beyond expanding the rights promised to consumers under the California Consumer Privacy Act (CCPA), the CPRA, passed on November 3, 2020, also creates new penalties and enforcement mechanisms for subject businesses; those are the subject of this seventh installment in our series. As previously discussed, the CPRA is fully operative on January 1, 2023 (with a look-back period beginning January 1, 2022). As we know from the lead-up to the CCPA’s enforcement, these deadlines pass quickly, and it is important for businesses to understand the potential penalties for noncompliance.
In addition to a private right of action and civil enforcement by the California Attorney General’s office, which were previously created under the CCPA, the CPRA creates the California Privacy Protection Agency (CPPA, or Agency). The Agency will have administrative enforcement powers to effect compliance with the amended California privacy law.
The CPPA is the first state agency dedicated to privacy enforcement and is similar to the data protection authorities that enforce the General Data Protection Regulation (GDPR) in each of the European Union Member States. One of the Agency’s main functions will be to administer, implement, and enforce the CPRA through administrative actions. The CPRA creates the possibility that subject businesses may be liable for an administrative fine as the result of an administrative enforcement action brought by the Agency. The CPPA will be authorized to investigate possible violations either upon receiving a complaint from any person, not limited to California residents, or on its own initiative.
Critically, while the CCPA gave the California Attorney General the authority to investigate violations, the CCPA granted potentially out-of-compliance businesses a 30-day window to cure any violation identified by the Attorney General before that office could begin enforcement actions. The CPRA removes this “right to cure” for subject businesses.
Potential administrative fines under the CPRA may not exceed $2,500 per violation, or $7,500 per violation that is intentional or involves the personal information of individuals under 16 years of age, the same amounts originally outlined under the CCPA. Further, the CPRA provides for joint and several liability with respect to administrative fines where two or more persons are responsible.
Private Right of Action
The private right of action created under the CCPA remains an enforcement mechanism under the CPRA. This mechanism is available to consumers whose information is impacted in a data security incident, as specifically defined under Section 1798.150(a)(1) of the CPRA. In such a situation, California consumers “whose nonencrypted and nonredacted personal information [as defined under Section 1798.81.5(d)(1)(A) or their email address and the means to access that account]... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices ... may institute a civil action.”
Additionally, the CPRA creates a new reasonable security requirement associated with a consumer’s private right of action. Under the CPRA, businesses collecting consumers’ personal information must implement reasonable security practices and procedures to protect the personal information from a data security incident.
Attorney General Enforcement
The California Attorney General’s enforcement authority over data privacy created by the CCPA is maintained in the CPRA. Section 1798.199.190 of the CPRA states that “[a]ny business, service provider, contractor, or other person that violates [the CPRA] shall be subject to an injunction and liable for a civil penalty ... which shall be assessed and recovered in a civil action brought ... by the Attorney General.” As with administrative enforcement, civil penalties for violations of the CPRA may not exceed $2,500 per violation, or $7,500 per violation that is intentional or involves the personal information of individuals under 16 years of age.
Enforcement by Either the Attorney General’s Office or CPPA
The CPRA acknowledges that two authorities can enforce it and requires the Agency, upon request, to defer to the California Attorney General regarding administrative actions and investigations by pausing its proceedings while the Attorney General’s office reviews the matter.
Because the CPRA creates two enforcement authorities, the legislation provides that if the Agency has issued an order or decision regarding a violation, the California Attorney General’s office cannot pursue a civil action for that same violation. Further, a business cannot be required to pay both an administrative fine and a civil penalty for the same violation.
Lewis Brisbois’ Data Privacy & Cybersecurity Team will continue to monitor developments around the implementation of the CPRA. Please revisit this blog and subscribe to Digital Insights to receive email notifications about further installments in our CPRA series analyzing how the CPRA will amend the CCPA and impact businesses operating in California.