
CCPA fundamentals (or CCPA 101): Consequences of Violating the CCPA, and New Data Breach Requirements

Type: Blog
Topic: Compliance

What are the consequences of non-compliance with requirements under the CCPA?

The CCPA is enforced by the California state attorney general. Businesses found to be in violation of any of their obligations imposed by the CCPA are subject to a civil penalty of up to $2,500 per violation and up to $7,500 per willful violation. All settlements will be directed towards a new “Consumer Privacy Fund,” which will be used to offset future costs incurred by the courts or the state attorney general in relation to these requirements.

What is expected of the state attorney general prior to the effective date?

On or before January 1, 2020, the state attorney general should adopt additional regulations to further clarify some of the more ambiguous points under the CCPA, including:

  • Updating additional categories of personal information to address technological changes
  • Updating the definition of unique identifiers to address technological changes
  • Updating to include additional exemptions to comply with federal or state law, such as those relating to trade secrets and intellectual property rights
  • Updating to establish rules regarding how consumers can submit requests to opt out of the sale of personal data, including the adoption of a “recognizable and uniform opt-out logo or button”
  • Updating to ensure notices are provided to consumers in easily readable language

What are the new requirements surrounding personal data breaches?

Under the CCPA, consumers are only provided with a private right of action when they have been subject to a personal data breach. Under the CCPA, a breach is defined as any incident where consumers’ non-encrypted or non-redacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of its duty to implement and maintain reasonable security procedures and practices, appropriate to the nature of the information, to protect that personal information. The CCPA refers specifically to personal data breaches as defined under California’s Breach Notification Law.

Therefore, a private right of action becomes available when a breach, as defined above, occurs involving the following personal information:

  • An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    • Social security number
    • Driver’s license number or California identification card number
    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account
    • Medical information
    • Health insurance information
    • Information or data collected through the use or operation of an automated license plate recognition system
  • A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

* As noted previously, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Prior to initiating a private right of action, consumers must provide the business with a 30-day written notice identifying the specific provisions that have been violated. If the business can offer a resolution for the violation within the 30-day period, it must provide the consumer with a written statement notifying the consumer of the resolution and that no class action may be initiated. If, however, the business continues to violate its security requirements to protect personal data, the consumer may initiate a class action against the business. Through a private right of action, consumers are granted the ability to seek damages of $100 – $750 per incident, or actual damages. When determining the amount of statutory damages to apply to a business that has experienced a breach, the court will consider the nature and seriousness of the breach, the number of violations, the length of time over which the breach occurred, whether the business’s misconduct was willful, and the defendant’s financials.

This blog is part of an educational series that will explain the fundamentals of California’s upcoming data protection act, CCPA – who it impacts, how to comply, and more. Follow along as our expert team breaks down the complexities of CCPA.



Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.