The CCPA is enforced by the California state attorney general. Businesses found to be in violation of any of their obligations imposed by the CCPA are subject to a civil penalty of up to $2,500 per violation and up to $7,500 per willful violation. All settlements will be directed towards a new “Consumer Privacy Fund,” which will be used to offset future costs incurred by the courts or the state attorney general in relation to these requirements.
On or before January 1, 2020, the state attorney general should adopt additional regulations to further clarify some of the more ambiguous points under the CCPA, including:
Under the CCPA, consumers are only provided with a right to private action when they have been subject to a personal data breach. Under the CCPA, a breach is defined as any incident where consumers’ non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information. The CCPA refers specifically to personal data breaches defined under California’s Breach Notification Law.
Therefore, private right of action becomes available when a breach, as defined above, occurs regarding the following personal information:
* As noted previously, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Prior to initiating a private right of action, consumers must provide the business with a 30-day written notice identifying the specific provisions that have been violated. If the business can offer a resolution for the violation within the 30-day period, it must provide the consumer with a written statement notifying the consumer of the resolutions and that no class action may be initiated. If, however, the business continues to violate its security requirements to protect personal data, the consumer may initiate a class action against the business. Through a private right of action, consumers are granted the ability to seek damages of $100 – $750 per incident, or actual damages. When determining the amount of statutory damages to apply to a business who has experienced a breach, the court will consider the nature and seriousness of the breach, the number of violations, the length of time the breach occurred, whether the business’s misconduct was willful, and the defendant’s financials.
This blog is part of an educational series that will explain the fundamentals of California’s upcoming data protection act, CCPA – who it impacts, how to comply, and more. Follow along as our expert team breaks down the complexities of CCPA.