This final article in IAPP’s series on the California Privacy Rights Act focuses on the law’s enforcement mechanisms and potential penalties. Like the California Consumer Privacy Act, the CPRA includes a private right of action and civil enforcement by the attorney general. It also provides for administrative enforcement by the new California Privacy Protection Agency created by the law. Although civil and administrative enforcement of the CPRA will not begin until July 1, 2023, businesses should be aware of these provisions, particularly as the CPPA takes shape in the coming months. The changes to the private right of action provision and the new reasonable security requirement also merit consideration, particularly given the number of CCPA class actions filed to date.
Administrative enforcement
As detailed in the first article of this series, the CPRA establishes the first state agency dedicated to privacy. One of the CPPA’s functions is to “administer, implement, and enforce” the CPRA through administrative actions while the attorney general retains civil enforcement powers.
The scope of the CPPA’s “Administrative Enforcement” is set out in CPRA Section 1798.155. This provision amends its CCPA counterpart, removing references to the attorney general’s enforcement authority. It deletes the provision in Subsection (a) allowing businesses or third parties to seek guidance from the attorney general regarding compliance and the language in Subsection (b) giving businesses a 30-day period to cure any alleged violation. Whether a business has time to cure an alleged violation is now at the CPPA’s discretion, pursuant to CPRA Section 1798.199.45, and the CPPA is charged with providing guidance to businesses in Section1798.199.40(f).
CPRA Section 1798.155 provides that “[a]ny business, service provider, contractor, or other person that violates [the CPRA] shall be liable for an administrative fine ... in an administrative enforcement action brought by the (CPPA).” The CPPA can investigate possible violations “on its own initiative” or “[u]pon the sworn complaint of any person,” not just California residents, per Section 1798.199.45.
The amount of the potential administrative fine is the same as the CCPA — up to $2,500 per violation or $7,500 per intentional violation — except the CPRA increases the potential fine for violations involving consumers under 16. The specific language in Section 1798.155(a) of the CPRA describes the liability for an administrative fine as “not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation or violations involving the personal information of consumers whom the business, service provider, contractor, or other person has actual knowledge are under 16 years of age.” Section 1798.199.55(b) of the CPRA further provides for joint and several liability with respect to administrative fines “[i]f two or more persons are responsible for any violation or violations.”
Enforcement by the attorney general
The attorney general’s enforcement authority is in Section 1798.199.190 of the CPRA, which states in Subsection (a) that “[a]ny business, service provider, contractor, or other person that violates [the CPRA] shall be subject to an injunction and liable for a civil penalty ... which shall be assessed and recovered in a civil action brought ... by the Attorney General.” Courts have the discretion to “consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of the civil penalty.”
The amount of a potential civil penalty is the same as for an administrative fine, but the language regarding violations involving minors is different. Section 1798.199.90(a) provides for “a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers.” “Actual knowledge” a consumer is under 16 is not required.
It is unclear whether the distinction between these two provisions is significant. Section 1798.199.55(a)(2) of the CPRA, which relates to the CPPA’s fining authority in the context of a determination a violation occurred, uses the same language for minors as the civil penalty provision.
Section 1798.199.90(c) of the CPRA addresses the fact there are two enforcement authorities and requires the CPPA, upon request, to defer to the attorney general regarding investigations and administrative actions, staying its proceedings to allow the attorney general to pursue the matter. It specifically states, “[t]he agency may not limit the authority of the Attorney General to enforce this title.” However, pursuant to Subsection (d), if the agency has issued an order or a decision, the attorney general cannot file a civil action against the person for the same violation. Section 1798.199.100 also provides “[a] business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation.”
Private right of action
As discussed in an earlier article, the CCPA’s private right of action in Section 1798.150 is available to consumers where there are unauthorized access and disclosure of certain nonencrypted and nonredacted personal information due to a business’s failure to “to implement and maintain reasonable security procedures.” The provision references and borrows from Section 1798.81.5 of California’s Customer Records Act, which predates the CCPA and includes a reasonable security requirement for businesses that own, license or maintain personal information about a California resident. The CPRA expands the types of personal information included in the CCPA private right of action provision and clarifies a business’s obligation to provide reasonable security for the personal information it collects, specifically requiring compliance with Section 1798.81.5 of the CRA.
Pursuant to Section 1798.150(a)(1) of the CCPA, only consumers “whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices ... may institute a civil action.” What constitutes “personal information” for purposes of asserting a private right of action is more limited than the broad CCPA definition. The private right of action provision uses the definition of “personal information” from Section 1798.81.5(d)(1)(A) of the CRA. “Personal information” under this subsection means an individual’s name “in combination” with another listed “data element,” “when either the name or the data elements are not encrypted or redacted.” The data elements include a Social Security number, driver’s license or another specified identification number, account number or credit or debit card number with access code or password, medical or health insurance information, or unique biometric data.
The CPRA uses the CRA definition of “personal information” in the newly titled “Personal Information Security Breaches” provision but also adds a consumer’s “email address in combination with a password or security question and answer that would permit access to the account.” This language is similar to the definition of “personal information” in Section 1798.81.5(d)(1)(B) of the CRA, which includes a “username or email address in combination with a password or security question and answer that would permit access to an online account.” Accordingly, a broader scope of personal information may be the basis for a private right of action under the CPRA in the event of unauthorized access and disclosure of information. This provision will be operative Jan. 1, 2023.
As discussed in a 2019 Orrick blog post, it is worth noting that the definition of “personal information” in Section 1798.81.5 of the CRA has been amended several times. In fact, Assembly Bill 825, introduced Feb. 16, 2021, proposes the definition be amended to include genetic information. Any changes to the definition of “personal information” in 1798.81.5 will change the definition in the private right of action provisions of the CCPA and, when operative, the CPRA. Monitoring such amendments will be important since, as noted by the Orrick blog, “each update to this definition will increase the risk of civil liability for companies that experience a notifiable data breach involving California consumers.”
The CPRA also includes a new requirement regarding reasonable security. While the CCPA private right of action provision refers to a business’s duty to implement and maintain reasonable security procedures and practices, the CPRA makes this obligation clear. Section 1798.100(e) of the CPRA obligates businesses collecting consumer’s personal information to “implement reasonable security procedures and practices ... to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.”
Section 1798.150(b) of the CPRA further states “implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.”
Conclusion
Businesses can expect a different enforcement landscape under the CPRA, with both the CPPA and the attorney general having enforcement authority. It will be interesting to watch how the attorney general approaches CCPA enforcement over the next few years and whether the CPPA provides any insight into its enforcement priorities. Similarly, litigation regarding the CCPA’s private right of action provision is likely to inform the interpretation of both the CCPA and CPRA provision.
This article concludes our series on the top-10 operational impacts of the CPRA. We will continue to monitor and report on CCPA enforcement and litigation, the forthcoming CPPA board appointments, CCPA and CPRA rulemaking, and other developments that occur regarding these laws.
Photo by Matthew Hamilton on Unsplash
