Violating the new California Consumer Privacy Act (CCPA) exposes organizations to potentially large civil penalties and statutory damages. Thanks in part to the size of those penalties, as well as California's size and population, the CCPA is likely to shape data protection practices nationwide.
This final installment in a five-part series exploring the CCPA’s operational impacts analyzes the penalties and enforcement mechanisms created by the new law. Prior installments explored, in Part One, the law’s scope; in Part Two, its transparency and notice obligations; in Part Three, responding to subject access requests; and in Part Four, consumer rights to erasure, non-discrimination, and opt-out of personal information sales.
Civil penalties under the CCPA and Section 17206 of the Business and Professions Code
The CCPA's principal liability provision is Section 1798.155 of Title 1.81.5. Under subsection (a), California's attorney general may bring an action against any business or individual that violates the CCPA, seeking civil penalties of up to $2,500 per violation as allowed by Section 17206 of the Business and Professions Code. Before any such action, however, the business has 30 days after receiving notice of noncompliance from the California Attorney General's office to cure the alleged violation; only if it fails to do so within that period is it subject to an enforcement action.
This mechanism is the same one used to enforce the California Online Privacy Protection Act (CalOPPA), a 2003 law that requires operators of commercial websites that collect personally identifiable information to "conspicuously" post a privacy policy. Enforcement of the CCPA will likely follow the same rules as CalOPPA and the other laws that rely on Section 17206 for their penalty, which means that penalties will be tabulated per consumer: each user whose information is illegally processed, sold, and so on represents an independent violation.
To illustrate, if a business sells the profiles of 100 users who have asked that their information not be sold, the maximum penalty is $25,000, not $2,500. This interpretation finds support in the 1973 California Supreme Court case People v. Superior Court, which held that the number of violations is the number of persons at whom the violations were directed, with multiple violations against the same person (in that case, material misstatements) counted together as one violation. Selling a single consumer's profile multiple times will therefore likely constitute a single violation.
Penalties under Section 17206 may be reduced where the defendant lacks the financial ability to pay them (see People v. First Federal Credit Corp. and Hewlett v. Squaw Valley Ski Corp.). Moreover, under Section 17206(b) the court sets the amount by considering the nature, persistence, length, willfulness, and seriousness of the misconduct. The California Attorney General's 2012 application of CalOPPA to mobile apps illustrates how this framework has been applied in practice.
The CCPA does present one crucial difference from CalOPPA and its other predecessors: intentional violations carry a higher cap of $7,500 per violation, as specified in Section 1798.155(b). This indicates that the California legislature views willful violations of data privacy more seriously than ordinary unfair competition violations. If imposed to the full extent of the law, penalties at this level could threaten the survival of an enterprise that willfully violates the law.
To illustrate the implications of these penalties, consider their possible effect on Facebook, whose Cambridge Analytica scandal was one of the motivations for the citizens' initiative that inspired the CCPA (see Section 1798.198(b)). Based on publicly available data and some estimation, Facebook has approximately 24.6 million users in California. Using that figure, were Facebook found to have violated the CCPA with respect to each of those users, it could face a theoretical maximum penalty of roughly $61.6 billion for an unintentional violation and up to $184.7 billion for an intentional one.
Private right of action under the CCPA
The CCPA, unlike CalOPPA, grants a private right of action to individual Californians under Section 1798.150 of Title 1.81.5. That section gives any natural person who is a California resident a right of action if their unencrypted or unredacted personal information has been exposed as a result of a business's failure to maintain reasonable security safeguards. Note that the definition of personal information in this section is the one found in Title 1.81, Section 1798.81.5(d)(1)(A), not the broader definition used in the remainder of the act. This definition is considerably narrower: it is limited to a person's name (at least first initial and last name) in combination with their Social Security number, driver's license or state identification number, bank account or credit card information, or medical or health insurance information.
There is no pecuniary damages requirement; plaintiffs can instead seek statutory damages of between $100 and $750 per consumer per incident, injunctive or declaratory relief, or "any other relief the court deems proper." Actual damages are recoverable only where they exceed the statutory damages. Actions can be aggregated into a class action. The absence of an actual damages requirement is consistent with a Ninth Circuit decision earlier this year, which found that the risk of identity theft created by a breach of personal information is enough to permit a federal action against the data controller, with no actual damages or specific evidence of identity theft required.
Although it has no pecuniary damages requirement, the private right of action is subject to two checks. First, it carries the same notice requirement as its public counterpart: prospective plaintiffs, other than those pursuing an individual action solely for pecuniary damages, must give the prospective defendant business written notice of the intended action and 30 days to cure the problem. The action can proceed only if the business fails to cure within the time allotted.
Second, the California attorney general has the authority to stop or take over a private action. Within 30 days of filing the action (after the cure period has elapsed), the plaintiff must notify the attorney general's office. The attorney general may then decide to prosecute the action in place of the consumer, or may bar the consumer from proceeding. If the office does not act within 30 days of receiving the notice, or having informed the putative plaintiff of its intent to prosecute does not proceed with the action within six months, the plaintiff may continue their action unimpeded.
[Flow chart: the full CCPA private action procedure]
The AG’s ability to issue interpreting regulations
Under Section 1798.185 of Title 1.81.5, the California Attorney General is authorized, after public comment, to promulgate regulations governing the detailed implementation of the CCPA, along with any additional regulations "as necessary to further the purposes of this title." This includes updating the categories of personal information covered, defining terms, establishing exemptions needed for compliance with other laws, and setting rules and procedures for compliance. The IAPP expects these regulations to be issued in 2019, before the law takes effect at the beginning of 2020.