California Consumer Privacy Act (CCPA) Fines and Consumer Damages

The California Consumer Privacy Act (CCPA) permits the CA Attorney General to bring a civil action in the name of the people of California to enforce the CCPA (AB-375, as subsequently amended by SB-1121). It also provides for a consumer lawsuit to seek statutory or actual damages, whichever is greater, for the failure to implement reasonable procedures and practices that result in a data breach of unencrypted personal information. Below are the permitted fines and penalties under the new California privacy law.

Potential Government Fines

Intentional violations of the California Consumer Privacy Act can bring civil penalties of up to $7500 for each violation in a lawsuit brought by the California Attorney General on behalf of the people of the State of California. The maximum fine for other violations is $2500 per violation.

There are two areas where we expect to get clarification from the AG and the courts over the next few years:

1. What will be considered a violation for the “per violation” clause?
2. When is a violation considered intentional?

Per Violation:

It is unlikely that the law will aggregate incidents involving multiple consumers into a single violation with a maximum civil penalty of $7500. Practically, it would not be a big enough fine under that interpretation to justify the privacy compliance effort (particularly with a 30 day period to cure any violations). Additionally, the California Attorney General would not be able to justify the expense in terms of time and resources to file litigation for such an amount. Instead, it seems more likely that “per violation” is going to evolve into a per consumer standard closer to the per incident per consumer standard provided for in the data breach class action section.

Nevertheless, if the California legislature had wanted to replicate the damage scheme from its class action section, it certainly knew how to do so. Rules of statutory construction would therefore suggest that a different application is warranted for the “per violation” phrase. However, the precise contours of this application are unknown. It may be that “per violation” depends on the language of the section that is violated and, for DSAR requests, it is a per consumer request standard.

This seems likely to be one of the areas where the California Attorney General issues a clarification as part of its development of the implementing regulations in the next year or so. After all, estimates of potential GDPR fines for businesses are in the millions (and even potentially billions for larger businesses given the 4% of global annual revenue standard), so $7500 just seems small in comparison. Stay tuned!

Intentional:

The other important question for compliance professionals and businesses in estimating the size of potential fines under the CCPA is whether the $2500 cap or the $7500 cap applies. This turns on whether the violation is considered intentional, which is a straightforward and familiar standard in most areas of the law but is complicated here because of the 30 day period to cure.

If a business does not take steps to cure the violation in the thirty day period after receiving notice, then that may ultimately be pretty solid evidence that the violation was intentional. This assumes of course that it was indeed possible to cure the violation following the notification. As a result of the cure provision, all violations where it is possible to cure during the thirty day period and the company does not could potentially be considered intentional.

Normally, the intent standard applies at or before the time of the violation. However, in this case, there is no enforceable violation until after the notification period elapses. So it remains to be seen at what time the “intentional” standard will be applied.

Consumer Actual and Statutory Damages

The CCPA provides for consumer lawsuits with statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. In assessing statutory damages, the law suggests courts consider, among other things, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

These lawsuits may be brought if “nonencrypted or nonredacted public information” is subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information …” Section 1798.150(a)(1).

In SB 1121, the California legislature took steps to limit the scope of the class action provision, indicating that the “cause of action … shall not be based on violations of any other section of this title.” Section 1798.150(c). Although there may have been some uncertainty as to whether the private cause of action applied broadly to violations beyond data breaches, SB-1121 removed much of the doubt about the legislative intent. As a result, it is relatively well established that the consumer lawsuits are intended to allow for complaints only when there is a negligent data breach concerning personal information.

30 Day Waiting Periods

A violation of the new CA privacy law for the purposes of a lawsuit by the Attorney General occurs if the business receives notification of the alleged noncompliance and fails to cure the alleged violation within 30 days.

For the purposes of the section on individual or consumer class action lawsuits seeking statutory damages, the consumer must provide written notice identifying the specific provisions of the law that have been violated. If the business actually cures the noticed violation(s) and provides an express written statement indicating that the violations have been cured and that no further violations shall occur, then no action may be brought. Notice is not required prior to a consumer seeking actual pecuniary damages through a lawsuit.

Delayed Enforcement of CCPA Penalties

There won’t be penalties issued under the law by the Attorney General until between January 1, 2020 and July 1, 2020. The initial date for enforcement by the AG was pushed back from January 1 to six months after the final rules are published by the California Attorney General, but in no event later than July 1, 2020. We will closely monitor events to bring you news of the finalized effective date as well as information on the first enforcement actions when they become public knowledge. Based on the announcement that the draft regulations will be issued in the fall of 2019, it is unlikely that government enforcement begins before April.

Nevertheless, it is important to remember that the law still technically goes into effect on January 1, 2020. Only enforcement by the Attorney General was delayed, so businesses must technically still be in compliance with the law by January 1 and do face the threat of class action lawsuits from negligent data breaches then.