As businesses continue to reel from the confusing compliance requirements of the California Consumer Privacy Act (“CCPA”), California voters approved Proposition 24. Proposition 24 is a robust expansion of consumer rights and protections, but it also necessitates additional compliance efforts to satisfy the requirements of the CCPA. Proposition 24, otherwise known as the California Privacy Rights and Enforcement Act (“CPRA”), makes several changes to the CCPA, like adding new consumer rights and creating a new category of information subject to additional protection requirements. Of note, CPRA significantly expands access to a private right of action and broadens the capacity of the state and individuals to bring enforcement actions. The vast majority of CPRA’s changes will go into effect at the start of 2023 with enforcement beginning six months later. But CPRA does not override the need to comply with the CCPA in the meantime.
The Current Approach to Enforcement
The CCPA designated the California Department of Justice, led by the California Attorney General, as the enforcer of CCPA violations. The Attorney General was authorized to seek injunctions and penalties. In this context, an injunction is a court order to stop or prevent an action from occurring. The available penalties take the form of fines of up to $2,500 or $7,500 per violation, depending on the nature of the violation. Fines of up to $2,500 per violation can be levied if the violation is deemed unintentional or accidental. By contrast, an intentional violation can result in a maximum fine of $7,500 per violation. Under the CCPA, these fines cannot be sought by individuals.
Each individual violation can command its own penalty, and those fines are cumulative. In other words, an accidental violation of only one hundred consumers’ rights could face a fine of up to $250,000, as well as significant disruption in the workplace during a potential investigation. So, the larger a business is, and the more individual consumers’ information the business possesses, the more substantial the penalties that can be imposed. The true measure of penalties is subject to the discretion of the Attorney General, who has expressed that attempted compliance and cooperation with investigations would be looked upon favorably. However, the California Attorney General is an elected official, so compliance and enforcement goals may change with time.
Fortunately, the CCPA requires that a business receive notice 30 days before an enforcement action can be brought. This notice period allows businesses time to fix minor compliance issues or internal procedural practices before any investigation is opened or fine is levied.
The private right of action available to California consumers before CPRA is very restrictive. This limited right of action allows businesses to shield themselves from some liability by developing and using reasonable security practices. Consumers are not able to sue businesses for individual violations of the CCPA’s obligations and compliance requirements. Instead, consumers may only sue under a narrow set of circumstances: where nonencrypted or nonredacted personal information is exposed or breached by a third party, it has been determined that the breach resulted from the business’s poor security practices, notice was given, and there was a continued failure to comply with security requirements. In that instance, consumers are permitted to seek statutory damages ranging from $100 to $750, up to the measure of actual damages suffered. Injunctive relief is also possible, and these claims may be accumulated into a class action suit.
The New Approach to Enforcement Under CPRA
CPRA alters who can bring lawsuits and levy fines for CCPA violations, beginning January 1, 2023. CPRA, once in effect, will noticeably expand the private right of action for consumers. CPRA also creates a new state agency for data protection that will have the capacity to enforce violations of the CCPA. This new agency, the California Privacy Protection Agency, will serve as the face of administrative enforcement and compliance under CPRA. The agency will adopt much of the rulemaking authority and investigative authority that the Attorney General now possesses.
Civil actions for injunctions and penalties will still be brought by the Attorney General, and in the same manner as under the CCPA. This means the Attorney General will retain the same authority to investigate, pursue, and penalize violations. Additionally, CPRA codifies a position the current Attorney General has already expressed: when assessing fines, courts may consider the good-faith cooperation of the business.
The California Privacy Protection Agency is also authorized to seek “administrative fines” matching the same scheme as the Attorney General’s civil penalties. Fines assessed by the agency can be appealed, but courts are to give deference to the agency’s determinations. A business found to be in violation cannot face penalties from both the Attorney General and the California Privacy Protection Agency.
Additionally, consumers have an expanded avenue to bring a claim for violations under CPRA. Consumers may bring an action just as they could under the CCPA. But they can also bring a claim if their email address is breached in combination with a password, or with a security question and answer, that would permit access to the account. This right of action is available if the business violates the duty to maintain reasonable security procedures and practices. CPRA still gives businesses 30 days from a consumer’s notice of the violation to cure it. This notice requirement does not apply if a consumer brings an action solely for their actual pecuniary damages suffered. The recoverable damages have not changed, meaning statutory damages ranging from $100 to $750 are available, as is injunctive relief and any other relief the court deems proper. Businesses should be shielded from liability if they fix the noticed violation and provide the consumer with a written statement expressing that the cure has been implemented and that no further violations will occur.
However, if a business violates the written statement it has provided to a consumer, then the private right of action expands. In that instance, the consumer may bring an action to enforce the written statement and pursue statutory damages for each breach of the statement as well as any additional violations of the CCPA that occurred after the written statement was executed. This new mechanism, which expands the scope of the private right of action, serves to penalize businesses that are either lax with security compliance or renege on the representations they made to the consumer.
Of note, the duty to adopt and maintain security practices and procedures is a prerequisite to being shielded from liability. Businesses that postpone the implementation of reasonable security measures until after they receive notice will not be shielded, even if they can cure the violation.
In conclusion, we still have some time before the majority of CPRA comes into effect, but compliance efforts are deceptively time-consuming and may prove difficult to integrate into a business’s culture and practices. So plan ahead and begin laying the foundation for compliance now, rather than facing enforcement actions by the Attorney General, the California Privacy Protection Agency, or California consumers.