A Little Privacy Please? (Part 4)
California’s new consumer privacy law uncovered, Part 4
In this final installment of our four-part series on the California Consumer Privacy Act (“CCPA” or “Act”), we identify the Act’s enforcement framework and the penalties for violations.
Broadly speaking, the Act allows consumers to file a civil action against Covered Businesses for the unauthorized breach of consumer personal information (“PI”). The California Attorney General has exclusive authority to prosecute all other violations of the Act.
1. Private Action – Data Breach Liability
Under the Act, Covered Businesses have a duty to implement and maintain reasonable security procedures and practices to protect a consumer’s PI. A Covered Business may be held liable for the unauthorized access and exfiltration, theft, or disclosure of “nonencrypted or nonredacted personal information” resulting from the business’s breach of this duty.
The Act narrows the definition of PI for the purpose of data-breach liability only. PI is defined to mean an individual’s first name, or first initial and last name, in combination with one of the following:
Social security number;
Driver’s license or California ID number;
Account number, credit or debit card number, in combination with the requisite security code;
Medical information; or,
Health insurance information.
Notably, the consumer does not need to show harm caused by the data breach to assert a claim for damages. The consumer may seek damages between $100 and $750 per violation, or actual damages, whichever is greater.
The Attorney General may also bring a public enforcement action against the Covered Business (described below).
Before bringing an action against a Covered Business for a data breach, the consumer must provide the Covered Business with 30 days’ written notice to cure the breach. If the Covered Business does not cure the breach within 30 days, the consumer may file an action.
2. Public Enforcement
Except for data breaches, which can be enforced through a private action, the Attorney General has exclusive authority to prosecute all other violations of the Act. If a business fails to cure its noncompliance within 30 days of notice, it may be subject to statutory damages for each violation, which could be up to $7,500 if the noncompliance is found to be intentional. Proceeds of any settlement or award in an action brought by the Attorney General will be allocated to the jurisdiction on whose behalf the action was brought, and to a special fund called the “Consumer Privacy Fund.” This Fund is intended to offset any costs incurred by the state courts or Attorney General in connection with the Act.
Any business or third party may seek the Attorney General’s opinion for guidance on how to comply with or enforce a Covered Business’s duties under the Act.
If you have any questions concerning whether the Act applies to your business and the consumer information it collects, uses, sells or discloses, please reach out to an MLG attorney to assist you.
 The Act defines PI in this limited context pursuant to California Civil Code 1798.81.5(d)(1)(A).
Read the full series:
Part 1: Addresses which businesses and consumers are covered under the CCPA.
Part 2: The CCPA’s expanded definition of “personal information”, and some of its limitations and exemptions.
Part 3: Covered Businesses’ obligations to consumers under the CCPA.
Part 4: The CCPA’s enforcement framework and penalties for violations.
Amendments: What you should know about the September 2018 Amendments to the CCPA.
Author: Caitie Emmett, Associate.
The Maier Law Group helps companies ensure that their policies and practices comply with the relevant workplace regulations. Please contact us at email@example.com for more information.
This article has been prepared for general informational purposes only and does not constitute advertising, solicitation, or legal advice. If you have questions about a particular matter, please contact the Maier Law Group directly.