Morgan Lewis Practical Advice on Privacy: Guide to the CCPA
The landmark California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, is the first privacy act of its kind in the United States and significantly alters the privacy and cybersecurity enforcement landscape. This article reviews one of the unique aspects of the CCPA: enforcement by the California attorney general (AG).
Scope of Civil Enforcement Actions and Penalties
Under the CCPA, the AG has the authority to enforce any violation against a “business, service provider, or other person.” In contrast, a limited private right of action for damages may be brought for the “unauthorized access and exfiltration, theft, or disclosure” of “nonencrypted or nonredacted personal information” resulting from the business’s failure “to implement and maintain reasonable security procedures and practices.” This article addresses the AG enforcement actions.
The civil enforcement penalties can be substantial and accumulate quickly. First, violations may result in an injunction mandating that the company comply with new requirements. Second, a civil penalty may also result up to $2,500 for each violation and up to $7,500 “for each intentional violation.” For example, if a CCPA violation involved 100 consumers, the civil penalty could be up to $250,000 or up to $750,000 for intentional violations for the same number.
New Consumer Privacy Fund
Where do the fines from AG enforcement go? The CCPA establishes a new Consumer Privacy Fund intended “to fully offset any costs incurred by the state courts and the Attorney General” in enforcement.
30-Day Period to Cure Alleged Violations
The CCPA provides an opportunity to cure alleged violations that might be subject to AG enforcement. A business violates the statute only if it “fails to cure any alleged violation within 30 days after being notified of alleged noncompliance.”
Details about the operation and scope of the notice and cure provision have yet to be provided and are not addressed in the proposed CCPA regulations. It is unclear what will constitute a “cure.” For example, there is no guidance as to whether and to what extent it is possible to cure actions that have resulted in the actual loss of control over consumers’ personal information, as distinguished from a technical violation of the statute that has not resulted in any loss of control over personal information.
During legislative consideration of amendments to the CCPA in 2019, SB 561 would have, among other provisions, “remove[d] language that allows companies a free pass to cure CCPA violations before enforcement can occur.” The legislation, which had AG support, was not passed.
The CCPA also provides for requests for AG opinions on CCPA compliance. Under the provision, “Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.”
While AG opinions may provide useful guidance on CCPA compliance issues, it is unclear when the AG will begin accepting such requests and how they may be submitted.
One CCPA amendment considered in 2019 would have removed this requirement. SB 561, among other provisions, would have “remove[d] requirements that the Office of the Attorney General provide, at taxpayers’ expense, businesses and private parties with individual legal counsel on CCPA compliance.” The legislation, which had the support of the AG, was not passed.
Timing of Enforcement
AG enforcement has been delayed “until six months after the publication of the final regulations” or “July 1, 2020, whichever is sooner.” The final regulations have yet to be issued, and consequently enforcement will begin on July 1, 2020. There is, however, nothing in the statute that prohibits the AG from issuing notices of alleged noncompliance prior to July 1, 2020.
In early December, California AG Xavier Becerra noted that AG enforcement will focus on company compliance efforts and that he intends to “make an example of” businesses that fail to comply.
In October, when the proposed CCPA regulations were released, AG Becerra noted that the gap between January 1, when the CCPA goes into effect, and July 1, when enforcement commences, should not be seen as providing a safe harbor. AG Becerra noted, “If that were [the case], then you could murder someone today and if we couldn’t figure out who did it for a month, would that mean you get to go scot-free? I don’t think so,” as “The law’s the law.”
Significantly, the AG’s enforcement authority is not limited to the CCPA. His office has relied on other California laws to address perceived violations of privacy to date, and can be expected to continue to do so before the CCPA is fully enforceable or if its remedies are deemed insufficient to address perceived privacy violations.
AG Becerra has made statements indicating that his office intends to aggressively enforce the CCPA. Businesses can prepare by addressing compliance in advance and seeking guidance on legal issues. From AG Becerra’s recent statements, it appears that an enforcement action brought on or after July 1, 2020, may take into account compliance deficiencies during the period from January 1 to July 1, 2020. Therefore, it is important that businesses move toward full compliance with the CCPA as soon as practicable, and continue to watch for the final regulations and further AG guidance.
In the event notice is issued regarding an alleged violation of the statute, the business will have a 30-day window to cure and should act expeditiously in response to any such notice. Morgan Lewis has been and will continue assisting companies in responding to California AG enforcement actions related to cybersecurity and privacy matters.
The California attorney general issued proposed regulations for the CCPA on October 10, 2019. As part of the rulemaking process, the California attorney general is deciding whether any modifications should be made to the proposed regulations before they become final based on public comments, which were due December 6. In the meantime, the proposed regulations provide useful guidance as businesses prepare for and comply with the CCPA, which took effect on January 1, 2020.