The California Consumer Privacy Act of 2018 (CCPA) goes into effect January 1, 2020, and is intended to protect the use, sharing and selling of consumers' personal information, amongst numerous other requirements. The CCPA has been amended once to date, with Senate Bill 1121 (signed into law in September 2018), for clarification and to address various technical issues.
Senate Bill 561 was introduced earlier this year and made a number of proposed modifications to the CCPA, including the following: providing consumers with a private right of action to enforce violations of the CCPA; and eliminating the 30-day period in which businesses could cure an alleged violation of the CCPA after receiving notice of such alleged violation.
As of May 16, 2019, however, the California Senate has set Senate Bill 561 on hold.
Why Does This Matter?
This is good news for California businesses, at least for now. This decision precludes individual consumer suits for technical CCPA violations. Further, it allows a reasonable amount of time to respond and address alleged violations of the CCPA. However, it is important to understand that the CCPA is likely to evolve over the next several years following its enactment. Additionally, the federal government is presently in deliberations over the establishment of a national privacy standard, with Congress reviewing the CCPA as part of that process.
While the details of the CCPA will develop further, it remains important to be prepared for compliance with all aspects of the CCPA as January 1, 2020 quickly approaches. All businesses remain obligated to protect against any breach of personal information and have a "duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information" in order to protect consumers' personal information.
While no specific guidance has been provided as to what security procedures and practices are required by the CCPA, all businesses have an affirmative obligation to establish security procedures and practices to protect any personal information maintained. Parties that do not comply remain subject to substantial penalties in the event of a violation as further described below.
Penalties and Enforcement
The Attorney General is authorized to enforce any technical violation of the CCPA. Enforcement by the Attorney General can consist of injunctive relief, civil penalties of $2,500-$7,500 per violation for each affected consumer, or any other relief deemed proper. In case of a data breach, a private right of action exists, which includes recovery of damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per piece of personal information compromised or actual damages, whichever is greater. Note that no actual damage is required.
The allowed damages of $100 to $750 may sound reasonable at first, but keep in mind that these amounts are based on each consumer affected by a data breach incident. As an example, if your company maintains personal information for 50,000 consumers and such information is breached, potential penalties range from $5 million to a staggering $37.5 million for that specific incident.
What Should I Do Now?
Review and categorize all types of personal information being maintained about your customers. Personal information is very broadly defined under the CCPA, and even includes inferences that may be drawn about a consumer's preferences.
Examine existing security practices and procedures, then analyze whether these practices and procedures address all requirements of the CCPA.