The California Consumer Privacy Act (CCPA), in addition to providing consumers with a variety of rights pertaining to their personally identifiable information (“PII”), also provides consumers with the ability to file lawsuits directly against businesses under certain circumstances. Additionally, the California Attorney General may bring enforcement actions against noncompliant businesses. Depending on the degree of the offense, these enforcement actions could potentially result in substantial fines and penalties for businesses.
When performing risk assessments, businesses must be able to accurately identify potential costs associated with failing to comply with applicable state and federal laws. The CCPA, in the case of either lawsuits brought by consumers or the state itself, specifies the potential fines and penalties that may result from a business’s noncompliance with the law. This article will provide an overview of these potential costs of noncompliance so that your business may adjust and prepare your compliance program accordingly. To that end, this article will discuss the following two topics:
- Potential damages and relief for consumer lawsuits under the CCPA
- Potential fines and penalties for lawsuits brought by the California Attorney General
CCPA penalties: potential damages and relief for consumer lawsuits
Our previous article, “Does the California Consumer Privacy Act include a private right of action,” detailed the requirements for a consumer to bring a lawsuit directly against a noncompliant business under the CCPA. Generally, the business must have violated its duty to maintain and implement “reasonable security procedures and practices,” and that violation must have resulted in the breach of consumers’ nonencrypted or nonredacted personal information. In short, the business suffered a data breach due to a security failure. However, the CCPA requires that businesses be notified of these alleged violations and be given an opportunity to “cure” or correct the violation to comply with the law.
Provided that the business fails to cure an alleged CCPA violation, consumers may file lawsuits directly against the business for either actual or statutory damages. “Actual damages” are assessed based on the measurable losses suffered by the aggrieved party. Because data breaches do not necessarily result in immediate, present injury, it is difficult for plaintiffs to assert what “losses,” if any, they have suffered as a result of the breach. This issue is largely tied to whether the plaintiff has sufficient “standing” to bring the lawsuit in the first place. Essentially, this means that plaintiffs must assert an “actual injury” that they have suffered as a result of the data breach. Some courts have stated that the threat of a future injury, such as the threat of identity theft following a data breach, is sufficient to establish standing to sue, while other courts have stated that the threat of a future injury is not sufficient.
The CCPA circumvents the difficulty of establishing actual damages in a lawsuit by allowing consumers to collect “statutory damages” under the law. The CCPA specifically states that consumers may collect damages in an amount not less than $100 and not greater than $750 per consumer “per incident,” meaning each data breach resulting in a business’s failure to implement reasonable security procedures and practices.
Because data breaches often involve a large number of consumers, statutory damages under the CCPA can be significant. Under the CCPA, courts may consider the following when assessing the amount of statutory damages to be granted:
- The nature and seriousness of the misconduct
- The number of violations
- The persistence of the business’s misconduct
- How long the misconduct occurred
- The willfulness of the business’s misconduct
- The business’s assets, liabilities, and net worth
In addition to actual and statutory damages, consumers may also be entitled to injunctive or declaratory relief, meaning that the court orders the business to take a particular action or prohibits it from continuing a particular action. As of now, it is unclear what injunctive or declaratory relief would entail in the context of a CCPA lawsuit. A recently filed CCPA class action asserted several CCPA violations against a video chat platform for failing to provide notice pertaining to the platform’s collection, use, and sale of PII to third parties. The complaint also asserted that the platform failed to disclose that users had the right to opt out of the sale of their PII. Among other requests for relief, the complaint asked the court to issue an order preventing the platform from “continuing to violate the CCPA.” Such an order could potentially require the platform to make the disclosures required under the CCPA as well as provide users with the ability to opt out of the sale of their PII. Until this class action and other CCPA lawsuits are litigated, it remains to be determined what will constitute injunctive or declaratory relief under the law.
For businesses preparing for the CCPA’s enforcement period beginning on July 1st, the information security team and the privacy team should be working hand in hand to conduct a comprehensive risk assessment of the business’s current information security system. Depending on the size of the business and the sensitivity of the information handled, this risk assessment will necessarily involve multiple stakeholders from a variety of departments in the business. Because of the potentially high statutory damages that may be assessed against businesses under the CCPA, those tasked with ensuring that the business is in compliance should have no trouble obtaining buy-in from management.
Potential fines and penalties for lawsuits brought by the California Attorney General
In addition to potential damages that may result from consumer lawsuits under the CCPA, civil actions brought by the California Attorney General can result in CCPA fines and penalties against businesses. In the same way that businesses must be provided with 30 days to cure alleged violations before a private lawsuit is filed under the CCPA, businesses must be provided with the same opportunity before the government files an enforcement action under the law.
If a business is found to have intentionally violated the law, CCPA fines for noncompliance can be up to $7,500 per violation in lawsuits brought by the California Attorney General. For businesses that have been notified of an alleged violation of the CCPA but fail to make any attempt to cure it (provided a cure of the violation is possible), this could potentially amount to an “intentional” violation of the law. Other violations considered to be unintentional can result in penalties of up to $2,500 per violation.
Each “violation” would likely be calculated on a “per-capita” basis. Essentially, this means that the number of violations would depend on the number of consumers impacted by a business’s noncompliance. For example, if 500 individuals requested that the business halt the sale of their PII to third parties, and the business subsequently failed to honor the requests in a timely manner, this noncompliance would result in 500 individual violations. On the other hand, if it is determined that a business failed to act on multiple requests from a single consumer to delete collected PII, this would likely result in one violation as opposed to multiple violations.
Tyler is a third-year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/US) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.