Enforcement of the California Consumer Protection Act, as amended by the CPRA (collectively, CCPA), officially began on July 1, 2023 with one wrinkle. While the CCPA itself can now be enforced by both the California Attorney General and the California Privacy Protection Agency (CPPA), in addition to the private right of action for individuals, its regulations are not complete on all aspects of the law. Thus, the Superior Court of California of Sacramento County last week barred enforcement of the regulations that were issued in March 2023 until 2024. However, businesses must comply with all of the requirements of the CCPA now, taking guidance from the regulations as they now exist on 12 of the 15 areas of the CPRA and businesses must keep an eye out for the regulations to come in other areas of the law.
From inception to enforcement, the California Consumer Protection Act, as amended by the CPRA (collectively, CCPA), has presented unique characteristics that were either emulated or eschewed by other state legislatures in the recent uptick of comprehensive privacy laws passed by state legislatures across the United States the past couple of years. One such unique characteristic is the enactment of a state privacy agency (i.e., the CPPA) to enforce violations of the law in addition to enforcement by the California Attorney General.
Now with two enforcement entities, and no longer having the benefit of a 30 day cure period, if you are subject to CCPA, businesses must pay particular attention to:(i) robust security measures to ward off security breaches which raise the specter of individual and class action lawsuits and (ii) issues that the Attorney General has highlighted with its recent enforcement actions or press releases. Note that the Attorney General and the CPPA have discretion to offer offenders a cure period, depending on the offender's lack of bad intent and voluntary efforts to comply with the law. Thus, good faith efforts to comply with provisions of the CCPA can go far in terms of gaining a potential cure period and mitigating risk overall.
For clarity, the CPPA has administrative authority, while the California Attorney General retains its civil authority, but only one may take action at a given time for a particular violation. Both the Attorney General and the CPPA have the authority to enforce provisions of CCPA, including the power to issue subpoenas, conduct investigations, and impose penalties. At the same time, CPRA provides a limited private right of action in limited cases of a data breach, meaning an individual can sue in their own capacity.
Penalties for violations of CCPA are $2,500 per violation or $7,500 for violations that are intentional or involve children.It is worth highlighting that these violations are per individual not per occurrence. Thus, penalties can add up for one incident where each adversely impacted individual would be a violation.
To learn more about CCPA, you can click here to read our other Client Alerts.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
