The California Consumer Privacy Act (CCPA) was enacted in June 2018 and effective on January 1, 2020. Although enforcement by the California Attorney General (AG) has been delayed until July 1, 2020, the AG has specifically advised that the gap between January 1 and July 1 should not be viewed as a safe harbor.
Before the current COVID-19 pandemic, the AG had indicated that his office intended to aggressively enforce the CCPA. Several industry groups and others recently sent written requests to the AG’s office to delay enforcement of the CCPA due to the current COVID-19 pandemic. A representative from the AG’s office responded in late March 2020 that enforcement actions will not be delayed due to pandemic.
In light of the AG’s aggressive enforcement stance, it may be a good time to review your financial institution’s CCPA compliance program to ensure it can survive scrutiny. It might also be a good time to review the civil liability and damages provisions under the CCPA to highlight the potential financial exposure your financial institution may face in an AG enforcement action or data breach-related litigation.
Statutory Liability Provisions
The CCPA permits the AG to recover a civil penalty of up to $2,500 per violation or $7,500 per each intentional violation in enforcement actions. Although financial institutions will be afforded the opportunity to cure any alleged violations within 30 days of notification of noncompliance, it may be difficult to stand up or remediate issues in a CCPA compliance program in only 30 days.
The CCPA also provides for a private right of action for certain data breaches and permits the recovery of damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. The CCPA provides the same 30-day notification and cure period prior to the initiation of any individual or class action for statutory damages. Due to the increased focus on data privacy, the defense and plaintiffs’ bars are preparing for a wave of data privacy litigation under the CCPA. As of the date of this alert, four class action complaints alleging CCPA liability in data breach incidents had been filed and more such cases are likely on the horizon.
Crunching the Numbers
The following questionnaire will help you determine your financial institution’s potential financial exposure under the CCPA based on the scenarios outlined above. If you answer “no” to the first question, it may also be a good time to review the scope of the CCPA and your business footprint and data inventory to ensure your financial institution can defend that answer. Let’s get started with the questionnaire:
Are you subject to the CCPA? Yes or no.
- If no, stop.
- If yes, did you receive a notification of noncompliance giving you 30 days to cure the alleged violation(s) of the CCPA? Yes or no.
- If no, stop.
- If yes, did you cure the alleged violation(s) of the CCPA in that 30-day grace period? Yes or no.
- If yes, stop.
- If no, was the notification of noncompliance sent by the California AG? Yes or no.
- If no, move to the last dark square immediately below.
- If yes, determine your possible civil penalty using the following formula:
[Insert Number of Violations] X $2,500 = $________.
- If yes, and the violation or violations are deemed intentional, disregard the formula immediately above and use the following formula to calculate your possible civil penalty:
[Insert number of Violations] X $7,500 = $________.
- If no, was the notification of noncompliance related to a data breach and sent by a California resident (whether represented by an attorney or not)? Yes or no.
- If no, stop.
- If yes, use the following formula to calculate your possible liability for damages in a private right of action:
[Number of Impacted California Residents] X [$100 – $750 or actual damages, whichever is greater] = $________.
(Note: Add court costs and attorneys’ fees.)
There is no statutory cap on the amount of civil penalty that can be recovered by the AG in a civil enforcement action. For example, a business that is unable to timely respond to 50 “see my data” requests from California customers and cannot timely document to the AG that it has improved its CCPA compliance program to prevent such response delays could face a civil penalty of up to $375,000. As the AG begins to aggressively enforce the CCPA, including enforcement actions that “look back” to January 1, 2020, and more CCPA claims reach the courts, it will not be difficult to document the return on investment of maintaining an agile CCPA compliance program.