Unless you have been living off the grid for the past year, you likely know that we are now down to 13 days and counting to the effective date of the California Consumer Privacy Act (CCPA). We have received hundreds of questions and concerns from clients over the past few weeks in the preparations of compliance programs and thought we would share a question of the day (QOTD).
One of the most frequently asked questions:
What are the penalties for non-compliance with the CCPA (or what happens if we drag our feet)?
The California Attorney General is responsible for enforcement of the CCPA. Section 1798.185(c) of the CCPA provides that the Attorney General cannot bring an action until six months after publication of the final regulations (which are still pending) or July 1, 2020, whichever is sooner. Attorney General Becerra has made it clear, however, that actions brought after July 1 however may relate to conduct between January 1 and July 1, 2020. Civil penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. A business is not liable if it cures any noncompliance “within 30 days after being notified of alleged noncompliance” (although some types of noncompliance – or a data breach – may not be capable of “cure”).
The CCPA also contains a private right of action that consumers can bring under certain circumstances if a business experiences a data breach. Importantly, the exemptions in the CCPA for personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), employee/applicant personal information or personal information collected by business to business transactions and interactions do not exempt the covered business from the CCPA private right of action for data breaches.
Tomorrow: What are the employee/applicant and “business to business” exemptions?