Enforcement of the California Consumer Privacy Act (CCPA) is set to begin on July 1, 2020. The global pandemic has many companies urging the California Attorney General (AG) to delay enforcement until 2021, since testing CCPA-compliant platforms can be much more difficult when IT teams cannot work on site. The California AG, however, has declined to delay enforcement at this point, and companies should continue with compliance as planned.
The regulation, which was implemented on January 1 of this year, applies to for-profit businesses that collect the personal information of California residents, determine the purpose or means of processing that information, and meet at least one of the following thresholds: (1) have annual gross revenue of $25 million or more; (2) annually buy, receive, or share the personal information of 50,000 or more consumers for commercial purposes; or (3) derive 50 percent or more of their annual revenue from selling the personal information of California residents.
The CCPA grants California residents new privacy rights in connection with their personal data, including: (1) the right to know what data is collected about them; (2) the right to know whether their data is sold and to whom; (3) the right to access their data; (4) the right to opt out of the sale of their personal information; and (5) the right to equal treatment if they exercise any of these rights.
As the regulation continues to evolve, many businesses have emphasized the difficulties in compliance. The most recent set of modifications to the proposed regulation was released on March 11. With the enforcement deadline now rapidly approaching and the comment period for the third draft of the regulation having closed on March 27, businesses are concerned that they will not have all the necessary measures in place by the July 1 deadline. Adding to this concern, the AG has stated that on July 1, when enforcement actions begin, the AG’s Office may take into account compliance deficiencies during the period from January 1 to July 1, 2020. With this in mind, it’s important that businesses move toward full compliance as soon as possible to the best of their ability.
Civil enforcement penalties associated with the CCPA are significant: fines range from $2,500 for each violation to $7,500 “for each intentional violation.” The law also provides a private right of action for victims of a breach involving their nonredacted and unencrypted “personal information.” Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater.
The first suit claiming a violation of the CCPA has already been filed. On February 18, 2020, a class-action lawsuit was filed against Ring, a security and smart home company. The plaintiff, on behalf of the class, alleged that the company had failed to implement adequate security and shared its consumers’ personal data with unauthorized third parties without their consent. There are a number of outstanding issues related to this case, and we are continuing to follow its progress closely.
As the year continues, we are sure to see more litigation surrounding the CCPA. Businesses should be doing all they can to ensure compliance because penalties under the CCPA could be costly. In addition, businesses with cyber insurance should take the time now to be sure that they understand their policy terms. Cyber insurance policies vary widely in terms of what they cover and exclude, and businesses are wise to verify what coverage may apply to CCPA-related risks. While cyber insurance won’t cover the costs of coming into compliance with the CCPA, some but not all policies cover aspects of enforcement, including fines and penalties, and some policies limit the coverage available for liability (claims by customers) under the private right of action. For more information on cybersecurity insurance, see our recent blog post: Your Business’s Data, and Cyber Insurance, Are More Important Than Ever.