It’s becoming clear that the California Consumer Privacy Act (CCPA) has teeth. From the recent $1.2 million fine on Sephora to Samsung’s ongoing class-action lawsuit, (alleged) violations of the CCPA can be quite expensive for businesses.
One aspect of CCPA enforcement has caused confusion, however: the difference between fines imposed by regulators and damages awarded in lawsuits, or more specifically, how the privacy law provides for both types of enforcement.
The CCPA is primarily enforced by the California Attorney General’s Office and, starting in July 2023, the California Privacy Protection Agency (CPPA). These offices have full authority to enforce any provision of the CCPA and to impose fines of up to $2,500 per violation, or $7,500 for intentional violations (such as repeat offenses) and for violations involving the personal information of consumers under 16.
If $2,500 doesn’t sound like much money, keep in mind that this is per violation. For example, if a business fails to honor the Global Privacy Control (GPC) opt-out preference signal on its website, and 10,000 visitors who sent the GPC signal were nonetheless subjected to targeted advertising, each of those visitors is a separate violation, and the business could be fined up to $25 million.
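Honoring GPC on the server side is mostly a matter of reading one request header correctly. The following is an added example, not code from the original post or from TrueVault: a browser with GPC enabled sends the request header `Sec-GPC: 1`, and a site that sells or shares personal information must treat that as an opt-out. The function names (`hasGpcSignal`, `decideAdTargeting`), the plain-object header shape and the sample requests are assumptions made for this example.

```javascript
// Added example (not from the original post). Server-side handling of the
// Global Privacy Control signal. Per the GPC specification, a browser with
// GPC enabled sends the request header "Sec-GPC: 1". Only the literal value
// "1" is an opt-out; any other value, or a missing header, means "no signal"
// and must not be read as consent either way. Function names and the header
// object shape are assumptions for this example.

function hasGpcSignal(headers) {
  // HTTP header names are case-insensitive, so normalize the keys first.
  const normalized = {};
  for (const [name, value] of Object.entries(headers || {})) {
    normalized[name.toLowerCase()] = value;
  }
  const raw = normalized['sec-gpc'];
  // Some frameworks collapse repeated headers into an array; use the first.
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === 'string' && value.trim() === '1';
}

// Decide how to serve ads for one request. A GPC opt-out forces contextual
// (non-targeted) advertising; the reason is returned so the decision can be
// written to an audit log alongside the request.
function decideAdTargeting(headers) {
  if (hasGpcSignal(headers)) {
    return { mode: 'contextual', reason: 'gpc-opt-out' };
  }
  return { mode: 'targeted', reason: 'no-opt-out-signal' };
}

// Constructed sample requests (not captured traffic).
const withGpc = { 'Sec-GPC': '1', 'User-Agent': 'ExampleBrowser/1.0' };
const withoutGpc = { 'User-Agent': 'ExampleBrowser/1.0' };
const malformed = { 'sec-gpc': 'true' }; // not the literal "1": no opt-out

console.log(decideAdTargeting(withGpc));    // { mode: 'contextual', reason: 'gpc-opt-out' }
console.log(decideAdTargeting(withoutGpc)); // { mode: 'targeted', reason: 'no-opt-out-signal' }
console.log(decideAdTargeting(malformed));  // { mode: 'targeted', reason: 'no-opt-out-signal' }
```

Two practical notes: the check must run before any ad-tech script or server-side bidding call is triggered, not after, and the site should also publish the `/.well-known/gpc.json` resource defined by the GPC specification so that browsers and auditors can see that the signal is honored. Client-side scripts can read the same preference from `navigator.globalPrivacyControl`.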
One of the changes included in the California Privacy Rights Act (whose amendments to the CCPA go into effect in 2023) is that it allows the CPPA to impose administrative fines. This means that the Agency does not have to take a business to court in order to impose a fine, it can simply assess the fine on its own. A business can challenge the decision before an administrative law judge, but the process is much more streamlined than conventional court proceedings.
In some circumstances, the CCPA also allows for private citizens to take businesses to court for privacy violations. In legal terms, this is called a “private right of action.”
The main thing to understand about the CCPA’s private right of action is that it is very limited. Consumers may only sue a business if certain sensitive categories of personal information (such as government ID numbers, financial account numbers with their access codes, or account login credentials), held in nonencrypted and nonredacted form, are subject to unauthorized access and exfiltration, theft, or disclosure as a result of a security breach. Further, the breach must have been caused by the business’s failure to implement and maintain reasonable security practices appropriate to the nature of the information.
In these cases, each consumer can recover statutory damages of at least $100 and up to $750 per incident, or their actual damages, whichever is greater, without having to prove actual harm to collect the statutory amount. Before suing for statutory damages, the consumer must give the business 30 days’ written notice identifying the violations and an opportunity to cure them.
As a result, any major data breach is likely to be followed by a class-action lawsuit alleging a CCPA violation. That is the case with the current lawsuit against Samsung, where the plaintiffs claim the company collected more personal data than was necessary and then failed to protect that data.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.