CCPA Enforcement Scheme: A Summary
Companies are preparing for implementation of California Consumer Privacy Act compliance at the end of the year, but the focus will quickly turn from their compliance efforts to CCPA enforcement next year. So we thought that it was worth taking a quick look now at what has been said publicly about the Attorney General enforcement scheme.
The CCPA provides for enforcement by the Attorney General after it gives the covered business notification of noncompliance and the company has failed to cure during the thirty-day period that follows. It may then bring an enforcement action seeking up to $2500 per violation and up to $7500 per intentional violation. Although the scope of the penalty has not been defined, most people are expecting that the maximum fine could be applied for each violation of a consumer’s right under the law, which would result in significant monetary penalties if invoked.
On the other hand, there is nothing preventing the California AG from pursuing more reasonable enforcement in most cases where a company has made a good faith effort to comply with the law and there is no evidence of bad faith. The goal of the legislature in enacting the new California privacy law appears to be to bring businesses into compliance without creating substantial litigation and putting businesses into bankruptcy.
An interview with California Attorney General Xavier Becerra by NBC News published earlier this week indicated that the AG was concerned that they did not have enough staff to carry out the job and the CCPA law could collapse as a result.
The difference in staffing numbers between the European Data Protection Authorities (tasked with enforcing the General Data Protection Regulation) and US agencies (either the Federal Trade Commission or the CA AG) is significant. It has been pointed out several times in congressional hearings that Ireland’s DPA has more people staffing the regulator on privacy than the FTC despite a significantly smaller population.
In an April state Senate hearing in Sacramento, the supervising deputy attorney general on consumer protection told the Senate Judiciary Committee that even after her privacy team was expanded to 23 people, it would have the ability to prosecute only three cases a year. The proposed budget for the team is currently $4.7 million.
Although the pursuit of significant litigation may be off the table until the AG privacy team is staffed up, this probably will not stop them from making significant CCPA enforcement efforts. The AG does not need to have a team of litigators and file a lawsuit in order to send a company a notice of noncompliance under the CCPA. Businesses will still need to respect and respond to the notices because they cannot afford the risk that their company is made a priority for enforcement.
Additionally, it is unclear whether her use of the reference to prosecution also refers to settlements outside of the judicial system, as more government investigations probably result in a settlement without the filing of a lawsuit than require actual litigation in court.
The California Attorney General has also been pushing for an expansion of the CCPA private right of action in order to allow consumers to achieve . The changes to expand the class action provision are contained in SB 561. However, at the moment it does not look like the SB 561 amendment has enough support to make it out of the Senate Appropriations Committee.
Discussions of CCPA enforcement are going to heat up after the effective date of January 1, 2020, as we move closer to the start of AG enforcement – which will be six months after the final regulations are published or July 1, 2020 (whichever is sooner). We are closely following updates on the regulatory and enforcement process and will continue to publish them here as we learn more.