State Enforcement of Data Privacy Rights in the Face of Potential Federal Legislation - Clarip Privacy Blog

State Enforcement of Data Privacy Rights in the Face of Potential Federal Legislation


On February 25, 2020, California Attorney General Xavier Becerra sent a letter to Congress urging it not to enact federal legislation that would override state regulation of data privacy. The enactment of privacy laws such as the GDPR and CCPA has reflected consumers’ interest in privacy regulation and some level of control over personal information. As we have reported in our blog, many states have introduced their own privacy regulations following California’s example.

There has also been a push by some legislators and large technology companies to create a superseding federal data privacy regulation that would preempt state laws and even potentially supplant federal sectoral laws such as HIPAA, GLBA, and FERPA, thereby bringing the issue of privacy under one umbrella instead of the patchwork of laws that exists now.

In his letter, Attorney General Becerra expressed hope that potential new federal legislation will use the California Consumer Privacy Act and the efforts of other states as a “floor” and not a “ceiling” in crafting the future federal guidelines.

The CCPA went into effect on January 1 of this year and is notable for the level of control it grants consumers: the right to know what categories of their data are being collected and for what purpose, the right to access and delete that data, and the right to opt out of the sale of personal data. The CCPA has the potential for robust enforcement as it includes two types of remedies.

First, the Attorney General can bring an action against a non-compliant business for up to $2,500 after the business has been given 30 days to cure the violation. For intentional violations, the penalties are far higher, with a $7,500 cap. Under the CCPA, fines are applied on a per-violation basis as opposed to a per-customer basis and could add up rather quickly. If a business commits one violation under the CCPA across a 10 million customer base, that could amount to a potential $25 billion in fines. If you change this scenario to an intentional violation, the resulting penalty may be three times higher.

Second, California residents are granted a private right of action when personal information that is not redacted or encrypted is exposed due to a business’s failure to properly safeguard that information. In such cases, the damages could range from $100 to $750 per violation up to uncapped actual damages, and could be aggregated in class action lawsuits. Again, the numbers begin to add up and the penalties are substantial.

These enforcement measures are essential pieces of the CCPA. While Congress is contemplating creating privacy rules on a national level, proponents of the state laws are advocating for a federal regulation that will acknowledge and operate alongside the state laws to maintain their enforcement efficacy. The California Congressional delegation has expressed in the past that it opposes any measures that seek to supplant state law. Similarly, a recently introduced bill by New York Senator Gillibrand proposes to create a separate Data Protection Agency but reiterates the need to preserve state laws, granting consumers protection under whichever provision affords them the greater protection.

Going forward, whatever federal initiative comes to the fore, it appears that the preemption of state law will continue to be a hotly debated issue between proponents of state laws and proponents of a superseding federal regulation. In the meantime, companies should be prepared to comply with the emerging state regulations or face potential regulatory penalties and legal action.
