Changes in Statutory Penalties and Private Right of Action under the California Privacy Rights Act
On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA, which will become operative on January 1, 2023, incorporates and significantly amends the existing California Consumer Privacy Act (CCPA) and expands privacy rights of California consumers as well as compliance obligations of covered businesses and their processors. Some of the changes will include statutory penalties, private right of action, and enforcement mechanisms.
Changes in Statutory Penalties
Currently, the CCPA provides for civil penalties of up to $2,500 per violation and of up to $7,500 per intentional violation of the statute. The CPRA will permit a new penalty of up to $7,500 for violations (even if unintentional) of the consumer privacy rights of minors. The CPRA further provides that service providers and contractors could be held liable for their own violations of the Act and will be subject to the same administrative sanctions as the businesses. Finally, the CPRA eliminates the ability of businesses to avoid penalties by addressing violations within 30 days of being notified of the violation by the Attorney General.
Enhanced Private Right of Action
The CCPA provides for a limited private right of action, subject to a 30-day cure, when certain nonencrypted or nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures. Such information includes, for example, a consumer’s Social Security number, government identification number, an account number (in combination with a security code or password), medical and health insurance information, and unique biometric data. With respect to these categories, the CPRA will authorize a private right of action only in cases of breach of nonencrypted and nonredacted information.
In addition, the CPRA will make data thefts of email addresses along with information that would permit access to an account (such as a password) subject to a private right of action. Furthermore, although businesses would presumably still be able to cure some breach-related violations within 30 days to avoid an action for statutory damages, the CPRA explicitly provides that implementation and maintenance of reasonable security procedures and practices following a breach would not constitute a cure for that breach.
New Enforcement Agency
While the California Attorney General is responsible for enforcing the CCPA, the CPRA establishes a new enforcement authority, the California Privacy Protection Agency (CPPA). Among its other responsibilities, the CPPA will be empowered to investigate possible violations of the Act, make probable cause determinations of its violations, institute administrative proceedings upon finding of probable cause, subpoena documents and witnesses, conduct evidentiary administrative hearings, issue cease and desist orders, order payment of administrative fines, and bring civil actions to enforce payment of administrative penalties. Any CPPA decisions related to a complaint against a business or a penalty will be subject to review by the state courts.
The Agency will be able to begin enforcement actions under the CPRA provisions on July 1, 2023, but only for violations occurring on or after that day.