Originally Published February, 2021
The passage of the California Privacy Rights Act (“CPRA”) on November 3, 2020 will result in increased litigation and enforcement actions for companies doing business in California. Indeed, only months after the California Consumer Privacy Act (“CCPA”) became effective, California voters expanded on the CCPA’s already groundbreaking data privacy protections by passing the CPRA. Now, the creation of the California Privacy Protection Agency (the “Agency”) and the elimination of some of the more business-friendly provisions of the CCPA make clear that companies will suffer significant and costly consequences for data breaches and privacy violations in California.
The substantive provisions of the newly enacted CPRA go into effect January 1, 2023, but the regulatory implications may be felt much sooner. While many businesses are still navigating the emerging litigation and enforcement landscape created by the CCPA, they should also ramp up efforts to comply with the CPRA in order to avoid additional liability issues down the road.
The Creation of the Agency
The CPRA amends and expands the enforcement mechanism of the CCPA through the creation of the Agency, a newly formed California state government agency whose sole purpose is the regulation of consumer data privacy. Cal. Civ. Code § 1798.199.10 et seq. The CPRA describes the Agency as an “independent watchdog whose mission is to protect consumer privacy” to “ensure that businesses and consumers are well‐informed about their rights and obligations” and to “vigorously enforce the law against businesses that violate consumers’ privacy rights.” See CPRA SEC. 2, Findings and Declarations L. The Agency will replace the California Attorney General as enforcer of the CCPA no later than July 1, 2021 and will oversee enforcement of the CPRA effective July 1, 2023.
The creation of the Agency will undoubtedly result in increased attention and investigations into data breaches and privacy violations involving California residents. First, the sole responsibility of the Agency is to investigate these issues, and that hyper-focus is likely to lead to more intense scrutiny. Second, the Agency is funded through the Consumer Privacy Fund, which is made up of fines that the Agency collects in its enforcement actions, thus creating an incentive to enforce the provisions of the CPRA. Consequently, businesses should expect aggressive enforcement actions by the Agency.
Agency Enforcement under the CPRA
Not only does the CPRA change who is responsible for its enforcement, but it also eliminates the ability to cure a violation before any action is taken. The CCPA specifically allows companies to avoid an enforcement action and/or administrative fines by curing the violation within 30 days. Conversely, under the CPRA, the Agency is permitted to order substantial administrative fines (from $2,500 to $7,500 per violation) at the time that it issues a cease and desist letter, though it will look to the “good faith cooperation of the business” in determining the amount if any administrative fine. Because this change makes it more likely that businesses will be assessed fines, it is important to be in compliance. Notably, the CPRA has a “look back” provision to January 2022 for enforcement purposes. Thus, to avoid costly enforcement actions in the future, companies should review their procedures for compliance with the CPRA and take steps to remedy any issues as soon as possible.
Civil Liability under the CPRA
The CPRA may also result in increased litigation by California residents by expanding the narrow list of personal information giving rise to a private right of action. Under the CCPA, a consumer may bring an action if four elements are met: (1) the plaintiff is a consumer (defined as a California resident), (2) there was unauthorized access and exfiltration, theft, or disclosure of, (3) nonencrypted and nonredacted personal information, and (4) the disclosure was due to the business’s alleged failure to maintain reasonable security procedures and practices. Cal. Civ. Code § 1798.150(a)(1). Importantly, though, the types of personal information that were misappropriated is limited to a combination of the consumer’s name (first name or initial and last name) and a social security number, driver’s license number or identification card number, financial account number and security/access code or password, medical information, health insurance information, or biometric information. See Cal. Civ. Code § 1798.150(a)(1) (citing “personal information” defined under Cal. Civ. Code § 1798.81.5(d)(1)(A)). The CPRA expands this narrow list to include consumer login credentials (such as email addresses and passwords). See Cal. Civ. Code § 1798.150. Given the number of online transactions that require consumers to disclose their email addresses and passwords, this addition may result in increased litigation in the event of a breach.
Unlike enforcement actions based on compliance violations, the CPRA did not eliminate the 30 day cure provision with respect to consumer claims brought under the private right of action provision. This means that a business can still avoid statutory damages if it cures the violation upon 30 days’ written notice from the consumer – assuming a cure is possible. See Cal. Civ. Code § 1798.150(b). However, the CPRA clarifies that “the implementation and maintenance of reasonable security and practices…following a breach does not constitute a cure of that breach.” Id. Thus, a business cannot avoid civil liability under the CPRA simply by adopting reasonable security standards after the fact. Further, the notice and opportunity to cure provision does not apply if the consumer is just seeking actual pecuniary damages, and not statutory damages. See Cal. Civ. Code § 1798.150(b).
The enactment of the CPRA further muddies the privacy waters in California as many businesses are still waiting for guidance from the courts and/or the Attorney General regarding enforcement of the CCPA. The creation of the Agency makes increased attention and enforcement actions a near certainty. Particularly in light of the one-year look back provision included in the CPRA, it is important for companies to promptly begin reviewing their policies and practices for compliance with both the CCPA and CPRA in order to avoid liability issues in the future.