The California Consumer Privacy Act (CCPA) includes enforcement provisions that pose a real risk to in-scope companies. Under the act, consumers have a private right of action if their personal information is breached as a result of a failure to implement reasonable security procedures and controls. Individual or class action suits can be brought, with potential recoveries of between $100 and $750 per consumer per incident, or any actual damages. With breaches potentially affecting millions of records, firms should be taking affirmative steps to avoid enforcement actions that could severely damage their bottom line.
17 Days of CCPA Enforcement and Lawsuits are Under Way
Enforcement for CCPA, which went into effect on January 1, 2020, has begun as of July 1, 2020. There has already been considerable activity on the class action front, much of it even before the enforcement date. ComplianceWeek reports multiple class action lawsuits are under way:
- The Minted online stationery and craft company is being hit with a class action lawsuit regarding a massive breach, in which over 73 million customer records were allegedly stolen. The company disclosed the breach information in late May. They allegedly failed to implement “reasonable security measures” to prevent the breach.
- Retail giant Walmart is being subjected to a class action suit, alleging that negligent company security led to breaches of Walmart’s website and access to Walmart information on personal computers. While the breach took place in 2019, the data continues to be available for sale on the dark web, i.e., on anonymous, untraceable sites where illicit commerce takes place.
- The Ring home security company is also facing a class action lawsuit, alleging that they shared consumer personal information to unauthorized third parties, without customer consent.
Although the private right of action under the CCPA is limited to personal data breaches, these cases indicate that California consumers will press CCPA claims in the courts even in cases where the offense occurred prior to the CCPA’s effective date, as with the Walmart suit and a similar suit against Salesforce and Hanna Andersson. Additionally, we are seeing cases where consumers are attempting to extend the private right of action to other violations of the CCPA (e.g., failure to provide notice, as in the Ring case). While the outcome of these cases is yet to be determined, including whether the consumers have standing to bring a suit, it is clear that consumers are availing themselves of this recourse mechanism and will likely continue to do so.
Further, it’s still early, but all indications are that the California Attorney General is aggressively enforcing CCPA regulation from day one. In the first two weeks since the 7/1 enforcement kickoff, numerous letters have been sent to companies that are not complying with the do-not-sell and opt-out requirements, which many consider the cornerstone of the CCPA. The AG has sent these firms notification of a 30-day cure period for these violations.
Based on these initial CCPA-related lawsuits, companies should be motivated to review and ensure their compliance with CCPA data privacy regulations, in terms of both data security and privacy rights, so that they are not left exposed.
6 Actions to Take to Avoid CCPA Enforcement
Following are six actions firms should take to avoid a CCPA enforcement action or class action suit:
- Conduct data discovery – Prepare data inventories and maps that identify what personal data is collected, from whom the data is collected, where it is stored, where it is disclosed, what is sold, and where it is sold.
- Prepare a gap analysis – Closely review the requirements of the CCPA and compare them with the data discovery findings. Prepare a detailed delta assessment between the company’s current status and where it needs to be for compliance.
- Prepare notification and disclosure mechanisms – Update privacy notices. Build and test mechanisms for customer opt-in and opt-out requests, including toll free numbers, “do not sell my personal information” web forms, etc.
- Prepare consumer rights procedures – Create verifiable consumer rights procedures to receive and respond to consumers’ data rights requests, such as access and deletion requests.
- Review vendor compliance – Assess current policies and practices as they relate to third-party vendor management.
- Implement reasonable security controls – Implement an appropriate level of security controls to protect personal information, and implement and test the firm’s incident response plan.
Lastly, firms should continue to monitor for additional guidance from the Attorney General on how businesses should meet CCPA requirements. As indicated by current class action lawsuits and Attorney General enforcement actions, the CCPA clearly has teeth. Best to be well-protected.
CCPA Resources for You
The CCPA is sweeping legislation that includes multiple consumer rights and company obligations regarding personal information, and it is being enforced by the California AG as of July 1, 2020. Scheduled fines for non-compliance can be hefty, ranging from $2,500 to $7,500 for each violated data record, and $7,500 for each intentional act of CCPA non-conformity.
ACA has put together the following resources for you.
OnDemand Webcast: Data Privacy Considerations for the Next Phase of CCPA and COVID-19
During this webcast, we discussed the landscape of privacy regulation in the U.S. and offered guidance to preserve the health and data privacy of employees as preparations are made to return to the office.
How We Help
Our CCPA compliance assistance service helps companies assess their privacy programs to ensure they comply with CCPA requirements as well as implement best practices for achieving broader privacy risk and compliance objectives across the enterprise. Please contact us to learn how we can help your company.
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.