California’s Department of Justice, headed by the state’s Attorney General, is the primary enforcer of compliance with the CCPA. Given that the office of the Attorney General is an elected position, the approach to CCPA policy making and enforcement may shift over time.
The Attorney General can seek fines of up to $2,500 per non-intentional violation and up to $7,500 per violation for intentional violations of the CCPA. 1 “Per violation” can be understood as per consumer. The Attorney General will give a business a 30-day notice to “cure” compliance violations before initiating a lawsuit. 2 However, this window of time may not be enough to make major changes to a privacy and security program or to implement a new one. In addition, the statute does not state what activities or outcomes qualify as “curing” a violation.
The CCPA also contains a narrow private right of action that will allow California consumers to bring lawsuits, including class action suits, against companies that have suffered a data breach where that business’s own inadequate security practices exposed the personal information of those consumers. Section 1798.150(a)(1) states that
[a]ny consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
Actions brought pursuant to this section require that the consumer “provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated.” 3 Note that this requirement does not apply if the consumer initiates “an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title.” 4
The Regulations do not expand on or clarify issues related to enforcement or the private right of action, such as the nature of a “cure” for a violation of the statute or what qualifies as “reasonable security procedures and practices.” There is one tangential reference to providing record-keeping information to the Attorney General upon request. 5
1. Cal. Civ. Code §1798.155(b).
3. Cal. Civ. Code §1798.150(b).