Hero Starlight Image
View CCPA Act

Enforcement

The Statute

California’s Department of Justice, headed by the state’s Attorney General, is the primary enforcer of compliance with the CCPA. Given that the office of the Attorney General is an elected position, the
approach to CCPA policy making and enforcement may shift over time.

The Attorney General can seek fines of up to $2,500 per non-intentional violation and up to $7,500 per violation for intentional violations of the CCPA. 1 “Per violation” can be understood as per consumer. The Attorney General will give a business a 30-day notice to “cure” compliance violations before initiating a lawsuit. 2 However, this window of time may not be enough to make major changes to a privacy and security program or to implement a new one. In addition, the statute does not state what activities or outcomes qualify as “curing” a violation.

The CCPA also contains a narrow private right of action that will allow California consumers to bring lawsuits, including class action suits, against companies that have suffered a data breach where that business’s own inadequate security practices exposed the personal information of those consumers. Section 1798.150(a)(1) states that

[a]ny consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

Actions brought pursuant to this section require the consumer to “provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated.” 3 Note that this requirement does not apply if the consumer initiates “an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title.” 4

The Regulations

The Regulations do not expand on or clarify issues related to enforcement or the private right of action, such as the nature of a “cure” for a violation of the statute or what qualifies as “reasonable security procedures and practices.” There is one tangential reference to providing record keeping information to the Attorney General, upon request. 5

1. Cal. Civ. Code §1798.155(b).
2. Id.
3. Cal. Civ. Code 1798.150(b).
4. Id.

Ready to get started?

Schedule a personalized demo with one of our data security experts to see Spirion data protection solutions in action.

Watch demo now
Discover, protect and comply.

Protect sensitive information with a solution that is customizable to your organizational needs. When your job is to protect sensitive data, you need the flexibility to choose solutions that support your security and privacy initiatives.

Governance Suite →

Industry Solutions

Not knowing where sensitive client financial data resides and failing to take the right security precautions can be a costly mistake for your organization. Find out how Data privacy is treated in your sector.

Read more →