The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and enforcement has been underway since July 1, 2020. For now, enforcement of the CCPA is reserved exclusively to the California Office of the Attorney General (OAG), though the newly created California Privacy Protection Agency (CPPA) will take over enforcement duties starting in 2023. Once an apparent violation comes to its attention, the OAG sends a 30-day cure notice to the business. If the business is able to fix those violations within the 30-day period, no further action is taken.
Of course, businesses that have made no effort at becoming CCPA compliant up to that point will find it difficult to fully implement a compliance system within 30 days. Short turnaround time aside, having the OAG looking over your shoulder is not the ideal environment for making complex changes to how your business handles thousands of pieces of personal data. Preparing in advance helps a business avoid costly mistakes.
Businesses that do not fix any alleged violations within 30 days of receiving a cure notice can face two different forms of enforcement actions: injunctions and civil fines.
The first tool available to the Attorney General is injunctive relief. An injunction is a court order telling a person or entity to perform or refrain from performing a specific act. In the context of the CCPA, the OAG could seek an injunction ordering a business to stop collecting California residents’ personal information or even to cease all operations in the state.
The CCPA makes specific mention of fines for businesses in non-compliance. For normal violations, businesses face fines of up to $2,500 per violation. Because businesses regularly collect personal information from large numbers of consumers, these fines could easily add up to hundreds of thousands of dollars.
For intentional violations, businesses can be fined up to $7,500 per violation. What is an intentional CCPA violation? The statute does not define the term, but the most likely example is where a business repeatedly violates the privacy law even after previous enforcement actions or complaints from consumers.
In November 2020, voters approved the California Privacy Rights Acts (CPRA), sometimes called CCPA 2.0. The CPRA makes a number of significant changes to the CCPA, many of which are meant to strengthen enforcement.
The CPRA establishes the California Privacy Protection Agency (CPPA), a first-of-its-kind government office specially tasked with enforcing Californians’ privacy rights under the CCPA. The CPPA will have regulation-making authority as well as provide guidance to consumers and businesses regarding their rights and responsibilities. Expectations are that enforcement will increase significantly when the CPPA takes over in 2023.
A critically important question for businesses is whether the CCPA creates a private right of action for consumers. That is, can consumers sue a business over violations of the CCPA? The answer is both no and yes.
Consumers cannot sue businesses for violations of the privacy rights created by the CCPA. For example, if a consumer opts out of the sale of their personal information but the business does not honor that request, the consumer cannot take the business to court over the violation. This is in contrast to the General Data Protection Regulation (GDPR) in the European Union. Under the CCPA, a consumer may file a complaint, but only the Attorney General has the authority to enforce privacy rights.
However, the CCPA does create a private right of action for consumers who have been affected by a data breach at a business. Consumers have this legal remedy when their nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices.
Plaintiffs can recover statutory damages of $100 to $750 per incident, or actual damages, whichever is greater. This means that plaintiffs do not have to prove actual damages to prevail in court. The CCPA’s new private right of action is certain to lead to a new type of class-action lawsuit by consumers. In order to avoid liability, a business should:
Since the CCPA has gone into effect, many businesses have continued operating with the same data privacy practices as before. Some have adopted a wait-and-see approach to the California law; many others were simply unaware of its existence until they received a notice from one of their advertising partners or even the California Attorney General. Now executives and managers are asking themselves, “How will this affect my business?”
Businesses that are not in compliance with the CCPA can suffer hidden costs beyond civil penalties and class-action lawsuits, such as the effect on consumer goodwill. Even for those that are compliant, there are marketing implications associated with choosing one compliance strategy over another.
Maintaining consumer goodwill is more important than ever. A few negative online comments or customer interactions can quickly spiral out of control and lead to a negative brand reputation. This can damage everything from earnings to employee morale. The CCPA is part of a growing trend in consumer expectations: that businesses should be more respectful and responsive regarding privacy concerns. Businesses that fail to live up to these expectations do so at their own peril.
If a business has not provided an opt-out link or is unprepared to respond to consumers’ privacy requests in a timely manner, this can easily lead to the perception that the business is acting intentionally to deny people their privacy rights. These consumers might also file a complaint with the state. On the bright side, the opposite is also true. When a business is forthcoming with its consumers by providing transparent privacy policies, easy opt-out requests, etc., it can help build trust and positive feelings toward the company.
There can be multiple paths to CCPA compliance, and the path your company chooses can have a major impact on its marketing capabilities. Consider these two examples, in which both companies are CCPA compliant.
Company A is an online retailer. It has posted all required privacy notices and responds to consumers’ privacy requests as appropriate. Some of its transfers of personal information qualify as selling under the CCPA, so it has posted a “Do Not Sell My Personal Information” link on its homepage to allow consumers to opt out.
Company B is also an online retailer with all the required privacy notices and infrastructure to respond to consumer requests. Like Company A, it would have been required to post a “Do Not Sell” link on its homepage. Unlike Company A, it decided this link was not right for its brand, so instead Company B chose to stop all transactions that qualify as selling personal information. Because of this, the “Do Not Sell” link is no longer required.
Company B’s reluctance to include a “Do Not Sell” link on its website is certainly understandable. Many businesses worry that it could alienate consumers and give them the wrong impression as to what the business is doing with their personal information. After all, there are some transactions that qualify as selling under the CCPA that the average person probably wouldn’t consider to be a sale. Of these, the most important is using interest-based advertising, a.k.a. retargeting.
When a business uses an advertising platform like Facebook for retargeting, they have to disclose consumers’ personal information (e.g., online identifiers, online activities, etc.). Sharing that personal information is part of the bargain with the advertising company; they get to use the information and in return give your business access to their retargeting technology.
In the example above, Company A can continue taking advantage of interest-based advertising, because it gives consumers the choice to opt out. If a consumer submits an opt-out request, Company A must stop any sale of that particular person’s information, which includes using retargeting. In order to help businesses comply with their CCPA obligations, companies like Facebook and Google now offer advertising options that utilize a lower level of data sharing (called “limited data use” by Facebook, “restricted data processing” by Google) so they can be reclassified as service providers. These options switch off the companies’ retargeting features, but can be applied to specific consumers.
Company B is in a different situation. By electing not to have a “Do Not Sell” link, Company B has essentially chosen to opt out all of its consumers. This means the only way to stay CCPA compliant is to switch off retargeting for everyone in California and potentially for all consumers in the United States. Given that retargeting has proven to be such an effective marketing tool, Company B can expect a drop of up to 70% in customer conversions.
Not all CCPA compliance strategies are the same. Businesses that are in the process of planning their compliance should carefully consider the implications of their different options.
Effective January 1, 2023, disclosing personal information for purposes of interest-based advertising will be called “sharing” instead of “selling.” The change in terminology applies exclusively to this type of transaction, which the CPRA calls “cross-context behavioral advertising.”
Sharing personal information is still covered by a consumer’s right to opt out. In fact, the new law removes any ambiguity surrounding the issue. For most businesses, the only difference will be that “Do Not Sell My Personal Information” links must be changed to “Do Not Sell or Share My Personal Information.”
The CCPA is here to stay, and the costs of non-compliance are rising steeply. With enforcement efforts ramping up, class-action lawsuits looming on the horizon, and consumer expectations changing, the best move for businesses is to start the process of becoming compliant without any further delay.
The next chapter, “Becoming CCPA Compliant,” gives businesses a sense of the effort involved in that process by outlining the major steps they must take.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.