Locke Lord QuickStudy: Ready or Not, Here It Comes: Litigation and Enforcement Issues Under The California ‎Privacy Rights Act

The passage of the California Privacy Rights Act (“CPRA”) on November 3, 2020 will result in ‎increased litigation and enforcement actions for companies doing business in California.  Indeed, ‎only months after the California Consumer Privacy Act (“CCPA”) became effective, California ‎voters expanded on the CCPA’s already groundbreaking data privacy protections by passing the ‎CPRA.  Now, the creation of the California Privacy Protection Agency (the “Agency”) and the ‎elimination of some of the more business-friendly provisions of the CCPA make clear that ‎companies will suffer significant and costly consequences for data breaches and privacy ‎violations in California.‎

The substantive provisions of the newly enacted CPRA go into effect January 1, 2023, but the ‎regulatory implications may be felt much sooner.  While many businesses are still navigating the ‎emerging litigation and enforcement landscape created by the CCPA, they should also ramp up ‎efforts to comply with the CPRA in order to avoid additional liability issues down the road.‎

The Creation of the Agency

The CPRA amends and expands the enforcement mechanism of the CCPA through the creation ‎of the Agency, a newly formed California state government agency whose sole purpose is the ‎regulation of consumer data privacy.  Cal. Civ. Code § 1798.199.10 et seq.  The CPRA describes ‎the Agency as an “independent watchdog whose mission is to protect consumer privacy” to ‎‎“ensure that businesses and consumers are well‐informed about their rights and obligations” and ‎to “vigorously enforce the law against businesses that violate consumers’ privacy rights.”  See ‎CPRA SEC. 2, Findings and Declarations L.  The Agency will replace the California Attorney ‎General as enforcer of the CCPA no later than July 1, 2021 and will oversee enforcement of the ‎CPRA effective July 1, 2023. ‎

The creation of the Agency will undoubtedly result in increased attention and investigations into ‎data breaches and ‎privacy violations involving California residents.  First, the sole responsibility ‎of the Agency is to investigate these ‎issues, and that hyper-focus is likely to lead to more intense ‎scrutiny.  Second, the Agency is funded through the ‎Consumer Privacy Fund, which is made up ‎of fines that the Agency collects in its enforcement actions, thus creating an incentive to enforce ‎the provisions of the CPRA.  ‎Consequently, businesses should expect aggressive enforcement ‎actions by the Agency.‎

Agency Enforcement under the CPRA

Not only does the CPRA change who is responsible for its enforcement, but it also eliminates the ‎ability to cure a violation before any action is taken.  The CCPA specifically allows companies to ‎avoid an enforcement action and/or administrative fines by curing the violation within 30 days.  ‎Conversely, under the CPRA, the Agency is permitted to order substantial administrative fines ‎‎(from $2,500 to $7,500 per violation) at the time that it issues a cease and desist letter, though it ‎will look to the “good faith cooperation of the business” in determining the amount if any ‎administrative fine.‎ Because this change makes it more likely that businesses will be assessed fines, it is important to ‎be in compliance.  Notably, the CPRA has a "look back" provision to January 2022 for ‎enforcement purposes.  Thus, to avoid costly enforcement actions in the future, companies should ‎review their procedures for compliance with the CPRA and take steps to remedy any issues as ‎soon as possible. ‎

Civil Liability under the CPRA

The CPRA may also result in increased litigation by California residents by expanding the narrow ‎list of personal information giving rise to a private right of action.  Under the CCPA, a consumer ‎may bring an action if four elements are met: (1) the plaintiff is a consumer (defined as a ‎California resident), (2) there was unauthorized access and exfiltration, theft, or disclosure of, (3) ‎nonencrypted and nonredacted personal information, and (4) the disclosure was due to the ‎business’s alleged failure to maintain reasonable security procedures and practices.  Cal. Civ. ‎Code  ‎§ 1798.150(a)(1).  Importantly, though, the types of personal information that were ‎misappropriated is limited to a combination of the consumer’s name (first name or initial and last ‎name) and a social security number, driver’s license number or identification card number, ‎financial account number and security/access code or password, medical information, health ‎insurance information, or biometric information.  See Cal. Civ. Code § 1798.150(a)(1) (citing ‎‎“personal information” defined under ‎Cal. Civ. Code § 1798.81.5(d)(1)(A)).‎  The CPRA ‎expands this narrow list to include consumer login credentials (such as email addresses and ‎passwords).  See Cal. Civ. Code § 1798.150‎.  Given the number of online transactions that ‎require consumers to disclose their email addresses and passwords, this addition may result in ‎increased litigation in the event of a breach. ‎

Unlike enforcement actions based on compliance violations, the CPRA did not eliminate the 30 ‎day cure provision with respect to consumer claims brought under the private right of action ‎provision.  This means that a business can still avoid statutory damages if it cures the violation ‎upon 30 days’ written notice from the consumer – assuming a cure is possible.  See Cal. Civ. ‎Code § 1798.150‎(b).  However, the CPRA clarifies that “the implementation and maintenance of ‎reasonable security and practices…following a breach does not constitute a cure of that breach.”  ‎Id.  Thus, a business cannot avoid civil liability under the CPRA simply by adopting reasonable ‎security standards after the fact.  Further, the notice and opportunity to cure provision does not ‎apply if the consumer is just seeking actual pecuniary damages, and not statutory damages.  See ‎Cal. Civ. Code § 1798.150‎(b).‎

Conclusion

The enactment of the CPRA further muddies the privacy waters in California as many businesses ‎are still waiting for guidance from the courts and/or the Attorney General ‎regarding enforcement ‎of the CCPA.  The creation of the Agency makes increased attention and enforcement actions a ‎near certainty.  Particularly in light of the one-year look back provision included in the CPRA, it ‎is important for companies to promptly begin reviewing their policies and practices for ‎compliance with both the CCPA and CPRA in order to avoid liability issues in the future.‎