With the passing of the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (CCPA), California has become one of the strongest proponents of consumer data privacy protections, and your business needs to take note of the new rules, as failure to abide by them can result in significant fines, fees and penalties.
This article explains what the CCPA is, what the new rules it institutes look like, what happens if your business violates the new law, and how to appeal a CCPA breach in the event that you end up failing to comply with the new CCPA rules.
If you’re receiving CCPA breach notices, then it’s definitely time to consider hiring a data privacy protection specialist to help your business get into compliance as quickly as possible so you can prevent major fines, fees and penalties from being issued. Get the help you need by contacting MatrixPoint for a free consultation at 800-683-6983, or by filling out our contact form.
What is the CCPA?
The CCPA grants California consumers rights to their data, including:
- The right to know what information a business has collected about them
- The right to request that a business delete their personal information
- The right to opt-out of having their personal information shared and sold
The CCPA went into effect on January 1, 2020, and enforcement of the new rules by California’s Attorney General begins on July 1, 2020.
But before we talk about CCPA breaches, violations, fines, fees, and penalties, let’s make one thing clear: this new law doesn’t impact every single business, but only those businesses that satisfy some specific eligibility conditions.
In fact, only those businesses that satisfy at least one of the following conditions will be regulated by the new CCPA restrictions:
- The business must make at least $25 million in annual revenue
- The business must have personal data of at least 40,000 people or more
- The business must collect more than half of its revenues from the sale of personal data
If you’re not located within California, don’t think you can safely ignore the CCPA, because this law affects any company doing business in the state, even if they’re only doing it with a handful of Californians. Under CCPA guidelines, your business can still be impacted even if it doesn’t have a physical presence in the state!
However, an amendment to the new CCPA guidelines does exempt several types of organizations from being regulated by the CCPA rules, including insurance institutions, agents, and support organizations. These organizations have been let off the hook because they are already subjected to similar data privacy regulations under California’s Insurance Information and Privacy Protection Act.
Failing to adhere to the CCPA guidelines will result in extensive fines, fees and penalties. The fine for intentionally violating the CCPA can result in up to $7,500 per violation, but it doesn’t stop there, because the law also allows consumers to sue businesses who have violated CCPA policies. This is why it’s going to be incredibly important for businesses to ensure that they are 100% compliant with the new regulations.
Simply put, CCPA’s impact on businesses will be unprecedented. And this law will also affect companies in the courtrooms because previously, private litigants were made to prove injury in court in the case of data breaches, which typically proved difficult to do, and usually led to data breach lawsuits being dismissed in the early stages of the courtrooms, but that’s about to change as well.
The new CCPA regulations don’t require consumers to be materially or financially affected by a data breach to file for a lawsuit; all they have to do is prove that the data breach occurred and they automatically win. This means that many more data privacy protection lawsuits can go through the courts and cause a much larger burden on companies that have data breaches due to security vulnerabilities, mistakes, accidents or negligence.
While the fines and penalties can be large for CCPA breaches, simply being notified that your company has had a breach doesn’t mean the end of the world, because there are ways to get around a CCPA violation. But let’s make one thing clear, if your company receives a CCPA data breach notice, then you will need to take swift and specific action. Let’s talk about what that should look like next.
Can I appeal a CCPA complaint?
How to appeal a CCPA notice will become of the most common questions businesses ask themselves as soon as enforcement begins.
Fortunately, the CCPA does offer an avenue for appealing CCPA complaints. In fact, the CCPA rules offer a ‘Notice and Cure’ provision allowing businesses to correct CCPA data breaches, which was created to help prevent businesses from being buried in litigation before they can correct all their data privacy protection issues.
The way that CCPA complaints work is that private plaintiffs must provide the business with 30 days written notice before they can become a compliant. The plaintiff must provide a written notice “identifying the specific provisions of this title the consumer alleges have been or are being violated,” before they can file a lawsuit against a business.
This provision is thus a way for businesses to avoid “individual statutory damages or class-wide statutory damages” if the business “actually cures” the violations within 30 days of receiving the consumer’s notice of complaint. The business must also provide the consumer with “an express written statement that the violation has been cured and that no further violations shall occur[.]”
This is what we meant about taking swift and specific action; if the business gets hit with CCPA notices, and immediately corrects the misbehavior, then there is a chance to prevent getting hit with a lawsuit.
If a business ignores the complaint, fails to correct the issue, or violates the written statement, then at the end of the 30 day waiting period, the consumer will be allowed to initiate legal action against the business to enforce the written statement.
The consumer may then pursue statutory damages for each breach of the written statement. CCPA stipulations also allow consumers to pursue statutory damages for each other violation of the title that postdates the written statement.
Because of the way these rules work, it’s going to be incredibly important for businesses to remedy CCPA notices, complaints and issues as efficiently as possible. If your business is regulated by the new CCPA rules, then it’s important to begin laying the groundwork for complying with the new laws right now, as this will help bolster documentation and help secure your business against lawsuits, fines, fees and penalties.
What is a CCPA Cure?
The CCPA’s notice and cure provision will be one of the biggest allies businesses have on their side as they attempt to get compliant with the new CCPA restrictions. This is likely to be one of the most hotly contested areas of the CCPA laws, and it’s likely that it will be frequently used by businesses to continue regular operations for as long as possible. It’s also the only possible answer to the question of how to appeal a CCPA notice, so it’s important to pay close attention to these rules.
Because a business will likely have to find a cure at some point, it’s imperative to understand what constitutes a cure.
The definition of a “cure” has not yet been defined in the official CCPA regulations, so it’ll be up to the business to reach a reasonable understanding of the implementation before the mandated policy begins being enforced.
Data privacy experts recommend that businesses consider the range of possible responses to data privacy notices and breaches, and especially that they look at ways to enhance data security to alleviate the issue and ensure it doesn’t continue in the future. If data breaches continues to happen, your business will be left wide open for lawsuits and potentially lose a large amount of money over what could have been a simple fix.
It’s been speculated that consumers may claim that no cure can fix the issue after the loss of personal information has occurred, but that remains to be seen and will have to be tested in court once CCPA enforcement begins. If this idea is held up in court, it would render the cure provision useless—so many legal experts do not expect that to work out for consumers.
Who do I appeal a CCPA complaint to?
Once a notice of a CCPA breach has been received by the business, they must respond to the consumer with a written statement explaining how the issue has been resolved. The statement issued must also say that the violation will no longer occur.
After that notice has been sent, the consumer won’t be able to pursue action for individual or class-wide statutory damages if the business actually has put a cure in place within that 30-day grace period. It’s one of the most unique parts of the CCPA, and as we explained earlier, was created to help manage growth pains as businesses work to become compliant with all the new data privacy restrictions the law introduced.
Remember though, businesses will only be given 30 days to correct their mistakes and avoid litigation from the public. Because of that limited 30-day window, you’ll want to make sure to keep your data privacy protection guidelines up-to-date and ensure that you have a process in place for handling CCPA notices both quickly and effectively.
And you’ll also need to make sure that your business actually does fix the data privacy breach once you’ve alerted a consumer that a cure has been put in place, because failure to fix the issue after you issue written notice will result in extensive fines. In this case, the Attorney General’s office is almost certainly to rule that your business has made an intentional violation, and will fine you up to $7,500 for each infraction.
Furthermore, failing to enact a cure will open your business up to lawsuits from consumers, who will have the opportunity to pursue civil litigation against the business as well. In this case, they can sue for up to $750 per violation and they can ask to be awarded the money. This will be especially hard to avoid if the business continues to violate the CCPA after the written notice has been given to a consumer.
What is the timeline to file an appeal?
Businesses will have 30 days to respond to a consumer after receiving notice that a CCPA data breach has occurred. The CCPA appeal process is relatively simple, but it’s incredibly important to get it right on the first go since you don’t get a lot of wiggle room in terms of time.
During this time, the business must find a cure to the breach and implement it so that the breach won’t occur again in the future. Once that has been done, the response can be made.
This is important to note because the response must include a written explanation of the cure as well. This effectively gives businesses 30 days to not only respond to the consumer but to also implement a cure as well, which means, you better have the cure plan in place before you receive the notice because you probably won’t have time to start from scratch.
This is why it’s so important to take preventative measures now and ensure that your business has a team ready to handle CCPA notices when they begin getting issued. It’s speculated that businesses will begin getting flooded with CCPA violation notices as soon as the mandate takes effect on July 1, 2020.
Steps to Reduce the Risk of Litigation
One of the most important takeaways from the appeal process is that it’ll always be better to reduce the risk of litigation by putting real data privacy protections in place now, before you’ve received any CCPA notices of data breaches.
One of the first things you’ll want to take note of is the fact that a consumer can’t sue you if the data breach only affected redacted or encrypted personal data. This means that you should encrypt consumers’ data if possible.
There are other options for businesses as well. If a business modifies its terms and conditions to include an arbitration provision and a class action waiver, it’s possible to avoid CCPA class actions entirely. This is one of the easiest ways to reduce the liability of your business or organization. However, some legal experts claim that the Federal Arbitration Act is likely to preempt the provision, and the only way to find out for certain will be once lawsuits start working their way through the courts.
Businesses should work with internal and external counsels to assess the overall quality of cybersecurity programs and determine if they’re in compliance with the new CCPA restrictions. Businesses also need to consult with their third-party partners and vendors to ensure that everyone in the chain is compliant with the CCPA regulations. This should be done to ensure that businesses identify and find a cure for any security deficiencies.
Currently, the CCPA doesn’t define what a “reasonable security procedure” is, but it does refer to them and explain that having them in place will help protect your business from CCPA fines, fees and penalties. It’s likely that this phrase will be interpreted to mean utilizing industry norms for security protocols. Eventually, enforcement precedents will establish what an adequate security procedure actually entails.
Finally, all businesses should create and implement a security breach response plan to anticipate CCPA breach notices. Having this response plan will help a business find, establish, and implement a cure, then respond to the consumer complaint within the allotted 30-day timeframe.
This can quickly become a problem if your business is not prepared, because breaches may affect thousands, if not millions of consumers, so your business may quickly become overwhelmed with the number of notices it receives, and the number of responses it needs to issue.
That makes creating a scalable response plan a vital step in the process of responding to potential CCPA notices and avoiding resulting fines and penalties. Remember, failure to adequately respond to these types of consumer notices will result in extensive fines that can quickly rack up millions of dollars in losses, especially for large data breaches.
While it may not be feasible for every business to enact all of these steps to reduce the chance of litigation, it’s always a good idea to attempt to enact at least a few of them. Even the implementation of one of these ideas could end up saving your business millions of dollars by preventing you from being hit with fines for intentional breaches.
Potential Statutory Damages
California is one of the largest states in the U.S. with almost 40 million residents, so if you’re doing business in the United States, then you will probably be impacted by the CCPA restrictions.
The potential liability the new CCPA laws pose is staggering, as a successful plaintiff against a business will be awarded statutory damages at a minimum of $100 and a maximum of $750 per violation. This may not sound like a lot of money to a large business until you realize that security breaches can result in the loss of hundreds of thousands, if not millions of records.
And you can see how that scales quickly, because a breach impacting millions of individuals means that the responsible business could be on the hook for up to $750 million in damages.
This can become even more troublesome when businesses realize that consumers don’t even need to be affected by a data breach to sue for damages. They simply must have had their information accessed, regardless of whether the breach affected them in any way.
Thanks to the new CCPA guidelines, all businesses should review their data protection processes to determine if they’re impacted by the new rules, how they’ll be impacted by them, and what they need to do to avoid data breaches that could lead to consumer complaints, fines, fees and penalties.
The easiest way to get CCPA compliant will be to hire a data protection privacy expert who can review your business practices for you and inform you of exactly what needs to be done to ensure compliance with the new regulations.
Contact MatrixPoint for Assistance
If your business isn’t prepared to handle CCPA requests, then you’ll leave yourself open to legal repercussions in the form of major fines, fees and penalties, so it’s important to pay close attention to the new CCPA regulations and ensure that your business has a plan in place for dealing with all these new privacy protection requirements.
For assistance in ensuring that your company is able to quickly become CCPA compliant, schedule a free consultation with MatrixPoint.
Call us at 800-683-6983, or simply fill out our contact form.