CCPA Is a Game Changer for Business Data Practices

The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, enacting the broadest privacy protections in the US. The landmark law sets requirements for for-profit companies that collect the personal information of California residents, with significant financial implications for noncompliance.

The law gives California residents the rights to know what information is collected; access, delete, and prevent the sale of that data; and not be discriminated against for invoking these rights.

Law Brings New Risks

Notably, the CCPA contains two provisions that could have material financial impacts:

  1. In the event of noncompliance with the privacy protections, the California attorney general can seek fines of up to $2,500 per privacy violation, or $7,500 per intentional violation. 
  2. In the event of a data breach of nonencrypted and nonredacted personal information that results from a failure to implement reasonable security procedures, California residents can individually, or as part of a class action, pursue a private right of action with statutory damages ranging from $100 to $750 per consumer, per incident, or actual damages, whichever is greater. 

Since statutory damages apply on a per consumer basis and penalties on a per violation basis, the ultimate costs of noncompliance could be significant, especially given the possibility of class-action suits: a data breach affecting 100,000 consumers could, in theory, result in statutory damages of up to $75 million (100,000 consumers at the $750 maximum).

The CCPA also brings a meaningful change to data breach litigation. Until now, it has been difficult for consumers to prove actual damages resulting from data breaches. Statutory damages under the CCPA eliminate that need, making California an attractive forum for data breach class actions. 

Recommended Insurance Reviews

While the private right of action for breaches is already effective, formal enforcement of the privacy protections by the attorney general is not expected to begin until July 2020, by which time California's attorney general is expected to have issued regulations defining the rules for compliance. But organizations must become compliant now by implementing "reasonable security procedures and practices" in their data controls and in their breach prevention and response efforts, since that is the standard against which breach claims will be judged.

Companies should also review applicable insurance policies, with a particular focus on the insurability of potential fines, penalties, and financial liabilities. While the issue remains uncertain, there is a case for the insurability of statutory damages awarded under the private right of action, given that these are assessed on a per consumer basis and are arguably more akin to damages than to penalties. 

While the ultimate determination of insurability will likely be based on the final regulations and subsequent case law, organizations should seek policy wording that offers the best chance for recovery. Relevant policies should include most favorable jurisdiction language with regard to fines, penalties, and punitive damages. 

Regulatory Momentum

The CCPA, along with the EU's General Data Protection Regulation, is just the beginning of a growing privacy regulatory regime, globally and in the US. While the CCPA is limited to California, the Golden State has been a trailblazer when it comes to consumer privacy protections. Some states have similar legislation pending, and others are expected to enact comparable laws, making it essential for organizations to keep tabs on the evolution of privacy regulations in the US and other major markets.

Tim Marlin

North American Cyber Product Development Leader, Marsh