The CCPA is coming: Businesses Face Both Risks and Opportunities

By Guy Cohen - July 23, 2019

The California Consumer Protection Act (CCPA) goes into effect Jan. 1, 2020 and many organizations are already working to ensure compliance. Wisely so. 

Investing resources required to be fully compliant – particularly when it comes to safeguarding customers’ private personal information – mitigates the risk of regulatory penalties and brand erosion from loss of customer trust.

But what exactly are the risks of non-compliance? While many businesses are familiar with the large fines levied for violations of the UK’s year-old General Data Protection Regulation (GDPR), what’s the equivalent for the CCPA?  

There are two types of enforcement under the CCPA – enforcement action taken by the California Attorney General’s Office (AGO); and enforcement action taken by private individuals, in what is known as a private right of action (PRA).

Under the CCPA and existing California law, the AGO can fine up to $2,500 for an unintentional violation, and up to $7,500 for an intentional violation. As each individual affected constitutes a violation, this means the maximum CCPA fines could dwarf those of GDPR. 

For example, if a company were to “intentionally sell” the data of 1,000,000 people in contravention of the CCPA, they could face a penalty of up to $7.5 billion.

On the face of it this looks like a serious risk, and for those companies likely to be in the AGO’s crosshairs because of their previous privacy violations it may well be. But for most companies it’s unlikely to come up in the near term. That’s because the AGO doesn’t have the resources to enforce more than about three cases a year

For context, California’s economy is roughly the same size as the UK’s, but the California AGO has budget for just 23 staff working on the CCPA (and some of them 23 will be working on other regulatory issues) compared to the Information Commissioner’s Office which has over 700.

The Attorney General, Xavier Becerra, has repeatedly said he is under-resourced, and has described the CCPA as presenting ‘unworkable obligations and serious operational challenges’ on his office. So, although the impact is potentially very high, the likelihood of the AGO investigating any company is very low. 

But what about the Private Right of Action? The first thing to note is that the PRA, unlike the AGO’s powers, is restricted to just dealing with harms resulting from a data breach. More specifically:

Any consumer whose nonencrypted or nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices… may institute a civil action… To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater

This presents a much bigger issue for most organizations, as there is no limit on the number of private civil actions that might be launched, and the cost, while lower than that of the AGO, could still be very large. The Equifax breach affected roughly 15 million Californians, meaning that if there were a similar breach to happen under the CCPA, they could have been liable for over $11 billion in claims, just on the grounds of distress caused.

It’s worth noting that many people, including the AGO, are campaigning to have the PRA expanded to cover any violation of the CCPA. This amendment has been held for now but could come back next year. 

So, what proactive measures can organizations take to reduce their exposure to CCPA violations?

Importantly, effective de-identification can put data outside the jurisdiction of the CCPA. While this is also an area where amendments are being debated, as of now de-identified data is out of the CCPA’s scope, and if it is breached, there is no liability for the organization. Therefore, effectively anonymizing data wherever possible is an important part of a comprehensive risk-management strategy.

Additionally, effective de-identification and other date-privacy initiatives that protect customers’ sensitive, personal data can yield added benefits. Delivering uncompromised data privacy is essential for businesses to conduct safe, ethical data analyses that will provide the data-driven insights required to improve their products, services and outcomes.

The CCPA also addresses the concept of pseudonymization. While this is still within the scope of the CCPA, pseudonymous data poses a reduced risk to the individual and so in the event there is a breach the impact on the affected individuals, and therefore the likely level of distress and potential claim size, will be reduced. 

Additionally, using pseudonymization and other privacy-enhancing tools and techniques can help organisations to demonstrate they had taken reasonable security precautions, further reducing their potential liability.