In Part II of our series on CCPA Foundations, we will explore the Enforcement & Fines associated with this new legislation.

You can view Part I of this series here

The Right to Opt-Out

Individuals may opt-out of having their information sold. 

Requirements

  1. At anytime, an individual can direct an organization or its third parties to not sell their PII
  2. When an individual opts-out of having their PII sold, the organization must:
    1. Respect that decision going forward
    2. Respect the individual’s decision for at least 12 months
      1. After 12 months, the organization may ask the individual if the organization may sell their PII
    3. Not use any PII collected to fulfill the individual’s opt-out request for any other purpose

The Right to Opt-In

Minors must opt-in to having their data sold

Requirements

  1. Organizations may not knowingly sell the personal information of minors 
    1. A minor is anyone under 16 years old
    2. If the minor is under 13 years old, explicit consent from the minor’s parent/guardian must first be obtained
  2. Organizations that willfully disregard an individual’s age will be considered to have had actual knowledge of the individual’s age

The Right to be Forgotten

Individuals may have their data deleted. 

Requirements

  1. Individuals have the right to request that an organization delete any or all of the individual’s PII that the organization has on the individual
    1. Organizations must disclose this right to individuals
  2. When an organization receives a verifiable request from an individual to have their PII deleted, the organization must:
    1. Delete the individual’s PII from its records
    2. Direct any and all third-parties that had the individual’s PII to delete the individual’s PII from their records

Exceptions

Organizations are exempt from complying with an individual’s request to have their PII deleted if the PII is needed to:

  1. Do any of the following:
    1. Complete a transaction for which the personal information was collected
    2. Enable internal activities that are reasonably aligned with the consumer’s expectations of the business
    3. Provide a good/service either:
      1. Requested by the consumer
      2. Reasonably anticipated within the context of the business’s ongoing business relationship with the consumer
    4. Perform a contract between a business and the consumer
    5. Detect security incidents
    6. Protect against activities that are:
      1. Malicious
      2. Deceptive
      3. Fraudulent
      4. Illegal
    7. Prosecute those responsible for the aforementioned activities
    8. Internally & lawfully use the individual’s PII for other purposes compatible with the context in which the consumer provided the information
  2. Identify & repair errors (e.g., debug) that impair existing, intended functionality
  3. Allow for the:
    1. Exercise of free speech, either by the individual or another individual
    2. Exercise of another right that’s provided by law
  4. Comply with the California Electronic Communications Privacy Act
  5. Engage in public or peer-reviewed scientific, historical or statistical research if:
    1. The deletion of data is likely to seriously impair or make impossible the research
    2. The research is in compliance with all applicable ethics and privacy laws
  6. Comply with other laws & regulations

The Right to the Same Services & Prices

Individuals are entitled to the same services and prices regardless of whether they exercise their privacy rights.

Requirements

Organizations may not discriminate against individuals if they exercise any of their privacy rights, including but not limited to:

  1. Denying goods/services to the individual
  2. Charging the individual different prices or rates for goods/services, including through:
    1. Providing discounts or other benefits
    2. Imposing penalties
  3. Providing or suggesting that the individual will receive a different level or quality of goods/services
  4. Organizations may, however, offer financial incentives (e.g., payments) to consumers for the collection, sale or deletion of the consumer’s personal information
    1. Organizations offering financial incentives must notify individuals of these financial incentives
    2. Organizations may enter consumers into a financial incentive program only if:
      1. The individual:
        1. Chooses to opt in
        2. Can opt out at any time
      2. The material terms of the program are clearly described
    3. Businesses may not use financial incentive practices that are any of the following in nature:
      1. Unjust
      2. Unreasonable
      3. Coercive
      4. Usurious

Exceptions

Organizations may charge a different price/rate or a different level/quality of goods/services if that difference is reasonably related to the value provided to the individual by the individual’s data.

CCPA Enforcement & Fines

What Constitutes a Violation

  1. An organization is in violation of CCPA if it fails to cure any alleged violations within 30 days of being notified of the potential violation
  2. A “potential violation” is considered to have occurred when:
    1. Any individual’s unencrypted or non-redacted PII has been exfiltrated, stolen or disclosed in an unauthorized manner
    2. The unauthorized exfiltration, theft or disclosure was a result of the business not implementing and maintaining a security program that appropriately protects the types of PII the organization handled

How an Organization Can be Fined

Individuals may bring a civil lawsuit (individual or class-action) against organizations who have potentially violated CCPA. This lawsuit may only occur if all of the following conditions are met: 

  1. The individual has provided the organization with 30 days’ notice
    1. The notice must specifically identify how the organization is believed to have violated (or be violating) CCPA
  2. Within 30 days of filing a suit, the individual instigating the lawsuit must notify the California Attorney General that the action has been filed
    1. The Attorney General must do one of the following within 30 days of receiving the aforementioned notice:
      1. Notify the individual that the Attorney General intends to prosecute within 6 months
        1. If the Attorney General does not prosecute within 6 months, the consumer may proceed with their action
      2. Refrain from acting within 30 days, allowing the consumer to proceed with their action
      3. Notify the individual that the individual may not proceed with their lawsuit 

An organization may not be sued if all of the following conditions are met:

  1. A fix is possible
  2. The business:
    1. Fixes the alleged issue within 30 days of the notice
    2. Notifies the individual that the violations have been cured and that no further violations will occur

If the organization nonetheless continues to violate CCPA, the individual may initiate action against the business.

Fines

Fines are categorized into two types of violations - intentional and unintentional violations.

Fines for Intentional Violations

Any organization, service provider or person that intentionally violates CCPA is liable up to $7,500 per violation.

Fines for Unintentional Violations

The following civil actions may be imposed on an organization violating CCPA:

  1. Whichever is greater:
    1. A fine of $100 to $750 per individual per incident
    2. Actual damages to the individual
  2. Injunctive/declaratory relief
  3. Any other relief the court deems proper

When assessing how much to fine, the courts are to consider any relevant information related to the case, including:

  1. The nature/seriousness of the misconduct
  2. The number of violations
  3. The persistence of the misconduct
  4. The length of time of the misconduct
  5. The willfulness of the defendant’s misconduct
  6. The defendant’s:
    1. Assets
    2. Liabilities
    3. Net worth

Other Info

Any organization or third-party can receive guidance from California’s Attorney General on how to comply with CCPA.