Shortly before enforcement of the California Consumer Privacy Act (CCPA) began on July 1, 2020, a privacy advocacy group called Californians for Consumer Privacy (CFCP) announced it had collected close to one million signatures to place Proposition 24 on the November 2020 ballot.
Proposition 24 passed on November 3, 2020. Before anyone could gauge how effective the CCPA was, Californians voted to expand and modify it by enacting the California Privacy Rights Act (CPRA), which amends the CCPA rather than replacing it.
The CPRA's amendments took effect on January 1, 2023. They make important changes that businesses need to address to ensure compliance.
Even if your business has no physical presence in California, if it does business there, one of the major issues you will have to take into account is the CPRA's expanded private right of action.
The CPRA amends the CCPA's private right of action (California Civil Code Section 1798.150(a)(1)). Before the amendment, the provision read as follows:
(1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.
The CPRA changes this by allowing consumers to sue over data breaches that involve an additional category of personal information.
Specifically, the CPRA adds an email address in combination with a password, or with a security question and answer, that would permit access to the account, to the categories of personal information whose breach is actionable under the law.
Under the unamended CCPA, a breach of login credentials for an account that did not expose financial, payment, or health information (or the other categories listed in Section 1798.81.5(d)(1)(A)) did not give a consumer the right to sue for statutory damages. With the CPRA amendments in force since January 1, 2023, it does.
The consequences of the CPRA's expansion of the CCPA's private right of action are likely to be considerable, because a large share of data breaches consist of nothing more than the disclosure of email addresses together with their associated passwords or security questions and answers.
Under the unamended CCPA, that was not enough for a person to seek statutory damages. Remember, though, that credential lists of exactly this kind circulate on dark web forums and marketplaces, and that attackers routinely replay them against other commercial websites (credential stuffing), counting on users having reused the same password across accounts. Note also the two elements the statute still requires: the information must have been nonencrypted or nonredacted, and the breach must result from the business's failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
Now that the CPRA amendments are in effect, a marked increase in class action lawsuits is plausible as consumers and attorneys begin bringing claims under the expanded provision.
Recall that data breaches often include the stolen data of potentially millions of users.
For example, in 2020 alone, there were several massive data breaches like that of OneClass. As Forbes noted, "An improperly-secured online database has left the private information of more than a million students exposed."
Another and even worse breach happened in June 2020 when BlueKai, a company owned by U.S. tech giant Oracle, left over two billion records exposed on a server without a password.
As Techdirt reported:
"Security researcher Anurag Sen found the database and reported his finding to Oracle through an intermediary -- Roi Carthy, chief executive at cybersecurity firm Hudson Rock and former TechCrunch reporter.
TechCrunch reviewed the data shared by Sen and found names, home addresses, email addresses, and other identifiable data in the database. The data also revealed sensitive users' web browsing activity -- from purchases to newsletter unsubscribes."
Consider that statutory damages range from $100 to $750 per consumer per incident under the expanded private right of action, and that these are statutory damages, recoverable even when actual damages are lower. Multiplied across a breach affecting millions of users, the exposure for a company that failed to maintain reasonable security could be enormous.
The CPRA both narrows and broadens the set of companies covered by the law. Along with businesses that buy or sell personal data, the CPRA extends the CCPA's reach to companies that share personal data (for example, for cross-context behavioral advertising).
On the other hand, the CPRA raises one of the law's applicability thresholds: it now covers businesses that buy, sell, or share the personal information of 100,000 or more consumers or households per year, up from the CCPA's threshold of 50,000 consumers, households, or devices.
The bottom line is that this narrows how the law applies to small and midsize businesses, though a business that meets one of the law's other applicability thresholds, such as the annual revenue test, is still covered.
The CPRA adds the right of consumers to opt-out of cross-context behavioral advertising. In other words, individuals can opt out of allowing a company to track their activities across various websites and devices for the purposes of targeted and personalized advertising.
Consumers can opt out whether or not the company's cross-context behavioral advertising involves any sale of personal data.
Another major change made by the CPRA is that companies must now tell their employees, independent contractors, and job applicants whether they are collecting personal information about them and for what purposes.
Moreover, the CPRA protects employees from retaliation by extending its anti-retaliation and anti-discrimination protections to employees who exercise their rights under the law.
Under the CPRA, administrative fines remain $2,500 per violation and $7,500 per intentional violation, the same amounts as under the CCPA. What changes is that violations involving the personal information of consumers the business knows are under 16 years of age draw the $7,500 penalty whether or not they are intentional, three times the base amount.
The CPRA sets aside $10 million per year to establish and operate a new state agency, the California Privacy Protection Agency, tasked with investigating violations and enforcing California's consumer privacy laws.
Additionally, the new state agency will receive a portion of the settlements and fines it collects from businesses that violate the CCPA/CPRA.
The CPRA updates and expands upon the CCPA's rules governing a consumer's private right to action.
California consumers are permitted to "institute a civil action" if their personal information is subject to unauthorized access and exfiltration, theft, or disclosure, and that breach resulted from a violation of the business's duty to protect it.
In other words, this is when a company fails to "implement and maintain reasonable security procedures and practices" appropriate to the nature of the information.
Finally, under the CPRA, the consumer's private right of action remains confined to security breaches; other violations of the law are enforced by the state, not through private lawsuits.
However, the CPRA expands the CCPA's definition of the personal information whose breach can support a lawsuit to include an email address in combination with a password, or with a security question and answer, that would permit access to the account.