Shortly after California’s Consumer Privacy Act (CCPA) was enacted in January 2020, it imposed significant obligations on businesses in relation to the processing of personal data and also introduced an array of consumer rights. It was extensively amended by California voters on November 3rd, 2020, through the California Privacy Rights Act (CPRA), also known as Proposition 24.
As the CPRA goes into effect on January 1st, 2023, businesses must plan and prepare for some significant changes brought about by the amending legislation, such as an expanded ‘private right of action,’ to ensure compliance with the revised legal framework.
CCPA’s Private Right of Action
The private right of action is a fundamental component of the U.S. judicial system. It entitles individuals to bring legal actions against entities who have wronged them and to seek redressal and restitution for the harm that they have suffered through compensatory remedies.
The CCPA, through Cal. Civ. Code § 1798.150 read with Cal. Civ. Code § 1798.82, authorizes consumers to initiate legal proceedings against businesses in the event their non-encrypted and non-redacted personal information becomes subject to unauthorized access and exfiltration, theft, or disclosure, due to the lack of implementation and maintenance of appropriate security measures by a business.
As a result of such proceedings, the consumers could recover monetary damages ranging from $100 to $750 per consumer per incident, or actual damages, whichever is greater or obtain other relief from the court.
CCPA Private Right of Action Cure Period
The CCPA obligates consumers to provide 30 days' written notice to a business identifying the legal provisions being violated, prior to initiating any action for statutory damages. In the event the business cures the violations within 30 days and provides the consumer with an express written statement to this effect, while also certifying that no further violations shall occur, no action for statutory damages can be initiated against the business.
It is important to note here that the implementation and maintenance of reasonable security measures by a business following a breach do not constitute a cure for such a breach.
A consumer is not obligated to provide the foregoing notice where they initiate a civil action solely to recover actual pecuniary damages suffered due to the violations of the CCPA by a business.
Moreover, if a business continues to violate the CCPA in breach of the express written statement provided to the consumer, the consumer may initiate an action against the business to enforce the written statement and pursue statutory damages for not only the breach of the statement but also any other CCPA violation that postdates the statement.
CPRA’s Amendment of CCPA’s Private Right of Action
The CPRA expands the scope of Cal. Civ. Code § 1798.150, and further authorizes consumers to bring legal action against businesses if their email address in combination with a password or security questions and answers (that would permit access to an online account), is subject to unauthorized access and exfiltration, theft, or disclosure, as a result of a business’s failure to implement and maintain appropriate security measures to protect their personal information.
Secondly, the CPRA clarifies that the implementation and maintenance of reasonable security procedures and practices pursuant to Cal. Civ. Code Section 1798.81.5 following a breach will not constitute a cure with respect to that breach - this really then leaves a big unanswered question: how can a business cure a data breach?
CPRA Data Types and Litigation
The comprehensive breakdown of personal data categories for which data breach litigation will be allowed under the CPRA as of January 1, 2023, and for which it is currently allowed under the CCPA, is shown below.
| Data Types | Permitted As Subject of Breach Litigation under CCPA | Permitted As Subject of Breach Litigation under CPRA (Beginning January 1, 2023) |
|---|---|---|
| Social Security Number (with name) | ✓ | ✓ |
| Driver’s license number (with name) | ✓ | ✓ |
| California identification card number (with name) | ✓ | ✓ |
| Tax identification number (with name) | ✓ | ✓ |
| Passport number (with name) | ✓ | ✓ |
| Military identification number (with name) | ✓ | ✓ |
| Other unique identification number issued on a government document used to verify identity. (with name) | ✓ | ✓ |
| Financial account number (which permits access to the account) (with name) | ✓ | ✓ |
| Credit card number (with required security code or password) (with name) | ✓ | ✓ |
| Debit card number (with required security code or password) (with name) | ✓ | ✓ |
| Medical information (with name) | ✓ | ✓ |
| Health insurance information (with name) | ✓ | ✓ |
| Unique biometric data (with name) | ✓ | ✓ |
| Email address along with password or security question and answer that would grant access to an online account | ✓ |
The Impact of CPRA’s Private Right of Action
Undoubtedly, the enforcement of the CPRA will significantly broaden the scope of consumers’ right to private action against businesses for breach of their personal information. This legal amendment is expected to cause a substantial increase in the number of legal actions initiated against businesses, due to the fact that many data breaches only include the exposure of email addresses and the relevant passwords or security questions and answers, ultimately providing access to a user account.
The CPRA emphasizes that businesses collecting consumers’ personal information should implement reasonable security procedures and practices appropriate to the nature of the information, so as to protect the information from unauthorized or illegal access, destruction, use, modification, or disclosure.
Therefore, it is essential for businesses to keep accurate records of the personal data they process, conduct regular risk assessments, and implement and maintain appropriate security measures to protect personal data.
How Businesses Should Improve their Security Posture
The following are a few ways in which businesses can start to improve their security posture and protect the personal data of consumers:
Conduct Regular Security Audits
The objective of security audits is to eliminate risk. Businesses must regularly examine their data protection measures by planning ahead and conducting regular audits to identify weaknesses in their existing security framework and infrastructure.
Develop a Security Strategy
The explosion of internet-enabled devices has brought forth many opportunities and challenges in relation to digital privacy and security. Businesses must appropriately retain records of the massive influx of personal data and adopt appropriate security strategies, including robust encryption and secure backup systems to provide security safeguards that are reasonable and proportionate to the level of risk related to the personal information in question.
Appoint a Security Professional
Businesses subject to the CPRA’s regulations must appoint a dedicated resource that administers their data security posture.
Provide Training
The amendment of the CCPA through the CPRA is evidence that data privacy rules are continually changing. Businesses should aim to regularly train their staff on the evolving privacy laws, the value of data security, current and upcoming security trends, and appropriate preventative measures.
How Securiti Can Help Businesses Ensure CPRA Compliance
Statutory damages under the CPRA may range from $100 to $750 per consumer per occurrence. Moreover, consumers could also be awarded the actual damages they suffered due to a breach of their personal data. As breaches frequently involve hundreds of thousands or even millions of user’s data, the quantum of pecuniary penalties could be catastrophic for businesses.
Securiti can help enterprises in achieving CPRA compliance. Securiti’s AI-driven Data Controls Cloud, among other functionalities, enables organizations to implement automated controls around data mapping, generating reports of processing activities, and risk assessments to assist them in keeping accurate records of all personal data processed by them and the risks posed by any such processing activities. This helps organizations in devising appropriate security measures catered to the protection of personal data owned, maintained, or licensed by them.
Request a demo of Securiti's tools to see them in action.
Learn more about how to comply with CPRA.
