November 27, 2020

Volume X, Number 332


November 25, 2020


CCPA QOTD: What Are the Penalties for Non-Compliance with the CCPA?

Unless you have been living off the grid for the past year, you likely know that we are now down to 13 days and counting to the effective date of the California Consumer Privacy Act (CCPA). We have received hundreds of questions and concerns from clients over the past few weeks as they prepare compliance programs, and thought we would share a question of the day (QOTD).

One of the most frequently asked questions:

What are the penalties for non-compliance with the CCPA (or what happens if we drag our feet)?

The California Attorney General is responsible for enforcement of the CCPA. Section 1798.185(c) of the CCPA provides that the Attorney General cannot bring an action until six months after publication of the final regulations (which are still pending) or July 1, 2020, whichever is sooner. Attorney General Becerra has made it clear, however, that actions brought after July 1 may relate to conduct between January 1 and July 1, 2020. Civil penalties can range from $2,500 for a non-intentional violation to $7,500 for an intentional violation. A business is not liable if it cures any noncompliance “within 30 days after being notified of alleged noncompliance” (although some types of noncompliance – or a data breach – may not be capable of “cure”).

The CCPA also contains a private right of action that consumers can bring under certain circumstances if a business experiences a data breach. Importantly, the exemptions in the CCPA for personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), employee/applicant personal information, or personal information collected by business-to-business transactions and interactions do not exempt the covered business from the CCPA private right of action for data breaches.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

National Law Review, Volume IX, Number 352



About this Author

Cynthia Larose
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...