For complex, trail-blazing pieces of legislation, the passage of the law often represents the beginning of a long process of interpretation by the courts, clarifying amendments, and compliance challenges. The passage of the California Consumer Protection Act (CCPA) means businesses operating within or serving California consumers have to make adjustments to the way they handle and share consumer data. We’ve identified some of the key challenges with the CCPA below:
With new CCPA regulations in effect as of January 1, 2020, the predominant question businesses are asking remains: Who must comply? As the law is written today, the CCPA affects:
It’s a common misconception that a business must be physically located in California. In fact, the law defines a consumer as “a natural person who is a California resident,” so if you have even one piece of information from someone living in California, your business must comply.
The CCPA takes a much broader view of personal data than the European Union’s General Data Protection Regulation (GDPR). According to the CCPA, personal information is “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The collection of personal data can come from far more than websites – including smart thermostats, smart appliances, smartwatches, mobile apps, voice-activated shopping assistants, and anything included in the Internet-of-Things.
If a California consumer’s data gets hacked on your watch, he or she may initiate a civil action seeking to recover damages from $100-$750 per incident or actual damages, whichever is greater. On top of the damages paid to individuals who suffered financial loss from a data breach, there are CCPA fines of $2,500 per accidental violation and $7,500 per intentional violation. It’s important to note that a “violation” is one affecting just one person, not a group of people in one security breach incident. One “incident” could include thousands of fines added on top of one another to represent a catastrophic loss. In addition, the courts can mandate “any other relief the court deems proper” – in other words, punitive damages, to which the sky’s the limit.
Businesses are given 30 days to right the wrong of an alleged violation of privacy rights. Failure to remedy noncompliance opens the door to lawsuits. Affected businesses should be proactive to avoid these situations. A class action can arise from more than just a breach; it can arise from any non-adherence to CCPA requirements, like the failure to delete personal information or the lack of a “Do Not Sell My Personal Information” opt-out on the website. Defending these actions represents a substantial financial loss, not to mention a loss of consumer confidence and reputation.
Contact Heffler Claims Group to learn more about the enactment of the CCPA and to request a proposal regarding our comprehensive in-house services. With more than 50 years as a leader in consumer class action settlement administration, we are prepared to meet the challenge of any new legislative hurdle.