Having compared scope, individual rights and business obligations, let’s compare the enforcement mechanisms found EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA aka “Version 2.0” of the CCPA that is likely to be on the November 2020 ballot).
All three provide the ability for violators to face administrative civil fines and for consumers to initiate private actions. The GDPR and CPRA provide an independent and dedicated “supervisory authority” to enforce the law, while the CCPA is enforced through the offices of the California Attorney General.
Let’s drill down on each.
Dedicated Supervisory Authority
In the case of regulatory authorities, in the EU each Member State has a dedicated and independent “Supervisory Authority” (SA) that is responsible for enforcement of the GDPR, with the European Data Protection Board providing oversight across all SAs.
In the case of the CCPA, enforcement is through the office of the California Attorney General and there is not a dedicated agency to enforce the CCPA. The California Attorney General (AG) is tasked with adopting regulations re: the CCPA based on public participation. The AG can issue civil fines (see below). Any proceeds from civil actions will go into a dedicated Consumer Privacy Fund.
The CPRA establishes Privacy Protection Agency (PPA), whose primary mission is to “protect the fundamental privacy rights of natural persons with respect to the use of their personal information” and is vested with full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act. The PPA would create a 5-member board who would appoint an executive director. The PPA enforces the CPRA through administrative actions and is also tasked to “promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information.” The PPA is funded through the Consumer Privacy Fund, with annual budget of $10 million from the State’s General Fund. The regulations associated with the CPRA will be adopted by the California Attorney General with “broad public participation” but once the PPA is operational will assume ownership of the regulation process.
The backers of the CPRA — Californians for Consumer Privacy — are heavily messaging the PPA as a major selling point of the ballot initiative, as also shown in screenshots below.
Penalties (Civil Fines)
With the GDPR, a range of penalties can be issued each Member States’ Supervisory Authorities including: (1) fines up to €20 million or 4% of annual worldwide turnover; (2) requiring entities to change how they process personal data; and/or (3) stopping entities from processing data altogether.
The CCPA states that “a business shall be in violation … if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance…” and can “be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation.” This will be assessed and recovered in a civil action brought by the Attorney General.
The CPRA enables the PPA to “investigate possible violations of this title relating to any business, service provider, contractor, or person.” Violators of the CPRA will be given 30 day notice by the PPA, and when the PPA “determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred.” If the PPA determines a violation has occurred, it can issue a cease and desist order, as well order an entity to “pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state.” So note that the CPRA really puts more teeth into fines for violations involving minors’ personal data as compared to the CCPA.
Penalties (Private Rights of Action)
With the GDPR, data subjects have private rights of actions that be filed against controllers and processors. These private rights of actions can be for material or non-material damage. Furthermore, there is mechanism spelled out how to enable a not-for-profit body, organization or association to bring class action claims. Data subjects can also lodge complaints with Supervisory Authorities.
CCPA enables a consumer’s private right of action only in the narrow context of their “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Damages may be “not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater.” There is not another right of action beyond a breach occurring (e.g. no private right of action if a business is not deleting their information upon request). Furthermore, the definition of “personal information” is from a narrower definition of personal information found in existing California law [§ 1798.81.5]. Note that “actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.”
The CPRA enables a consumer’s private right of action if their “nonencrypted and nonredacted personal information” and “whose email address in combination with a password or security question and answer that would permit access to the account” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” The damages and definition of personal information are the same as the CCPA, as well as the 30 day notices but the key differences with the CCPA are (a) the inclusion of the email address/password combo being part of the breach that could trigger a right of private action; and (b) “implementation and maintenance of reasonable security procedures and practices … following a breach does not constitute a cure with respect to that breach.”
Next up will be a cheat sheet for the CPRA ala my cheat sheets for GDPR and CCPA.
[…] provided comparisons of the scope, individual rights, business obligations and enforcement provisions of the GDPR, CCPA and CPRA, and having provided nitty-gritty detailed GDPR vs. CCPA, […]
[…] As you can see form the summary below, again the CPRA puts California on par with the EU and the GDPR with respect to enforcement. […]
[…] me wrong, CCPA and CPRA are great, giving us California residents a bunch of consumer rights and enforcement mechanisms. And CPRA gets California on par with the gold standard of privacy legislation, Europe’s […]
[…] and have done detail comparisons of the scope, consumer privacy rights, business obligations and enforcement of data protection and privacy laws such as the European Union’s General Data Protection […]
[…] With the passing in 2018 of the CCPA, the California Attorney General was tasked with both enforcement of the law as well as tasked with the adoption of the CCPA regulations based on public participation (and the corresponding enforcement of those regulations). So the Cal AG was interestingly tasked by the CCPA to be a regulatory body (which it was not previously) while also an acting as an enforcement arm (with the capabilities to issue civil fines). […]
[…] is a summary comparing GDPR vs. CCPA vs. CPRA as it relates to additional business obligations and enforcement. If you want the nitty-gritty details, which I detail in the links in the last sentence, the […]
[…] Data Protection Regulation (GDPR) in terms of consumer privacy rights, business obligations and enforcement. Clearly the most critical lynch pin is a new administration who would likely prioritize […]
[…] this is false. As I documented here in a comparison of enforcement between GDPR vs. CCPA vs. CPRA, the CPRA is slightly more putative when it comes civil fines than CCPA (e.g. when it comes to […]
[…] Europe’s privacy law (the General Data Protection Regulation or GDPR) requires businesses to report breaches to their country’s “supervisory authority” (an EU member state’s regulatory agency akin to California’s PPA), so having enforcement of breach notification under CalPPA would also parallel standard operating procedures for countries that have a comprehensive privacy law. i.e., it is best practice to have breach notification and privacy enforcement under the same regulatory body. […]