Latimer LeVay Fyock, LLCLatimer LeVay Fyock, LLC

The Implications of the California Privacy Rights Act to Non-Ccalifornia Companies Part 3

Colin T.J. O'Brien

My prior blog posts discussed the triggers that will determine which businesses will be obligated to abide by the terms of the California Consumer Privacy Act (“CCPA”) California Privacy Rights Act (“CPRA”), collectively referred to as the “CCPA” and the potential private causes of action. These posts can be found here:

The Implications of the California Privacy Rights Act to Non-Californian Companies Part 1
The Implications of the California Privacy Rights Act to Non-California Companies Part 2

Given the complexity of the CCPA, a rational business owner may wonder if it is even necessary to spend the money to comply with the California law, particularly if their business does not conduct many sales in that state.

As outlined below, business owners should make compliance with the CCPA a priority as there can be both state and private causes of action available against a business deemed to have violated the CCPA.  This post focuses on the California Privacy Protection Agency which will become operational on January 1, 2023 but have the authority to look back on the collection of consumer information gathered by businesses since January 1, 2022.

Section 1798.199.10)(a) of the CCPA states:

There is hereby established in state government the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act. 

Section 1798.199.40 lays out the functions of the California Privacy Protection Agency which are which a particularly broad including:

  • Administer, implement, and enforce through administrative actions the CCPA
  • Carry out the purposes and provisions of the CCPA, including regulations specifying record keeping requirements for businesses to ensure compliance with this title.
  • Protect the fundamental privacy rights of natural persons with respect to the use of their personal information.
  • Promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information, including the rights of minors with respect to their own information, and provide a public report summarizing the risk assessments
  • Provide guidance to consumers regarding their rights under this title.
  • Provide guidance to businesses regarding their duties and responsibilities under the CCPA
  • Conduct audits of businesses to ensure compliance with this title pursuant to regulations adopted
  • Cooperate with other agencies with jurisdiction over privacy laws and with data processing authorities in California, other states, territories, and countries to ensure consistent application of privacy protections.
  • Establish a mechanism pursuant to which persons doing business in California may voluntarily certify that they are in compliance with the CCPA.
  • Perform all other acts necessary or appropriate in the exercise of its power, authority, and jurisdiction, and seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses.

Additionally, if the California Privacy Protection Agency finds a violation of the CCPA it can order businesses to pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor. 

Conclusion

The California Privacy Protection Agency will be a major factor for businesses- even those not based in California – will have to address in the near future when it comes to protecting their customers data.  Now is the time for businesses to begin the process of complying with the CCPA before they run afoul of the California Privacy Protection Agency.   The final post in this series which focus on what businesses should start doing to make sure they will be in compliance with the California laws and regulations.

Let Us Help

If you are a business owner who needs assistance ensuring that your business complies with the CCPA or other data privacy regulations, we welcome the opportunity to help. Please contact one of our data protection attorneys Colin O’Brien at cobrien@llflegal.com, John Ambrogi at jambrogi@llflegal.com Brian LeVay blevay@llflegal.com or Avery Buffa abuffa@llflegal.com if you have any questions or comments.