The CCPA only provides a private right of action to any consumer whose unencrypted sensitive-category information has been breached as a result of a business’s violation of its duty to “implement and maintain reasonable security procedures and practices.”1 But the California Attorney General may bring a civil action against any entity violating the act. Specifically, the CCPA provides that “[a]ny business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.”2 The same section provides that these civil penalties may be assessed and recovered exclusively by the California Attorney General.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA, § 1798.150(a)(1) (referring to those categories of personal information specified under Cal. Civil Code 1798.81.5(d)(1)(A).
2. CCPA, § 1798.155(b).
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.