The California Attorney General Commences CCPA Enforcement

The California Attorney General Commences CCPA Enforcement

A look at enforcement measures and how to leverage ServiceNow to protect your organization.

On July 1, California Attorney General (AG) Xavier Becerra announced that his office had begun enforcing the California Consumer Privacy Act—the new state law that took effect on January 1. In his announcement, AG Becerra urged California consumers to exercise their rights:

“Today we begin enforcement of the California Consumer Privacy Act (CCPA), a first-of-its-kind data privacy law in America. We encourage every Californian to know their rights to internet privacy and every business to know its responsibilities. The website of every business covered by the law must now post a link on its homepage that says, ‘Do Not Sell My Personal Information.’ Click on it. Remember, it’s your data. You now get to control how it’s used or sold.”

He also encouraged Californians to report violations to his office by submitting complaints online at www.oag.ca.gov/report.

While this announcement marked the start of enforcement by the AG’s office, enforcement by California consumers had already started and has been in full effect. Under the CCPA, covered businesses face two types of enforcement actions: 1. Actions brought by the Attorney General; 2. Actions brought by private citizens are referred to as ‘private rights of action.’

Here is a look at the differences between these CCPA enforcement actions along with ways you can leverage your investment in ServiceNow to better protect your organization.

Attorney General Enforcement

Under the CCPA, the California AG may impose and recover civil penalties of up to $2,500 for each non-intentional violation of the law and up to $7,500 for each intentional violation.  While these amounts individually may seem low, they can accumulate quickly. For example, if the AG finds that a business failed to provide adequate notice as required by the law, and it collected personal information from 10,000 consumers, the total statutory penalty could skyrocket up to a whopping $25 million.

To reduce your risk of enforcement action by the AG, as well as these types of fines, make sure you understand the law as well as the regulations the AG’s office uses to enforce the law. Then you can establish and monitor processes to ensure your organization adheres to those requirements.

• Pro Tip: The ServiceNow Governance, Risk, and Compliance (GRC) suite is ideally suited for managing your CCPA compliance policies, privacy notices, and consumer request intake and fulfillment processes as well as for continually monitoring and evidencing compliance with the law.

Please note: At the time of this writing, the regulations are still under review by the California Office of Administrative Law and won’t be finalized until filed with the California Secretary of State, but the AG can enforce the regulations retroactively, going all the way back to January 1^st, 2020, if warranted.

Private Right of Action

While the California Attorney General can pursue enforcement actions and impose fines for any CCPA violation, California consumers can only bring private rights of action for specific types of data breaches, namely those where the breach results in the unauthorized access, exfiltration, theft, or disclosure of their unencrypted and unredacted personal information resulting from a business’s failure to “implement and maintain reasonable security procedures.”

Victims of a data breach may sue for actual damages or statutory damages. While actual damages are not limited, statutory damages are set at $100 to $750 per consumer, per incident (whichever is greater).  Since victims can sue for statutory damages without needing to demonstrate actual harm,[1] businesses that suffer a breach face significant liability. To provide some level of protection for businesses, the CCPA requires victims to first notify the offending business of their intent to file a complaint with the AG. The business has 30-days to respond to the complaint, cure the fault, and provide evidence of the cure. Following that 30-day period, if the problem isn’t fixed, the AG can start enforcement actions.

To reduce your risk of exposure to these types of civil actions, you need to first know what personal information (as defined by the CCPA) you have, where it resides, and how it is ‘touched’ throughout its lifecycle. Then you need to make sure you have implemented a level of security that is appropriate to the types of information you collect, process, or sell, and continually monitor your security processes to ensure protection is continuous.

• Pro Tip: The ServiceNow Security Incident Response, Vulnerability Management, and Threat Intelligence modules as well as the ServiceNow GRC, Vendor Risk Management, and Customer Service Management (CSM) modules can help you significantly reduce this risk, optimize your breach notification response, as well as assist with responses to victim complaints.

Examples of CCPA Lawsuits

Below is a sampling of lawsuits that have been filed since the CCPA was passed. These provide deeper insight into the basis on which civil actions are being brought as well as the broad exposure businesses face as a result of the CCPA.

• Barnes v. Hanna Andersson LLC and Salesforce.com Inc
• Burke v. ClearviewAI, Inc.
• Carol Johnson and Lisa Thomas v. Zynga, Inc.
• Cullen v. Zoom Video Communications, Inc.
• Fuentes v. Sunshine Behavioral Health Group LLC
• Hurvitz v. Zoom Video Communications, Inc., et al., No. 2:20-cv-03400
• C., a minor by and through his natural parent, Nasim Chaudhri and Amy Gitre v. Zynga, Inc.
• Saint Paulus Lutheran Church et al. v. Zoom Video Communications, Inc.
• Sheth v. Ring LLC
• Sweeney v. Life on Air, Inc. et al..
• Taylor v. Zoom Video Communications, Inc.

How Milestone Can Help

Although the California Attorney General just announced that his office is starting to enforce the CCPA, the wave of litigation filed by and on behalf of California consumers drives home the point that is already in effect and opens the door to new potentially significant risks to businesses since these actions assert such a broad variety of requirements. Milestone can help you convert any forthcoming CCPA legal and regulatory requirements into ServiceNow implementation requirements and provide you with a robust privacy compliance program that not only shortens your time to compliance, but also ensures your solution is effective, efficient, and scalable.

Contact us to learn more about how you can leverage your investment in ServiceNow to ensure your organization remains continually compliant and audit ready.

Disclaimer: The author is a technologist, not an attorney. Nothing in this article constitutes or should be construed as legal advice. Always check with your legal, compliance, and privacy teams when designing, implementing, or optimizing any privacy compliance processes or programs.

About the Author

Mike DeAndrea, GRC Practitioner and Advisory Solution Architect, Milestone

With more than 20 years of applied expertise in Governance, Risk, and Compliance, Mike helps Milestone customers understand how they can leverage the power of ServiceNow to meet their regulatory compliance needs in the shortest time.  Mike has extensive experience both as a practitioner and a consultant.  As a practitioner, he managed the compliance efforts of a large enterprise-wide IT operations department of a multi-billion-dollar, multi-national company for several years.  As a consultant, Mike has been helping high-profile customers deploy GRC solutions in ServiceNow for over five years.  He maintains a number of ServiceNow and industry certifications and specializes in designing compliance solutions that are not only effective but also highly efficient, that minimize the time to value, and that drive down the cost, burden, and impact of compliance on your organization. Connect with Mike on LinkedIn.

[1] CCPA Section 1798.150(a)(1): “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to unauthorized access and exfiltration, theft, or disclosure” due to a business’s failure to “implement and maintain reasonable security procedures” may commence a civil action to recover either: 1) actual damages; or 2) statutory damages between $100 and $750 per consumer per incident (whichever is greater).