Comparing Enforcement: GDPR vs. CCPA vs. CPRA
Having compared scope, individual rights and business obligations, let’s compare the enforcement mechanisms found in the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA, aka “Version 2.0” of the CCPA, which is likely to be on the November 2020 ballot).
Executive Summary
Under all three, violators can face civil fines and consumers can initiate private actions. The GDPR and CPRA provide an independent and dedicated “supervisory authority” to enforce the law, while the CCPA is enforced through the office of the California Attorney General.
Let’s drill down on each.
Dedicated Supervisory Authority
In the EU, each Member State has a dedicated and independent “Supervisory Authority” (SA) that is responsible for enforcement of the GDPR, with the European Data Protection Board providing oversight across all SAs.
In the case of the CCPA, enforcement is through the office of the California Attorney General and there is no dedicated agency to enforce the CCPA. The California Attorney General (AG) is tasked with adopting regulations regarding the CCPA based on public participation. The AG can issue civil fines (see below). Any proceeds from civil actions will go into a dedicated Consumer Privacy Fund.
The CPRA establishes the Privacy Protection Agency (PPA), whose primary mission is to "protect the fundamental privacy rights of natural persons with respect to the use of their personal information" and which is vested with full administrative power, authority and jurisdiction to implement and enforce the California Consumer Privacy Act. The PPA would have a 5-member board, which would appoint an executive director. The PPA enforces the CPRA through administrative actions and is also tasked to "promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale and disclosure of personal information." The PPA is funded through the Consumer Privacy Fund, with an annual budget of $10 million from the State’s General Fund. The regulations associated with the CPRA will initially be adopted by the California Attorney General with "broad public participation," but once the PPA is operational it will assume ownership of the regulation process.
The backers of the CPRA — Californians for Consumer Privacy — are heavily messaging the PPA as a major selling point of the ballot initiative, as also shown in screenshots below.
Penalties (Civil Fines)
With the GDPR, a range of penalties can be issued by each Member State’s Supervisory Authority, including: (1) fines up to €20 million or 4% of annual worldwide turnover; (2) requiring entities to change how they process personal data; and/or (3) stopping entities from processing data altogether.
The CCPA states that "a business shall be in violation ... if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance…” and can “be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation.” This will be assessed and recovered in a civil action brought by the Attorney General.
The CPRA enables the PPA to "investigate possible violations of this title relating to any business, service provider, contractor, or person." Violators of the CPRA will be given 30 days’ notice by the PPA, and when the PPA "determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred." If the PPA determines a violation has occurred, it can issue a cease and desist order, as well as order an entity to "pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state." Note that the CPRA puts considerably more teeth into fines for violations involving minors’ personal data as compared to the CCPA.
Penalties (Private Rights of Action)
With the GDPR, data subjects have private rights of action that can be filed against controllers and processors. These private rights of action can be for material or non-material damage. Furthermore, a mechanism is spelled out for enabling a not-for-profit body, organization or association to bring class action claims. Data subjects can also lodge complaints with Supervisory Authorities.
The CCPA enables a consumer's private right of action only in the narrow context where their "nonencrypted and nonredacted personal information" was "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices." Damages may be "not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater." There is no other private right of action beyond a breach occurring (e.g. no private right of action if a business does not delete a consumer's information upon request). Furthermore, the definition of "personal information" used here is the narrower one found in existing California law [§ 1798.81.5]. Note that "actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business."
The CPRA enables a consumer's private right of action if their "nonencrypted and nonredacted personal information" and their "email address in combination with a password or security question and answer that would permit access to the account" were "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices." The damages and the definition of personal information are the same as in the CCPA, as is the 30-day notice requirement, but the key differences from the CCPA are (a) the inclusion of the email address/password combination as part of the breach that could trigger a private right of action; and (b) "implementation and maintenance of reasonable security procedures and practices … following a breach does not constitute a cure with respect to that breach."
Next up will be a cheat sheet for the CPRA, à la my cheat sheets for the GDPR and CCPA.