A Legal Guide to PRIVACY AND DATA SECURITY 2024

online. Consumers must be able to actually opt out of the sale of their personal information by clicking a link and businesses are forbidden from discriminating against consumers for exercising this right. The CCPA also gives consumers the right to request the deletion of their personal information. Businesses must honor these requests except for in certain circumstances. The CCPA is enforceable by the California Attorney General and authorizes a civil penalty of up to $7,500 per violation. The law has a private right of action. This private right of action allows lawsuits in the event of a data breach and the failure of a business to have maintained reasonable data security. The CCPA private right of action includes statutory damages of up to $750 per incident in the event of a data breach. If 50,000 records of a California resident are involved in a data breach and the business failed to have reasonable data security in place, a potential claim under the CCPA may exceed $37.5 million. With statutory damages the plaintiff’s lawyer does not need to show any actual harm to the individual caused by such data breach. Final regulations for the CCPA were approved and enforcement by California’s Attorney General commenced July 1, 2020. The first of its kind private right of action and statutory damages allowed in the CCPA has resulted in numerous class action lawsuits and other CCPA related litigation. The first major enforcement action taken by the California Attorney General under the CCPA resulted in a $1.2 million settlement with Sephora, a French cosmetics brand. Sephora allegedly failed to disclose to consumers it was selling their personal information; failed to honor user requests to opt out of sale via user-enabled global privacy controls; and did not cure these violations within the 30-day period allowed by the CCPA.

113

Made with FlippingBook - Online Brochure Maker