Skip to content

Many modern data privacy statutes rely heavily on regulatory enforcement. The amount of civil penalty that a regulator can see for violations differs between and among the states. It should also be noted, there may be ambiguity within certain states regarding how violations are “counted.” For example, a business might consider the inadvertent selling of personal information found within its database to a third party after an individual has opted-out as “one” violation. A regulator might argue, however, that a separate violation was committed for each data subject whose information was sold to the third party. Ultimately, courts will have to determine whether one act, that might have occurred multiple times, constitutes a single violation or multiple violations. The following chart compares the regulator that is authorized to bring enforcement actions, as well as the civil penalties that the regulator may seek:

Enforcement agency.  Which agency is authorized to enforce the statute. Civil penalty authorized per violation.  What is the maximum civil penalty permitted per violation? Enhanced civil penalty for intentional acts.  What is the maximum civil penalty permitted per violation if the act was intentional?

California 2022

CCPA

Attorney General[1]

Up to $2,500[7]

Up to $7,500[13]

 

California 2023

CPRA

California Privacy Protection Agency or Attorney General[2] Up to $2,500[8]

Up to $7,500[14]

 

Colorado 2023

CPA

Attorney General or District Attorneys[3]

Up to $2,000[9]

($500,000 maximum for related violations)

N/A

Conn. 2023

CTDPA

Attorney General[4] Up to $5,000[10] N/A

Utah 2023

UCPA

Attorney General[5] Up to $7,500[11] N/A

Virginia 2023

VCDPA

Attorney General[6] Up to $7,500[12] N/A

1 Cal. Civ. Code §1798.155(b) (West 2020).

2 Cal. Civ. Code § 1798.199.90(a) (West 2021) (authorizing the attorney general to bring enforcement actions); § 1798.199.55 – 75 (authorizing CPPA to bring enforcement actions).

3 C.R.S. § 6-1-1311(1)(a).

4 Connecticut Substitute Bill No. 6 at § 11(a).

5 Utah Code Ann. §13-61-402.

6 Va. Code § 59.1-580(A).

7 Cal. Civ. Code § 1798.155(b) (West 2020).

8 Cal. Civ. Code § 1798.199.90 (West 2021).

9 C.R.S. § 6-1-1311(c).

10 Connecticut Substitute Bill No. 6 at § 11(e).

11 Utah Code Ann. §13-61-402(3)(d).

12 Va. Code § 59.1-580(B).

13 Cal. Civ. Code § 1798.155(b) (West 2020).

14 Cal. Civ. Code § 1798.199.90 (West 2021).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).