(a) An entity that negligently discloses or shares nonpublic personal information in violation of this division shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation. However, if the disclosure or sharing results in the release of nonpublic personal information of more than one individual, the total civil penalty awarded pursuant to this subdivision shall not exceed five hundred thousand dollars ($500,000).
(b) An entity that knowingly and willfully obtains, discloses, shares, or uses nonpublic personal information in violation of this division shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) per individual violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.
(c) In determining the penalty to be assessed pursuant to a violation of this division, the court shall take into account the following factors:
(1) The total assets and net worth of the violating entity.
(2) The nature and seriousness of the violation.
(3) The persistence of the violation, including any attempts to correct the situation leading to the violation.
(4) The length of time over which the violation occurred.
(5) The number of times the entity has violated this division.
(6) The harm caused to consumers by the violation.
(7) The level of proceeds derived from the violation.
(8) The impact of possible penalties on the overall fiscal solvency of the violating entity.
(d) In the event a violation of this division results in the identity theft of a consumer, as defined by Section 530.5 of the Penal Code, the civil penalties set forth in this section shall be doubled.
(e) The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California in any court of competent jurisdiction by any of the following:
(1) The Attorney General.
(2) The functional regulator with jurisdiction over regulation of the financial institution as follows:
(A) In the case of banks, savings associations, credit unions, commercial lending companies, and bank holding companies, by the Department of Business Oversight, Division of Financial Institutions or the appropriate federal authority; (B) in the case of any person engaged in the business of insurance, by the Department of Insurance; (C) in the case of any investment broker or dealer, investment company, investment adviser, residential mortgage lender or finance lender, by the Department of Business Oversight, Division of Corporations; and (D) in the case of a financial institution not subject to the jurisdiction of any functional regulator listed under subparagraphs (A) to (C), inclusive, above, by the Attorney General.
(Amended by Stats. 2015, Ch. 190, Sec. 35. (AB 1517) Effective January 1, 2016.)
Last modified: October 25, 2018