



If your business operates from California or offers services and products to Californians, you need to be aware of the CCPA fines. California has multiple consumer data privacy laws, and you’ll get a fine if you violate them. Learn about CCPA penalties here.
As stated under Section 1798.155 of the CCPA, violations that lead to fines are not limited to data breaches, as in many other US states. CCPA regulations have far more requirements, including CCPA rights, consumer requests, deletion requests, opt-out requests, privacy notices, and others.
We have a CCPA course that introduces you to the CCPA and other privacy regulations and to what they require from your business, so that you can avoid enforcement action by the California Attorney General and avoid paying fines.
California Consumer Privacy Act (CCPA) is California’s most comprehensive privacy law that regulates how private companies should handle the personal information of individuals and households.
It was passed in 2018 and came into effect on 1 January 2020.
Since then, the for-profit companies that operate in California and meet at least one of the following criteria must comply:
Unlike the GDPR and many other privacy laws worldwide, the California law on consumer data protection does not apply to all companies. It applies only to those that meet the criteria.
Although the thresholds may seem as if they were made to target only large companies, in reality, many small companies could easily fall under the scope of the CCPA. For example, these days, it is not hard for a retailer to collect the personal data of 50,000 California residents through Google Analytics or Meta Pixel, so you need to be careful and determine whether the CCPA applies to you and whether you are under the scrutiny of CCPA penalties.
If the CCPA applies to you, then you need to be aware of the following requirements for your business:
Violations of the CCPA will trigger enforcement action by the California Attorney General. That may end in hefty fines.
California Privacy Rights Act (CPRA), also commonly known as CCPA 2.0, is a new law built on the CCPA provisions. It is a separate regulation, but the provisions are made in a way that looks like an amendment to the CCPA.
The two laws do not contradict each other. They complement each other, creating rules that some businesses operating in California need to follow.
CPRA requirements that complement CCPA obligations include:
Simply put, CPRA expands some of the CCPA legal requirements. It also establishes an agency specialized in tackling consumer privacy violations and removes the remedy period for businesses.
Any violation of the law can lead to a CCPA (and CPRA) penalty. The most common violations include the following:
Any company to which the CCPA applies may be hit by a CCPA penalty.
As long as the CCPA applies to your business and you violate the law, the Attorney General may knock on your door at any time.
CCPA penalties have an upper cap of $7,500 per intentional violation or $2,500 per non-intentional violation. It may seem like a small penalty, but it can eventually grow massive.
The penalties can quickly add up because one consumer equals one violation.
Let’s say you sold the personal data of 300,000 individuals without allowing them to opt out. In CCPA terms, you’ve committed 300,000 violations. At $7,500 per intentional violation, that means a possible CCPA penalty of $2.25 Billion.
On top of that, if the violation results from a data breach due to failure to take proper security measures, consumers have a private right of action that could lead to civil penalties. The amount of civil penalties depends on the specifics of each violation.
The General Data Protection Regulation (GDPR) of the European Union shocked the world with the huge penalties it prescribed and, many times now, the hefty GDPR fines it imposed on global companies.
GDPR fines are capped at EUR 20 Million or 4% of annual revenue, whichever is higher. That is the absolute cap for a GDPR penalty.
CCPA takes a different approach to the determination of penalties. It does not determine an absolute cap for a penalty, but there is a cap for each violation. Depending on the number of persons affected and other circumstances, that amount can grow infinitely and hit the business hard.
Another big difference between the CCPA and the GDPR is the remedy period allowed in California. That doesn’t exist anywhere else.
The CCPA Enforcement procedure follows these steps:
In some situations, the case may go to court.
CCPA allows a private right of action for data breaches where the business has not taken appropriate data security measures. Only consumers whose non-encrypted and non-redacted personal information is breached (i.e., unauthorized access and exfiltration, theft, or disclosure) due to a lack of proper measures can initiate a civil action to recover damages. Before initiating the lawsuit, however, the consumer must notify the business with a 30-day remedy period. Only if the violation is not removed in such a period can the consumer initiate a civil action.
The private right of action allows consumers to recover either statutory or actual damages, whichever is greater.
French retailer Sephora is the first company to be fined for CCPA violations. California Attorney General Rob Bonta settled the case at $1.2 Million.
There were two main infringements:
The AG gave Sephora the obligatory 30-day remedy deadline, but they did not remedy the violations.
The fine is part of a settlement between the AG and Sephora, so we don’t know how many consumers have been involved in the case. Anyway, it shows that CCPA fines can easily reach millions of dollars.
CCPA fines can quickly get out of control, so it is better to take a proactive approach and protect your business’s budget from fines and damages compensation. Here are the steps to prepare for CCPA compliance: