October 28, 2022

CCPA Fines

If your business operates from California or offers services and products to Californians, you need to be aware of the CCPA fines. California has multiple consumer data privacy laws, and you’ll get a fine if you violate them. Learn about CCPA penalties here.

As stated under Section 1798.155 of the CCPA, violations that lead to fines are not limited to data breaches, as in many other US states. CCPA regulations have far more requirements, including CCPA rights, consumer requests, deletion requests, opt-out requests, privacy notices, and others.

We have a CCPA course that introduces the CCPA and other privacy regulations and what they require from your business, so that you can avoid enforcement action by the California Attorney General and the fines that follow.

What is CCPA?

The California Consumer Privacy Act (CCPA) is California’s most comprehensive privacy law. It regulates how private companies must handle the personal information of individuals and households.

It was passed in 2018 and came into effect on 1 January 2020.

Since then, for-profit companies that operate in California and meet at least one of the following criteria must comply:

  • Have annual gross revenue of more than $25M
  • Process the personal information of at least 50,000 California residents annually
  • Earn at least 50% of their annual income from selling consumers’ personal information

Unlike the GDPR and many other privacy laws worldwide, the California law on consumer data protection does not apply to all companies. It applies only to those that meet the criteria.

Although the thresholds may seem designed to target only large companies, in reality many small companies can easily fall within the scope of the CCPA. For example, these days it is not hard for a retailer to collect the personal data of 50,000 California residents through Google Analytics or Meta Pixel, so you need to determine carefully whether the CCPA applies to you and whether you are exposed to CCPA penalties.

If the CCPA applies to you, then you need to be aware of the following requirements for your business:

  • Provide users with a privacy notice on data collection
  • Provide users with a “Do Not Sell My Personal Information” button on your website if you sell their data
  • Respond to consumer requests related to CCPA consumer rights
  • Obtain consent for the processing of children’s personal information
  • Do not share personal information with third parties if you are a service provider, i.e., you process data on behalf of another company

Violations of the CCPA trigger enforcement action by the California Attorney General, which may end in hefty fines.

What is CPRA?

The California Privacy Rights Act (CPRA), also commonly known as CCPA 2.0, is a new law built on the CCPA provisions. It is a separate regulation, but its provisions are written in a way that reads like an amendment to the CCPA.

The two laws do not contradict each other. They complement each other, creating the rules that businesses operating in California need to follow.

CPRA requirements that complement CCPA obligations include:

  • Moving the applicability threshold from 50,000 persons and households to 100,000
  • Adding data sharing to the applicability thresholds on top of selling data
  • Adding sensitive personal data explicitly to the definition of personal information
  • Expanding the legal requirements on what a privacy notice must say
  • Explicitly prohibiting service providers from sharing data or using it for their own business purposes
  • Requiring freely given, informed, specific, and unambiguous opt-in consent for the sale of children’s personal information
  • Expanding the requirements on the sale of data to the sharing of data as well
  • Requiring risk assessments
  • Removing the 30-day period to remedy a violation
  • Establishing a data protection agency to enforce the law

Simply put, CPRA expands some of the CCPA legal requirements. It also establishes an agency specialized in tackling consumer privacy violations and removes the remedy period for businesses.

What Are the Possible Reasons for CCPA and CPRA Penalties?

Any violation of the law can lead to a CCPA (and CPRA) penalty. The most common violations include the following:

  • Failing to provide consumers with a privacy notice
  • Failing to comply with “Do Not Sell My Personal Information” requests
  • Failing to obtain consent for children’s data
  • Failing to comply with consumer access or deletion requests
  • Not reporting unauthorized access to consumer data or another form of a data breach, etc.

Who Can Get CCPA Penalties?

Any company to which the CCPA applies may be hit by a CCPA penalty.

As long as the CCPA applies to your business and you violate the law, the Attorney General may knock on your door at any time.

How Much Are the CCPA Penalties for Non-Compliance?

CCPA penalties have an upper cap of $7,500 per intentional violation or $2,500 per non-intentional violation. It may seem like a small penalty, but it can eventually grow massive.

The penalties can quickly add up because one consumer equals one violation.

Let’s say you sold the personal data of 300,000 individuals without allowing them to opt out. In CCPA terms, you’ve committed 300,000 violations. At the intentional rate (300,000 × $7,500), that means a possible CCPA penalty of $2.25 Billion.

On top of that, if the violation results from a data breach due to failure to take proper security measures, consumers have a private right of action that could lead to civil penalties. The amount of civil penalties depends on the specifics of each violation.

What is the Difference Between CCPA Fines and GDPR Fines?

The General Data Protection Regulation (GDPR) of the European Union shocked the world with the huge penalties it prescribes and, by now many times over, with the hefty GDPR fines imposed on global companies.

GDPR fines are capped at EUR 20 Million or 4% of annual revenue, whichever is higher. That is the absolute cap for a GDPR penalty.

The CCPA takes a different approach to determining penalties. It sets no absolute cap on the total penalty, only a cap per violation. Depending on the number of persons affected and other circumstances, the total can grow without limit and hit the business hard.

Another big difference between the CCPA and the GDPR is the remedy period allowed in California. That doesn’t exist anywhere else.

How Does CCPA Enforcement Work?

The CCPA enforcement procedure follows these steps:

  • The California Attorney General’s Office receives information about the violation. Anyone can report a CCPA infringement; it could be one of your customers or even a competitor. It doesn’t matter: as long as the information reaches the AG, there will likely be an investigation.
  • The AG investigates the case, checking whether the business infringed CCPA requirements and whether the alleged violations actually exist. If there are no violations, the procedure ends in this phase. If there are infringements, it goes to the next stage.
  • In the case of a violation, the Attorney General gives the business a 30-day remedy period. CCPA allows for a cure period for any CCPA violation. This means that the business found to violate the law will be given time to bring their work into compliance. If you reach this stage and remedy the violation on time, the procedure ends here. For example, if the AG notifies you about a non-compliant CCPA privacy notice, you’ll have 30 days to adjust it. If you do so, you have nothing to worry about.
  • There is no remedy period for CPRA violations. Remember that in most cases, CCPA violations also mean CPRA violations.
  • If there is no progress, the business gets fined. You’ll get fined if you don’t remedy the infringement in the 30-day remedy period. For CPRA violations, you get fined immediately.

In some situations, the case may go to court.

CCPA Private Right of Action

The CCPA allows a private right of action for data breaches where the business has not taken appropriate data security measures. Only consumers whose non-encrypted and non-redacted personal information is breached (i.e., subject to unauthorized access and exfiltration, theft, or disclosure) due to a lack of proper measures can initiate a civil action to recover damages. Before filing the lawsuit, however, the consumer must notify the business and allow a 30-day remedy period. Only if the violation is not cured within that period can the consumer initiate a civil action.

The private right of action allows consumers to recover either statutory or actual damages, whichever is greater.

Why Was Sephora Fined So Heavily?

French retailer Sephora was the first company to be fined for CCPA violations. California Attorney General Rob Bonta settled the case at $1.2 Million.

The main infringements were:

  • Failing to inform consumers about the sale of their personal information
  • Failing to honor users’ Global Privacy Control (GPC) signals to opt out of the sale
  • Failing to bring its service provider arrangements into conformity with CCPA requirements

The AG gave Sephora the obligatory 30-day remedy period, but it did not remedy the violations.

The fine is part of a settlement between the AG and Sephora, so we don’t know how many consumers were involved in the case. Still, it shows that CCPA fines can easily reach millions of dollars.

How to Achieve CCPA Compliance?

CCPA fines can quickly get out of control, so it is better to take a proactive approach and protect your business’ budget from fines and damages. Here are the steps to prepare for CCPA compliance:

  • Assess your privacy practices.
  • Refresh your privacy policy. Make sure that it contains everything it needs to disclose to your customers. A non-compliant privacy notice will trigger several other CCPA violations.
  • Reassess your contracts with service providers. Make sure that they won’t put you into non-compliance.
  • Provide consumers with an opt-out. It is a must if you sell their personal information. Honor the opt-out and inform your service providers whenever a user signals it to you.
  • Comply with consumers’ rights requests. Consumers have the right to know, access, and delete personal information, and you have no choice but to honor those requests.
  • Have a data breach notification procedure in place. When a breach happens, you’ll know exactly what to do and reduce the risk of fines.
  • Train your personnel on the CCPA and CPRA. You must provide training to the persons who respond to consumer requests, but it is better to train all your personnel on the privacy regulations they need to know about.
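One way to implement the opt-out step of the checklist above (honoring a Global Privacy Control signal, the site’s own “Do Not Sell” preference, and passing the decision on to service providers), as an added Python example that is not from the original article; the tag names and the cookie name are assumptions, while the `Sec-GPC: 1` header is the signal defined by the GPC specification:

```python
from dataclasses import dataclass

# Tags that send personal information to third parties and therefore count as a
# "sale" or "sharing" of data under the CCPA/CPRA (constructed list).
SALE_OR_SHARE_TAGS = frozenset({"meta_pixel", "google_analytics_ads"})
# Tags that stay first-party and may load even after an opt-out (constructed).
FIRST_PARTY_TAGS = frozenset({"first_party_metrics"})
ALL_TAGS = SALE_OR_SHARE_TAGS | FIRST_PARTY_TAGS

OPT_OUT_COOKIE = "do_not_sell"  # assumed name of the site's "Do Not Sell" cookie


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool
    source: str              # "gpc", "cookie" or "none"
    allowed_tags: frozenset  # tags the page may load for this request


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into a name -> value dict (first occurrence wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value.strip()
    return cookies


def evaluate_opt_out(headers: dict) -> OptOutDecision:
    """Check the GPC header first, then the site cookie; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    # The GPC spec defines exactly "Sec-GPC: 1" as the opt-out signal; any other
    # value (including "0") or a missing header is not an opt-out.
    if lowered.get("sec-gpc", "").strip() == "1":
        source = "gpc"
    elif parse_cookie_header(lowered.get("cookie", "")).get(OPT_OUT_COOKIE) == "1":
        source = "cookie"
    else:
        source = "none"
    opted_out = source != "none"
    # An opt-out blocks every tag that would sell or share data; first-party tags stay.
    allowed = ALL_TAGS - SALE_OR_SHARE_TAGS if opted_out else ALL_TAGS
    return OptOutDecision(opted_out, source, allowed)


def provider_flags(decision: OptOutDecision) -> dict:
    """Fields to forward to service providers so they stop selling/sharing too."""
    return {"do_not_sell_or_share": decision.opted_out, "signal_source": decision.source}
```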