Fines & Penalties for Non-Compliance with the CCPA
The California Consumer Privacy Act was drafted to protect an individual’s personal data. The Act was designed to make organizations responsible custodians of the data they hold. If an organization fails to protect this data, it can face serious penalties and fines. This article covers the potential penalties and fines an organization may face.
The California Attorney General’s Office deals with any violations of the CCPA. It holds the power to levy civil penalties of up to $2,500 for each violation or $7,500 for repeated intentional violation after due notice and a 30-day cure period.
Table of contents
- Who can get fined?
- Penalties under the CCPA
- Notice and Cure Period
- The Cost of Non-Compliance
- How to Avoid Fines?
- Refresh Your Privacy Policy
- Conduct Internal Assessments
- Provide Consumer Notices
- Honor CCPA Consumer Rights
- Data Mapping Automation
- Breach Incident Response
- Conclusion
Who can get fined?
The CCPA applies to for-profit organizations that operate in California and meet one of the following criteria:
- Having annual revenues of $25 million or more
- Buying, selling, receiving, or sharing for commercial purposes the personal data of more than 50,000 consumers per year, or,
- Deriving more than 50 percent of annual revenues from the sale of California consumers’ personal information
Under section 1798.155 of the CCPA, any business, service provider, or individual that violates the conditions of the CCPA will be subject to fines and penalties.
Penalties under the CCPA
Civil penalties are the mechanism by which organizations are held accountable for non-compliance with the CCPA.
The Office of the Attorney General of California has been exclusively authorized under the CCPA to bring forth civil actions to enforce the law. Some examples of violations that can make businesses liable to pay the civil penalties are:
- Failing to maintain a CCPA-compliant Privacy Policy
- Failing to respond to consumers’ requests under the CCPA rights
- Failing to provide adequate notice when collecting personal information
- Selling consumers’ personal information without providing an opt-out
- Discriminating against consumers who exercise their CCPA rights
On the other hand, consumers under the CCPA have also been empowered with a private right of action: the consumer’s ability to take an organization to court and pursue civil legal claims against it for violating the law. However, it is important to note that under the CCPA the private right of action available to consumers is limited to cases in which their unencrypted or unredacted personal information is breached; it does not extend to any other violation of the law.
Notice and Cure Period
CCPA mandates that businesses must receive a 30-day notice before a CCPA violation action is brought against them.
Businesses can take steps to resolve and rectify the violation within 30 days of receiving the notice. They can provide a statement to the California Attorney General or the aggrieved consumer which confirms the violation has been resolved to avoid the statutory civil penalty altogether.
However, curing a violation within the notice period is easier said than done. It may be operationally difficult for businesses to correctly fulfill hundreds of pending DSRs within a strict 30-day window, and it may even be impossible in certain cases, such as when consumers’ personal information has already been breached and used for identity theft or fraud.
The Cost of Non-Compliance
Given the rising frequency and severity of privacy scandals and data breaches, the CCPA lays down strict penalties for businesses that fail to comply. The penalties are:
- Maximum civil penalties of $7,500 for intentional violations of the CCPA brought by the State of California through the Attorney General’s Office. Businesses will have only 30 days to resolve the violation upon being notified by the Attorney General’s office. Businesses will face financial penalties if they fail to resolve the violation within that time.
- Maximum civil penalties of $2,500 for unintentional violations brought by the State of California through the Attorney General’s Office. Businesses will have only 30 days to resolve the violation upon being notified by the Attorney General’s office. Businesses will face financial penalties if they fail to resolve the violation within that time.
- Consumers can file private lawsuits for between $100 and $750 in statutory damages, or for actual damages (whichever is higher), for each incident of breach of their unredacted and unencrypted data stored on a business’s servers. Companies will have only 30 days to resolve the violation upon being served a notice by the consumer or will face civil penalties.
Stacked Violation
At face value, the aforementioned fines may not seem considerable, especially for multi-billion dollar organizations such as Facebook and Google. However, when one considers the multiplying factor and the fact that there is no upper cap on penalties (unlike the GDPR), it becomes clear that CCPA violations should clearly be avoided.
The CCPA states that the maximum civil penalty is $2,500 for every unintentional violation and $7,500 for every intentional violation of the law. The CCPA therefore assesses penalties per violation, which is a costly risk for businesses that must comply with it.
Consider the following example: if a company like Facebook fails to adhere to CCPA requirements by not honoring consumer access or deletion requests, say at least 100,000 individual requests in total, and the AG determines the violations were intentional in nature, the civil penalties can potentially reach $750 million.
In the case of a data breach leading to consumers undertaking the private right of action, damages are even more exorbitant. Consumers may sue and receive $100-$750 statutory damages or actual damages — whichever are greater — from the court (along with costs). Thus even a consumer who cannot prove any actual damage from the breach incident can receive a maximum of $750 in compensatory damages.
When we consider the multiplying factor of these damages due to the sheer volume of records breached in modern-day incidents, they add up to astounding figures. In the Equifax breach of 2017, the records of over 15 million Californians were compromised; under the CCPA, had California consumers sued Equifax, they could have been awarded a potential $1.5 billion in damages without having to prove any actual damage.
How to Avoid Fines?
Complying with the CCPA as quickly as possible will help ensure your organization stays clear of compliance violations, penalties, or reputational harm.
If the law has been violated unintentionally, your organization has 30 days to rectify its mistake, so it pays to be prepared in advance.
Here are some key steps your organization can take to ensure CCPA compliance:
Refresh Your Privacy Policy
Organizations must ensure that their Privacy Policy meets CCPA requirements. The law requires organizations to update their Privacy Policy every 12 months to communicate how they have collected and shared consumers’ personal information.
Conduct Internal Assessments
Organizations must understand how personal information flows to and from their systems. This will help ensure they are not inadvertently disclosing or “selling” consumers’ personal information. To do this, organizations need to conduct internal assessments of all their stored data.
Provide Consumer Notices
The CCPA requires organizations to provide a notice to their consumers identifying what personal information they collect and how consumers can opt out of the sale of their personal information. This typically applies when an organization uses cookies on its websites to track and collect consumer data.
Honor CCPA Consumer Rights
Consumers have rights over their data under the CCPA. Organizations must ensure that these rights are honored and set up designated methods by which consumers can exercise their rights. This is where DSR fulfillment automation comes into play, as organizations have a 45-day deadline to fulfill the consumer’s request.
Data Mapping Automation
In order to maintain compliance, organizations need to know where all their information is and link it back to its owner. This is where data mapping comes into play. Data mapping can help organizations map stored information to its owner, which helps them fulfill data subject requests, an integral part of compliance.
Breach Incident Response
In order to stay in compliance with privacy regulations, organizations will need to manage their entire incident and data breach management lifecycle. With the help of automation, organizations can improve their incident response process by gathering incident details, identifying the scope, and optimizing notifications to comply with global privacy regulations.
Conclusion
The CCPA is in effect, and organizations are trying to stay compliant with the regulation to avoid heavy fines. Securiti helps organizations simplify their compliance processes by automating key aspects of the compliance process. Securiti’s solution helps organizations with Data Mapping, Consent management, DSR fulfillment, Assessments, Privacy Policy & Notice management, and Breach Notification management.
The CCPA’s penalties can be detrimental for organizations and may lead to monetary losses and erode customer trust. Don’t wait until it’s too late. Request a demo now and see how Securiti can help you meet CCPA compliance.