In September 2022, online retailer Sephora agreed to pay $1.2 million for breaching the California Consumer Privacy Act (CCPA) – the first time public enforcement action was taken by the California Attorney General since the law’s introduction in 2020.
The move signalled an end to the settling in period for the data law, and the start of a tougher approach to enforcement. If you’re not confident that your organization complies with CCPA, it’s time to step up – or you could face a penalty.
Let’s look at the consequences of violating the CCPA and the best way to meet CCPA compliance requirements.
CCPA Penalties
CCPA applies to for-profit businesses that collect or process the personal data of California residents.
CCPA sets out mechanisms to penalize non-compliance with the California law. A violation might include:
– Not having a CCPA-compliant privacy policy
– Not responding to a consumer request for data disclosure as required by CCPA
– Not providing the right notification of personal data being collected
– Not allowing users to opt out of the sale of their personal information
– Having discriminatory policies against users who exercise CCPA rights
It is important to note that a ‘cure’ period applies to CCPA violations. The Attorney General is required to give businesses 30 days to achieve CCPA compliance. If problems are not rectified in this period, penalties may be applied. There has been some criticism of this provision, so stay alert for possible changes in future.
CCPA distinguishes between intentional and non-intentional violations of the law. Once a business has been given official notice by the Attorney General, non-compliance after the 30 day period may be interpreted as an intentional violation.
CCPA Fines
CCPA sets out penalties for non-compliance. The California Attorney General is authorized to take action against those who breach the CCPA.
The maximum civil penalty for an unintentional CCPA violation is $2,500 per breach. For intentional violations, the maximum fine is $7,500 per breach. There is no cap set on the total amount of fines that can be levied.
The maximum fine amounts might sound fairly modest, but if a company was found to have intentionally committed thousands or even hundreds of thousands of intentional breaches, for example by not meeting CCPA opt out requirements, the total amount could be huge.
It should be noted that $2,500 and $7,500 are the maximum levels set for penalties. In considering what penalties should be applied, the court will consider multiple factors such as the nature, seriousness and persistence of the conduct, whether it was intentional, the period over which the violations took place, the number of violations and the defendant’s means to pay.
Citizens also have a private right of action where a CCPA violation rights takes place that results in unauthorized access, theft or disclosure of personal data, where that breach is the result of a failure to maintain reasonable security procedures and practices. What counts as ‘reasonable’ is judged in relation to the nature of the consumer’s personal information concerned.
CCPA permits consumers to claim $750 per consumer, per incident, or to seek actual damages where loss can be shown to have occurred as a result of the breach. Again, this is a relatively new law and lawyers are likely to seek to challenge these provisions, especially around the possibility of bringing class action lawsuits, so watch out for developments.
Again, where private individuals serve notice of a violation, the business has 30 days to resolve the issue without facing further action.
How to avoid Fines & Penalties
The simplest way to avoid having to pay CCPA penalties is to understand and comply with the requirements of the law. Penalties for violating CCPA are only one consequence of non-compliance – a data breach could result in much more serious damage to your business through lost customers, negative publicity, reduced credit rating, lack of investors and so on.
To ensure you comply with CCPA, consider these steps:
1. Refresh your privacy policy – this should be CCPA-compliant, with annual reviews to ensure it stays up to date
2. Carry out an internal review – map out how personal information flows through your organization to flag up any issues
3. Check your consumer notices – do you provide enough information about how and when you collect personal information?
4. Ensure you can uphold CCPA rights – for example, can you meet the 45-day deadline for complying with personal data disclosure requests?
5. Maintain a robust data inventory – you need to know exactly when and where data enters your systems – an automated inventory can help with compliance
6. Prepare for data breaches – mistakes happen and data breaches can happen despite an organization’s best efforts. Preparing a response can help to minimize the damage if a breach does occur
Check out our handy CCPA compliance checklist for more information.
Cookie notifications are an important part of CCPA compliance – do you need help to make sure yours are up to the job? Get in touch with CookieHub to discuss your needs.