The California Consumer Privacy Act (CCPA) can be expensive to violate: regulators and, in certain cases, consumers themselves can bring actions seeking financial penalties or damages against a company that has breached the law's terms.
The CCPA is among the nation's most stringent data privacy laws, designed to give California residents control over their personal information; it was substantially amended by the California Privacy Rights Act (CPRA), with most changes effective January 1, 2023. The CCPA applies to for-profit businesses that do business in California, collect personal information from California residents, and meet at least one of three thresholds: more than $25 million in annual gross revenue; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50 percent or more of annual revenue from selling or sharing personal information.
How Does the CCPA Work?
The CCPA is similar to the European Union's General Data Protection Regulation (GDPR) in that both laws give consumers certain rights over how their personal data is used. A distinctive feature of the CCPA is its narrowly scoped private right of action: consumers may sue a company directly when a data breach exposes their nonencrypted and nonredacted personal information and the breach resulted from the business's failure to implement and maintain "reasonable security procedures and practices." Because the damages are statutory, the consumer does not have to prove a financial loss. Encryption and redaction matter here not only as reasonable security measures but because properly encrypted or redacted data falls outside the private right of action altogether.
Many of the CCPA’s details govern how companies acquire and share personal information gathered through websites or other digital techniques. For example, consumers can contact a company and demand to see whatever personal information the company has collected about them. The company must then comply and share that information (with several narrow exceptions, such as data involved in law enforcement investigations).
The CCPA requires businesses to respond to consumer requests to know, which cover:
- The specific pieces of personal information the business has collected about the consumer;
- The categories of personal information collected (for example, financial, medical, or contact data) and the categories of sources it came from;
- The business or commercial purpose for collecting, selling, or sharing that data;
- The categories of third parties with which the business has shared, or to which it has sold, the consumer's data.
Businesses must also be ready to respond to the following user requests:
- That the user's data be deleted;
- That the user's data not be sold to, or shared with, others;
- That the user not be discriminated against (for example, through different prices or service levels) for exercising these rights;
- That the data be provided in a portable, readily usable format so it can be transferred to another entity.
What Counts as a CCPA Violation?
Two sections of the CCPA set out who can bring an action. Section 1798.150 creates a "private right of action": a consumer whose nonencrypted and nonredacted personal information is exposed in a breach caused by the business's failure to maintain reasonable security may take the company to civil court directly, rather than wait for the state attorney general or other regulators to act. Section 1798.155 governs the civil penalties regulators may seek for any other violation of the law by a business, service provider, contractor, or other person.
Under California law, the damages for CCPA violations may include the following:
- $100 to $750 per consumer per incident, or actual damages, whichever is greater;
- Injunctive or declaratory relief;
- Any other relief the court deems proper.
When assessing damages, the CCPA directs a court to consider the following:
- The nature, seriousness, and persistence of the misconduct;
- The number of violations;
- The length of time over which the misconduct occurred;
- Whether it was an intentional violation;
- The defendant’s assets, liabilities, and net worth.
The law gives businesses a chance to cure before paying statutory damages. Before suing for statutory damages, the consumer must give the business 30 days' written notice identifying the provisions it allegedly violated; if the business cures the violation within that period and provides a written statement that it has done so and that no further violations will occur, the action for individual statutory damages cannot proceed. Two caveats apply: the notice is not required when the consumer sues only for actual pecuniary damages, and, as amended by the CPRA, implementing reasonable security procedures after a breach does not count as a cure for that breach.
What Are the Penalties for CCPA Violation?
Even if no breach has happened, the California Attorney General (AG) and, since the CPRA amendments, the California Privacy Protection Agency (CPPA) can enforce the CCPA for general violations. Examples include failing to respond to consumer requests to view or delete personal information, or selling or sharing personal information after the consumer has opted out.
Under the original law, regulators had to give a business 30 days to come into compliance before seeking penalties. The CPRA removed that mandatory cure period as of January 1, 2023; whether to allow time to cure is now at the regulator's discretion. Civil penalties run up to $2,500 per violation (including unintentional ones) or $7,500 for each intentional violation and for each violation involving the personal information of consumers the business knows are under 16.
The Cost of CCPA Noncompliance
Fines may be the least of your problems if you are found non-compliant with the CCPA, as there are broader and costlier consequences for violating this regulation:
If a company does not correct its alleged violations, it can face an injunction as well as civil penalties. An injunction is a court order that compels the company to stop engaging in specific actions.
The CCPA does not specify what an injunction would entail. Nonetheless, it may force the company to halt operations (or, at the very least, stop collecting and processing consumers’ personal information) until it becomes CCPA-compliant.
Private Right of Action
Under Section 1798.150 of the legislation, the CCPA creates a private right of action. That is, it allows California residents to sue businesses whose failure to implement and maintain the reasonable security procedures and practices required by Section 1798.81.5 results in a breach of their nonencrypted and nonredacted personal information.
According to the CCPA's private right of action, a Californian may seek either statutory damages ranging from $100 to $750 per consumer per incident or actual damages (the actual losses suffered by the consumer as a result of the breach), whichever is greater.
Impact on Customer Relationships
In addition to disputes, organizations that fail to comply with CCPA standards may damage consumer relationships. Consumers have become more aware of their rights due to GDPR and the increasing number of documented data breaches. They also have higher expectations of businesses in terms of data privacy.
A data privacy study from IBM and The Harris Poll found that 65 percent of consumers consider a company’s data security practices when deciding whether to do business with them. Companies that fail to secure personal data risk losing customers and the money and insights they provide.
How to Avoid CCPA Fines
To avoid CCPA penalties, here are a few best practices:
- Assess and document your data practices thoroughly. Consider the data you gather, the reasons for collecting it, the third parties engaged in the processing, and so on. This assessment will help you determine which notices and records you need and how to handle consumer requests.
- Respect the consumer's choice not to have their personal information sold or shared. The CCPA does not require opt-in consent before selling or sharing the personal information of adults (affirmative authorization is required for consumers the business knows are under 16), but you must disclose the practice in your privacy notice and give consumers an easy way to opt out: a clear and conspicuous "Do Not Sell or Share My Personal Information" link on your homepage and, under the CCPA regulations, honoring an opt-out preference signal such as Global Privacy Control sent by the consumer's browser.
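One way a site can honor the opt-out described above, as an added example that is not part of the original article or any vendor's product: the decision of whether third-party "sale/share" tags may run is made in one place, from the consumer's recorded choice and the browser's Global Privacy Control signal. The cookie name `ccpa_opt_out`, the tag list, and the helper names are assumptions made for this illustration.

```javascript
// Added example (not from the page): gate "sale/share" tags on the consumer's
// CCPA opt-out choice. The cookie name and the helper names are assumed here.
const OPT_OUT_COOKIE = 'ccpa_opt_out'; // assumed cookie name

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Decide whether the visitor has opted out of sale/sharing.
//   - A GPC signal is treated as an opt-out request and wins over everything.
//   - Adults: CCPA is an opt-out model, so "no choice recorded" means sale allowed.
//   - Consumers known to be under 16: sale/share needs affirmative opt-in, so
//     anything other than an explicit 'opt-in' value counts as opted out.
//   - A malformed cookie value fails closed (treated as opted out).
function isOptedOut({ cookieHeader = '', gpcSignal = false, knownUnder16 = false } = {}) {
  if (gpcSignal) return true;
  const raw = parseCookies(cookieHeader)[OPT_OUT_COOKIE];
  if (knownUnder16) return raw !== 'opt-in';
  if (raw === undefined) return false;
  if (raw === 'true' || raw === '1') return true;
  if (raw === 'false' || raw === '0' || raw === 'opt-in') return false;
  return true; // unrecognised value: fail closed
}

// Build the cookie string that records the visitor's choice. The caller
// applies it (document.cookie in a browser, a Set-Cookie header server-side).
function buildOptOutCookie(optedOut, maxAgeSeconds = 365 * 24 * 3600) {
  const value = optedOut ? 'true' : 'false';
  return `${OPT_OUT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Return only the tags that may load: tags flagged as selling or sharing
// personal information are dropped when the visitor has opted out.
function selectTagsToLoad(allTags, ctx) {
  const optedOut = isOptedOut(ctx);
  return allTags.filter((t) => !t.sellsOrShares || !optedOut);
}

// Browser-side context (not exercised offline): read the live cookie jar and
// the GPC signal exposed as navigator.globalPrivacyControl.
function browserContext() {
  return {
    cookieHeader: typeof document !== 'undefined' ? document.cookie : '',
    gpcSignal: typeof navigator !== 'undefined' && navigator.globalPrivacyControl === true,
  };
}

// Constructed sample tag list for illustration.
const SAMPLE_TAGS = [
  { url: 'https://example.com/first-party-analytics.js', sellsOrShares: false },
  { url: 'https://example.com/cross-context-ads.js', sellsOrShares: true },
];

module.exports = { parseCookies, isOptedOut, buildOptOutCookie, selectTagsToLoad, browserContext, SAMPLE_TAGS };
```

The point of routing every tag load through `selectTagsToLoad` is that the opt-out is enforced before any request leaves the browser, rather than relying on each vendor's script to check a flag on its own; a `Secure`, `SameSite=Lax` cookie keeps the recorded choice from being overwritten by cross-site requests.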
Compliance Management With ZenGRC
Reciprocity ZenGRC, a compliance and audit management system, provides a quicker, simpler, and smarter path to compliance by reducing time-consuming manual procedures, expediting onboarding, and keeping you informed about the status and performance of your programs.
Optimize your teams’ skills by freeing them from manual tasks and allowing them more time to create great results. The ZenGRC platform generates connections and corresponding work assignments automatically. In addition, evidence requests may be entirely automated using pre-built connectors and APIs, reducing tedious labor and expediting the process.
Reciprocity ZenGRC provides the visibility you need to analyze the progress and success of your compliance activities and their influence on risk reduction. An audit overview report summarizes the frameworks, requirements, and controls in scope, the activities to be done, and the present audit status.
ZenGRC removes ambiguity and gets you up and running quickly, allowing you to arrive at your first audit conclusion and achieve immediate gains.
Schedule a Demo today and start the path to worry-free compliance!