The California Consumer Privacy Act (CCPA) can be an expensive law to break, with several ways that regulators and the public can bring actions seeking financial damages against a company that has violated the law’s terms.
The CCPA is among the nation’s most stringent data privacy laws, designed to give California residents control over their personal information. It applies to for-profit businesses that collect California residents’ personal information and meet at least one of the law’s size thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households (50,000 under the original text of the law); or deriving half or more of annual revenue from selling or sharing personal information.
How Does the CCPA Work?
The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR) in that both laws give consumers certain rights over how their personal data is used. The CCPA also grants consumers a private right of action, but a narrow one: a consumer may sue only when their nonencrypted and nonredacted personal information is exposed in a breach that results from the business’s failure to implement and maintain “reasonable security procedures and practices” appropriate to the nature of the information. Encryption and redaction therefore matter doubly under the CCPA: they reduce the impact of a breach, and data that was encrypted or redacted when it was exposed falls outside the private right of action entirely.
Many of the CCPA’s details govern how companies acquire and share personal information gathered through websites or other digital techniques. For example, consumers can contact a company and demand to see whatever personal information the company has collected about them. The company must then comply and share that information (with several narrow exceptions, such as data involved in law enforcement investigations).
The CCPA requires businesses to respond to a consumer’s request to know with:
- The specific pieces of personal information the business has collected about that consumer;
- The categories of personal information collected (for example, financial, medical, or contact data) and the categories of sources it came from;
- The business or commercial purpose for collecting or selling the data;
- The categories of third parties with whom the business shares, or to whom it sells, the consumer’s data.
Businesses must also be ready to honor the following consumer requests:
- That the consumer’s personal information be deleted;
- That the consumer’s personal information not be sold to or shared with others (the right to opt out);
- That the consumer receive the same prices and service as other customers even after exercising these rights (the right to non-discrimination);
- That the information be delivered in a portable and readily usable format so the consumer can transmit it to another entity.
What Counts as a CCPA Violation?
Section 1798.150 of the CCPA creates a “private right of action” for consumers whose nonencrypted and nonredacted personal information is exposed through a data breach caused by a business’s failure to maintain reasonable security. The aggrieved consumer can take the company to civil court directly, individually or as part of a class action, rather than wait for the state attorney general or other regulators to act. Other kinds of CCPA violations are left to the state to enforce, as described in the next section.
Under California law, the damages for CCPA violations may include the following:
- Statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater;
- Injunctive or declaratory relief;
- Any other relief the court deems proper.
When assessing damages, the CCPA directs a court to consider the following:
- The nature, seriousness, and persistence of the misconduct;
- The number of violations;
- The length of time over which the misconduct occurred;
- Whether it was an intentional violation;
- The defendant’s assets, liabilities, and net worth.
The law gives businesses a chance to cure the problem before paying statutory damages. Before suing for statutory damages, the consumer must give the business 30 days’ written notice identifying the specific provisions violated. If the business actually cures the violation within that period and provides the consumer a written statement that it has done so and that no further violations will occur, the action for individual or class-wide statutory damages cannot proceed. No notice is required when the consumer seeks only actual pecuniary damages. Note also that, as amended by the California Privacy Rights Act (CPRA), implementing reasonable security procedures after a breach does not count as a cure with respect to that breach.
What Are the Penalties for CCPA Violation?
Even if no breach has happened, the California attorney general (AG) can bring a civil action against a business for other violations of the CCPA. Examples include failing to respond to consumer requests to view or delete personal information, or selling or sharing a consumer’s personal information after the consumer has opted out.
Under the original CCPA, the attorney general also had to give a business 30 days to come into compliance before bringing an action. If a company did not rectify the problem during that time, the AG could seek a civil penalty of up to $2,500 per violation of any kind (that is, even an unintentional violation) or $7,500 for each intentional violation. The CPRA, in effect since January 1, 2023, removed the mandatory 30-day cure period for state enforcement, gave the newly created California Privacy Protection Agency enforcement authority alongside the AG, and extended the $7,500 tier to violations involving consumers the business knows are under 16.
Compliance Management With Reciprocity ROAR
Reciprocity ROAR, a compliance and audit management system, provides a quicker, simpler, and smarter path to compliance by reducing time-consuming manual procedures, speeding up onboarding, and keeping you informed about the status and performance of your programs.
Make the most of your teams’ skills by freeing them from manual tasks so they have more time to produce results. The Reciprocity® ROAR platform generates connections and the corresponding work assignments automatically. In addition, evidence requests can be fully automated using pre-built connectors and APIs, reducing tedious labor and speeding up the process.
Reciprocity ROAR provides you with the visibility you need to analyze the progress and success of your compliance activities and their influence on risk reduction. An audit overview report summarizes the frameworks, requirements, and controls in scope, the activities to be done, and the present audit status.
Reciprocity ROAR removes ambiguity and gets you up and running quickly, allowing you to arrive at your first audit conclusion and achieve immediate gains.
Schedule a Demo today and start the path to worry-free compliance!