What is CCPA Compliance?
If your for-profit business processes personal information of California residents and falls within the material jurisdiction of the statute, it will need to comply with the California Consumer Privacy Act (CCPA). In §1798.140 (d)(1), the CCPA defines that material jurisdiction by way of a threshold test: the act applies only to organizations that:
- Have annual gross revenues in excess of $25,000,000; or
- Annually buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derive 50 percent or more of their annual revenues from selling consumers’ personal information.
Non-compliance with the CCPA can expose the business to regulatory and civil enforcement actions, which can result in substantial monetary penalties. If a consumer can prove that the lack of “reasonable security procedures and practices appropriate to the nature of that information” caused the breach of their data, damages may include:
- $100 to $750 per consumer per piece of data compromised, or actual damages, whichever is greater
- Injunctive or declaratory relief
- Any other relief the court deems proper
In other words, if a business had 1,000 records stolen during a data breach, it might pay as much as $750,000 in statutory damages plus other relief.
Additionally, the California Attorney General may bring a civil action against any entity violating the act. Specifically, the CCPA provides that “any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional violation.”