CCPA Fines Overview: Everything You Need to Know
Does your company have consumers in California? If so, you'll want to listen up, because we've got a lot packed in for you today.
If your business violates the CCPA, you may face CCPA fines: monetary penalties imposed on businesses that violate the California Consumer Privacy Act of 2018.
Let's learn more about this.
The CCPA is a data privacy law that sets out how businesses may collect, store, and use personal information.
For a more detailed answer, we have Anderson Lunsford, the CEO and Co-Founder of BreachRx. He says:
"CCPA is the California Consumer Privacy Act. It is a privacy law for the state of California that was passed in June 2018, shortly after the European Union's landmark privacy law, the General Data Protection Regulation (GDPR), went into effect in the EU (May 2018).
The CCPA is similar to GDPR in that it takes a much broader and more comprehensive view of privacy rights for consumers, but there are also key differences in the requirements each imposes on businesses and their use of consumers' personal information."
Under this act, consumers have a right to know the kind of personal data a business collects about them. In addition, they have a right to know how this data is processed and shared.
Consumers also have the right to demand that their personal information be deleted. However, it is essential to note that the law has some exceptions you must know about. For example, employee data, financial data, and health data fall outside the scope of this law.
CCPA Fines Overview
If a business violates the California Consumer Privacy Act, it will receive a CCPA fine. Initially, CCPA violations were dealt with by the California Attorney General's Office. They are now handled by the California Privacy Protection Agency.
The agency is governed by a five-member board. The governor appoints the chairperson and one member of the board. In addition, the Attorney General appoints one member, and the Speaker of the Assembly and the Senate Rules Committee select one each.
The CCPA is enforced through a combination of mechanisms: regulatory enforcement, civil actions, and private rights of action.
Once a violation has occurred, the California Privacy Protection Agency will investigate it, issue a subpoena, and bring an enforcement action against the business.
Alfred Brunetti, Principal at Porzio, Bromberg and Newman PC, says:
"A business, service provider or other person found to violate the CCPA as amended by the CPRA is subject to an injunction and a civil penalty of not more than $2,500 per violation and not more than $7,500 per intentional violation."
This is only the tip of the iceberg, though; there are many nuances to this that we'll cover below.
Types of CCPA Fines
There are several types of CCPA fines that businesses and consumers need to know about. This section discusses fines such as the private right of action, civil penalty, and fines for violating children's rights.
Knowing these fines is essential so businesses can create robust compliance strategies to avoid them.
One strategy that can be implemented is having a data mapping and inventory system. This way, businesses can identify the type of personal data being collected and track how it is used.
Some of the fines that businesses need to know about are:
Civil Penalties
The California Privacy Protection Agency enforces civil penalties. However, a lawsuit can only be filed after a 30-day notice period elapses.
The amount of a civil penalty depends on the nature and severity of the violations. A civil action is triggered when a business violates any provision of the CCPA.
Examples of violations that can result in civil penalties are:
- Failure to inform the consumer that their data is being collected
- Failure to have a CCPA opt-out policy
- Discriminating against a consumer for exercising their CCPA rights
Civil penalties are $2,500 for each violation and $7,500 for each intentional violation. However, the amount might be lower if the business proves that it has taken steps to protect consumers' privacy as required by the CCPA.
Do Not Sell My Personal Information Button Penalty
Businesses that fail to provide a "Do Not Sell My Personal Information" link can be fined up to $2,500 per violation. If it is proven that the violation was intentional, the fine can be as high as $7,500.
Fines for Failure to Disclose Data Collection Practices
This CCPA fine is enforced when a business fails to disclose the data it is collecting and the purpose of the collection. Enforcement action can also follow if a business fails to inform consumers that their data will be shared with third parties.
A business that fails to disclose this information will be fined $2,500 per violation and $7,500 per intentional violation.
Fines for Violating Children's Privacy
According to the CCPA, it is illegal for a business to sell the personal information of a minor (under 16) without the parent or guardian's consent. If a business wants to sell a minor's personal information, it must have opt-in consent from the guardian.
When opt-in consent is available, the business should verify the guardian's identity and maintain proper records.
Businesses that sell a minor's data without a guardian's consent will be fined $2,500 per violation and $7,500 per intentional violation.
Private Right of Action
A private right of action is a legal mechanism that allows consumers to sue a business for CCPA violations. These violations occur when a business fails to implement reasonable security measures to protect consumers' data.
However, a consumer can only initiate a private right-of-action lawsuit if they establish that the business failed to encrypt their personal information, resulting in a breach. Consumers can also file a private right-of-action lawsuit if a business fails to comply with a request to know, opt out, or delete personal information.
A private right of action allows consumers to recover statutory damages. However, before filing the claim, the consumer must report the violation and give the business 30 days to remedy the problem.
If the business is still non-compliant after 30 days, CCPA penalties of $100 to $750 per violation will be imposed.
Recent CCPA Fines and Enforcement Actions
Though individual CCPA fines might appear small, businesses have paid a hefty price for failing to implement reasonable data security measures. Below, we look at recent high-profile CCPA fines and briefly analyze what led to each business being fined.
In 2021, Zoom agreed to a settlement of $85 million after the state sued it for being non-compliant. The class action lawsuit alleged that Zoom violated CCPA laws by selling personal information to companies such as Google and Facebook without consumers' knowledge.
Other CCPA violations alleged to have been committed by the company include failure to provide an end-to-end encryption video conference as advertised. In addition, it was also alleged that Zoom collected personal information without the user's consent.
Lastly, Zoom was also accused of failing to implement adequate security measures that resulted in the information of its customers being breached and sold on the dark web.
In 2022, Sephora, a global cosmetics retailer, hit the headlines after the court slapped it with a fine of $1.2 million through an enforcement action under the CCPA.
The company was found to have failed to disclose to consumers that their data and activities would be recorded and sold to third parties for monetary gain.
It is important to note that before the enforcement action, the petitioners notified Sephora of the offense and gave the business 30 days to rectify the violation. In addition, Sephora was also accused of failing to provide an opt-out service to consumers.
T-Mobile is another business that faced a class action lawsuit for violating the CCPA. T-Mobile was accused of failing to protect consumer data after a data breach exposed the information of millions of its customers.
The data breach exposed private information such as Social Security Numbers and IDs. T-Mobile has agreed to a $350 million settlement.
Several online retailers and data brokers were also found to be non-compliant with the CCPA regulations.
An enforcement sweep established that some online retailers secretly used web tracking technology to sell consumers' data to third parties in exchange for advertising. It was also proven that these retailers did not provide the required opt-out mechanism.
The identified retailers were notified of the violations, after which they reviewed and updated their service provider contracts. They also used technology to send a 'restricted use' signal to third-party buyers of private information.
The California Privacy Rights Act (CPRA) is a privacy law that took effect in January 2023 and is considered an expansion of the CCPA.
The CPRA was enacted to strengthen privacy protections that existed under the CCPA, and it comes with additional privacy rights such as:
- The right to restrict the use of sensitive personal data
- The right of consumers to correct inaccurate personal data that a business may hold
- The right of consumers to request businesses to provide a copy of their data
It is also important to note that the CPRA law created a new enforcement body known as the California Privacy Protection Agency (CPPA).
Fines under the CPRA are higher than those of the CCPA. For example, businesses can be fined up to $7,500 per CPRA violation and up to $2,500 for violations involving minors.
The CPRA also introduced a new category known as negligent violations, which affects businesses that fail to take reasonable precautions to protect consumers.
Avoiding CCPA Fines
Businesses operating in the State of California must be CCPA compliant to avoid hefty fines. The law applies to for-profit entities that meet any of the following qualifications:
- Have a gross annual revenue of more than $25 million
- Sell or share the personal information of more than 50,000 California consumers
- Derive more than 50% of their annual revenue from selling the personal information of California consumers
Besides monetary fines, businesses also face other consequences of CCPA non-compliance, such as loss of consumer trust, which damages a business's brand and customer loyalty.
Businesses found to be non-compliant with the CCPA also risk damaging their reputation and attracting negative media and social media coverage. This can result in a loss of trust and credibility with consumers.
Violating the CCPA can also result in expensive lawsuits, as seen with companies such as Zoom and Sephora. Zoom agreed to an $85 million settlement, while Sephora was fined $1.2 million.
CCPA Compliance Requirements
One of the essential CCPA compliance requirements for businesses operating in California is to notify their consumers of the type of data being collected and shared. If a business is collecting the personal data of minors, it must have consent from the guardian. Other compliance requirements include:
- Providing information about the purpose of the collected data
- Ensuring that third-party buyers of private data are CCPA-compliant
- Providing consumers with the right to opt out
- Implementing reasonable security measures to protect against data breaches
- Providing a clear and conspicuous "Do Not Sell My Personal Information" link or button on the homepage
Achieving CCPA Compliance
The best way for a business to comply is to develop a CCPA/CPRA compliance checklist, a tool you can use to check whether the business meets each requirement. Other steps to ensure you are compliant are:
- Train your employees on CCPA and CPRA laws
- Update privacy policies and notices to be CCPA-compliant
- Conduct a data inventory to know the type of data collected and how it is shared and stored
- Give consumers the right to opt out, and put a mechanism in place for consumers to retrieve their data easily
- Implement reasonable security measures to protect the privacy of consumers
- Review agreements with third-party services to ensure they are CCPA-compliant
- Appoint a data protection officer to be responsible for ensuring the business is CCPA-compliant
- Stay current with updates to the CCPA and CPRA to maintain compliance
Responding to CCPA Fines
Before a business is fined, it will be given 30 days to come up with remedial measures. If the violations persist after 30 days, the Attorney General's Office will take legal action. The best ways to respond to CCPA fines are:
Review the Fine
Businesses need to review the reason for the fine to understand the offense that was committed. This should be done with lawyers to ensure that the fine falls within the confines of California law.
Create a Course of Action
Once the business understands why it was fined, it needs to create a course of action to address the violations that caused the fine. The plan can include training your staff and updating procedures and policies.
Consider Legal Options
Businesses can consider legal options if they feel the fine imposed is unjustified or too severe. Options include asking the agency to reduce the penalty or challenging the findings.
Create a Compliance Checklist
The business should develop a compliance checklist to ensure it does not receive another fine in the future. In addition, it should appoint a compliance officer to ensure all laws are followed.
What Are The Highest CCPA Fines?
The highest CCPA fines are $7,500 per intentional violation and $2,500 per unintentional violation. At $7,500 per violation, fines covering thousands of consumers add up very fast and can reach millions of dollars.
The exact amount depends on whether the business has a history of violating CCPA laws and whether it took prompt action to remedy the contravention after being notified.
What is an Example of a Personal Data Breach?
An example of a personal data breach is when unauthorized individuals hack into or otherwise access a consumer's private information. For instance, if hackers steal your data from a bank, such as your ID, credit card number, email address, and password, that is a personal data breach.
When Did GDPR Come Into Force?
GDPR came into force on May 25, 2018.
Are There Exceptions to The CCPA?
Yes. The CCPA does not apply if the collected personal information is used in an employment context, meaning the data was collected from an employee or job applicant.
Another CCPA exception is data that is publicly available from government records and registries.
What Rights Do I Have Under The CCPA?
California residents have the right to request that a business disclose any personal information it holds about them. In addition, you have the right to request that the business delete the information it holds about you.
Lastly, consumers have a right under CCPA to instruct businesses not to sell their data to third parties.
Does The CCPA Apply to Companies Outside California?
The CCPA applies to companies outside of California if they conduct business in the state and meet one of the following criteria:
- Have an annual gross revenue of over $25 million
- Commercially sell or share the personal information of more than 50,000 California residents
- Receive at least 50% of yearly revenue from selling the personal information of California residents
How Can Captain Compliance Help?
Businesses collecting data from California residents must engage with a compliance expert to ensure they operate within the CCPA (as amended by the CPRA).
Failure to comply with the CCPA can result in huge losses, as seen by T-Mobile. T-Mobile was forced to make a $350 million settlement.
To protect your business from such losses, get in touch with Captain Compliance. We have years of experience in Californian data privacy law and can ensure your company becomes compliant.