The potential reach of penalties and risks involved with noncompliance of data privacy laws - Clarip Privacy Blog


In the past, many organizations have been able to evade severe penalties associated with noncompliance. Those days are coming to a close, and organizations must rectify their compliance issues. Penalties for noncompliance with data privacy laws vary by jurisdiction and by the specific law violated. In this article, we focus on organizations doing business within the US.

California cure period is gone.

Under the California Consumer Privacy Act (CCPA), businesses were given the opportunity to cure any violations within 30 days after being notified of alleged noncompliance. The state’s Office of Attorney General (OAG) began sending notices of alleged noncompliance to companies on July 1, 2020, the first day CCPA enforcement began. A year into the enforcement of the CCPA, the state’s OAG had focused its attention on inadequate notices about consumer rights, compliance with “do not sell my personal information” requests, and missing provisions in contracts with service providers.

No public fines had been charged at that point, and according to AG Rob Bonta, 75 percent of the businesses notified had cured the alleged violations, including about 30 examples listed on the OAG's website. That list included companies from nearly every industry, from social media, dating, entertainment, and data brokers to grocery retailers and car sellers.

However, as 2022 came to a close, the OAG made clear that businesses must honor Global Privacy Control (GPC) signals, and the 30-day cure period for statutory violations expired as of January 1, 2023.

Do other US states have cure periods for alleged violations?

The California Privacy Rights Act (CPRA) eliminates the thirty (30) day cure period originally permitted under the California Consumer Privacy Act (CCPA). However, the CPRA allows the California Privacy Protection Agency (CPPA) to decide not to investigate a complaint, or to give a business a period of time in which to cure the alleged violation.

The Colorado Privacy Act (CPA) provides a sixty (60) day cure period for alleged violations. This will remain in effect until January 1, 2025.

The Virginia Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA) provide a thirty (30) day cure period for alleged violations. The VCDPA and UCPA require that companies provide an express written statement that the alleged violations have been cured and that no further violations will occur.

In short, cure periods under US state privacy laws last only one to two months, and most states will eventually remove cure periods altogether. Under others, like the CCPA, whether an alleged violation is pursued is left to the discretion of the regulators.

Some common consequences for noncompliance:

  • Civil lawsuits and monetary damages
  • Fines and penalties imposed by government agencies
  • Criminal liability in cases of intentional or reckless violations
  • Requirements for companies to implement remediation measures, such as changes to data handling practices and regular audits and assessments
  • Loss of consumer trust and business opportunities
  • Months tied up in legal battles and courts
  • Reputational harm
  • Negative media coverage

These risks affect a corporation's ability to do business effectively. The enterprise is not in the business of managing regulatory compliance, so it hires and appoints directors and corporate officers to do so. On paper, fines can run into the millions; in reality, and over the long term, the loss to shareholders can run into the tens of millions. Shareholders look to those directors and corporate officers for answers.

Breach of oversight for failure to comply with data privacy laws

A breach of oversight occurs when a company's directors or officers fail to ensure that the company complies with data privacy laws and regulations. This can occur in a variety of ways, such as:

  • Failing to properly secure personal information
  • Collecting and using personal information without consent
  • Sharing personal information with unauthorized third parties
  • Failing to properly dispose of personal information
  • Failing to provide individuals with access to their personal information
  • Failing to properly notify individuals of a data breach
  • Failing to comply with data retention and deletion policies

Like noncompliance, the consequences of a breach of oversight can include civil lawsuits, fines, penalties, and reputational harm, as well as a loss of consumer trust and business opportunities. In some cases, the individuals responsible may face criminal liability. In January 2023, the Delaware Court of Chancery recognized that corporate officers, not only directors, owe the company a legal duty of oversight, an obligation that had traditionally applied solely to directors, and that officers can be sued by shareholders for breach of that duty.

It is important for companies to regularly review and assess their compliance with data privacy laws and regulations, and to have systems in place to detect and prevent breaches of oversight. This may include conducting regular risk assessments, implementing data protection measures, providing privacy training for employees, and having incident response plans in place.

Click here to learn more about our Preference and Consent Management Platform! Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.

Email Now:

Mike Mango, VP of Sales

Related Articles:

Clarip 2023 Privacy Readiness: CCPA to CPRA
The California Consumer Privacy Act and Regulations
Clarip Readiness 2023 Privacy Law Changes
Enable Transparency with Global Privacy Controls
