What We Know So Far About the CCPA and Penalties
As of July 1st, 2020, the California attorney general began enforcing the California Consumer Privacy Act (CCPA). The attorney general can pursue a civil penalty from any for-profit entity doing business in the state of California that fails to comply with the CCPA. These fines could add up quickly, into hundreds of millions of dollars in some cases, and could apply to a violation of any section of the CCPA.
Any “Business” Can Receive a CCPA Penalty
The CCPA focuses on any for-profit business that operates in the state of California and meets at least one of the following thresholds:
- Has an annual revenue of $25 million or more.
- Buys, sells, receives, or shares the personal data of more than 50,000 consumers per year for commercial purposes.
- Derives more than 50 percent of annual revenue from the sale of consumers’ personal information.
The CCPA can also apply to Service Providers (companies that process personal information on behalf of a business pursuant to a written contract).
Any CCPA Violation Can Lead to a Penalty
There are two types of enforcement mechanisms in the CCPA:
- Civil Penalty – The California Attorney General can pursue penalties from businesses that violate any part of the CCPA. Examples of reasons for civil penalties include:
  - Failure to respond to consumers’ requests under the CCPA rights
  - Failure to provide adequate notice when collecting personal information
  - Selling consumers’ personal information without providing an opt-out
  - Discriminating against consumers who exercise their CCPA rights
- Private Right of Action – Can only be triggered by a data breach
Service providers and third-party vendors may be liable for a penalty if they use, retain, or disclose personal information for purposes outside of their contract with a business, for example the unlawful sale of personal information received from a business.
Businesses Have a 30-Day Notice to Cure
The California Attorney General can pursue a civil penalty from a business, service provider or third-party vendor that has been notified of a CCPA violation and has failed to cure within 30 days. This notification can come either from the California Attorney General or from the California Privacy Protection Agency (CPPA). A private right of action notification can be submitted directly by a consumer (even if the violation does not amount to a data breach).
Under the California Online Privacy Protection Act (CalOPPA), the AG has required businesses to submit “Compliance Plans” detailing how businesses will cure alleged violations within the 30-day notice period.
Rectifying violations within 30 days can minimize or completely avoid a civil penalty.
Privacy Violations Can Be Costly
The amount for businesses found liable for a civil penalty under the CCPA:
- Up to $7,500 per intentional violation
- Up to $2,500 per unintentional violation
A “violation” takes place each time a consumer’s rights are violated by a non-compliant business. A business with online transactions may have hundreds of thousands of transactions daily. The California law counts one violation per consumer, and this adds up.
There’s hope through proper data privacy compliance and early preparation.
As scary as this sounds, the CCPA is designed to encourage businesses to take reasonable steps towards compliance. Working towards CCPA compliance (as well as compliance with other emerging State Data Protection legislation) at the earliest possible opportunity will help ensure your organization is not subject to allegations of violation. Data mapping and categorization at regular intervals can identify unintentional violations of the CCPA, and it will become easier to cure these violations within the 30-day period.
Some key steps to take towards data privacy compliance include:
- Review your Privacy Notices and Policies: Fulfill the commitment to transparency with a plain-language written document. Inform consumers about the personal information the organization collects and the purposes for which it is collected and used.
- Perform Data Mapping and Categorization: Data mapping will provide the “roadmap” for the organization’s collection, processing, storage, and transfer of data.
- Conduct a Vendor Audit and Management: Because apps, software and website features rely on third parties, proper monitoring of those vendors allows early detection of violations.
- Implement Privacy and Security Controls: Selecting and implementing appropriate information security controls will help an organization reduce data security risk to acceptable levels.
- Designate a method to carry out consumer rights requests: Provide an easily accessible Data Subject Rights method, like a form on your website, for submitting data subject requests to access, delete, and opt out of the sale of personal information.
Clarip’s patented Hybrid AI Software takes enterprise privacy governance to the next level and helps organizations reduce or avoid violations of the CCPA, and gain customers’ trust! For more details on best privacy practices and guidelines to develop and operationalize a privacy program, download Clarip’s whitepaper: Understanding Privacy Governance.