The California Consumer Privacy Act (CCPA) calls for responsible handling of personal information. Its strict approach and non-compliance penalties protect consumers' interest in their data. Unlike GDPR, CCPA fines have no upper cap, which makes non-compliance expensive.
What is the California Consumer Privacy Act (CCPA)?
The CCPA, California's data privacy regulation, was enacted in 2020 to safeguard consumer data by promoting accountability among businesses and granting privacy rights to consumers. It prescribes privacy practices such as transparency, fulfilling consumer requests, contractual relationships with service providers, and maintaining confidentiality.
The CCPA was amended by the CPRA, which came into effect in 2023.
Who does CCPA apply to?
The Californian privacy law typically applies to for-profit businesses that meet the following criteria:
- Have a gross annual revenue of more than $25 million
- Buy, sell, or share the personal information of more than 100,000 consumers
- Derive 50% or more of their annual revenue from the sale of consumers' personal data
Non-profit organizations and government agencies are generally not required to comply with the CCPA requirements.
Note that the CCPA also applies to businesses outside California if they collect Californians' personal data.
What are the consumer rights under CCPA?
Businesses must respond to consumer requests promptly. The law confers the following consumer rights to California residents:
Right to know
A consumer under the CCPA has the right to know the categories and sources of information you have collected about them, the purpose of collection, the third parties with whom you share or sell their information, and the categories of information sold or shared.
Right to correct
They can also request the correction of any inaccuracies in the personal information you handle.
Right to delete
Consumers can request a business to delete their information from the database. This is bound by some exceptions such as legal compliance or for internal use reasonably expected by the consumer.
Right to opt-out
The law allows consumers to opt out of the sale or sharing of their personal data. Businesses cannot sell or share personal data once the consumer opts out. Consumers can also use universal opt-out signals for this purpose.
Right to limit
The CCPA does not follow an opt-in model for the use of sensitive data. Instead, consumers can limit the use and disclosure of their sensitive data to what is necessary to provide the product or service.
Right to non-discrimination
The CCPA protects individuals from any discrimination arising from the exercise of the rights granted to them. This includes denial of products or services, price increases, or reductions in quality.
What are the fines for CCPA violations?
The California Attorney General and the California Privacy Protection Agency (CPPA) are the enforcement authorities for the CCPA.
Civil penalties for CCPA violations range from $2,500 to $7,500 per violation. This may seem negligible compared to GDPR, but it can easily grow from thousands to millions depending on the number of consumers affected.
The California law also grants consumers a limited private right of action. They can sue businesses for data breaches such as the disclosure of encrypted data. The civil action can seek:
- Statutory damages of $100 to $750 per consumer per incident, or the cost of the harm caused (actual damages), whichever is greater
- Injunctive or declaratory relief
- Any other relief the court finds appropriate
The enforcement agency now has discretion over whether to grant violators a cure period. Before the CPRA, a 30-day cure period was the norm.
What are the types of CCPA violations?
CCPA violations can occur for many reasons, including not providing a privacy policy, ignoring consumer requests, or concealing CCPA rights.
CCPA fines and penalties depend on the seriousness and nature of the misconduct, the frequency of violations, and the assets, liabilities, and net worth of the infringer. Intentional violations attract higher fines than unintentional ones.
Let us look at a few types of CCPA violations.
Violations involving consumer privacy rights
Businesses must respond to consumer requests promptly. The law prescribes 45 days for this, which can be extended by another 45 days if necessary, provided the consumer is notified of the delay. Failure to respond gives rise to enforcement action.
CCPA enforcement can also arise if you do not disclose consumer rights, or if opt-out links such as "Do not sell my personal information" or "Limit the use of my sensitive personal data" are broken.
Make the consent request mechanisms convenient rather than complicated. Avoid unnecessary steps such as multiple, tedious verification processes.
Violations involving data security breaches
If you handle Californians' personal information, you cannot neglect security safeguards. If a breach happens, which we hope it doesn't, you can be subjected to fines of up to $7,500 per violation. A data breach occurs when an unauthorized individual gains access to personal data or sensitive personal data.
Consumers can sue businesses over data breaches after giving them a 30-day cure period.
Violations involving non-transparency
Having a privacy policy and a notice at collection are significant steps toward CCPA compliance, but merely having them is not enough. You must post them conspicuously, include the information required by the law, and update them at least once a year or whenever there is a change. Concealing information or failing to make the notices easily accessible are CCPA violations.
Violations involving opt-out non-compliance
Unlike the General Data Protection Regulation, the CCPA follows an opt-out model and requires businesses to provide opt-out links such as "Do not sell my personal information". This can be challenging, as you have to deploy opt-out banners, respect Global Privacy Control signals, and geo-target consumers.
How can businesses avoid CCPA fines?
By being vigilant in data processing and complying with the CCPA requirements, you can avoid enforcement actions arising from non-compliance. Here is a checklist for CCPA compliance.
Data minimization and purpose limitation
- Collect only the personal information necessary for the specific purpose of collection or for a disclosed purpose within the context of the collection process.
- Limit the use of the collected data for the specific purpose for which it was collected.
To do this, understand your requirements and determine which personal data you actually need.
Transparency
Provide clear and conspicuous notices to consumers. This includes a privacy policy, opt-out notice, and notice at collection.
A privacy policy is a written document describing how personal data is processed. It is longer than the notice at collection. Both documents must be provided to consumers.
Opt-out banner
To comply with the CCPA opt-out requirements, you must also implement an opt-out banner that appears whenever a Californian visits your website. This means customizing your banners based on geo-location and honouring universal opt-out signals. Many businesses find these requirements difficult to meet because they demand considerable resources, coding, and time. Using a consent management platform like CookieYes simplifies the process.
Consumer requests
Designate two or more convenient methods for submitting CCPA requests, and respond promptly to requests such as those for deletion or correction.
If an extension is necessary because of a large number of requests or their complexity, notify the consumer before extending the response time.
Security safeguards
Establish security procedures such as encryption, strong passwords, regular backups, and similar controls to prevent unauthorized access. Train your employees on cybersecurity, including how to recognize and avoid phishing emails.
Impact assessments
Conduct regular data protection impact assessments to analyze risks and mitigation measures associated with data processing.
Contract
Maintain contractual relationships with third parties, including service providers, and ensure their CCPA compliance.
What are some real-world examples of CCPA fines issued to companies?
Being CCPA-compliant should be a culture rather than a mere obligation. Real-world examples offer valuable insights, reveal potential pitfalls, and help shape compliance strategies.
Sephora
The Office of the Attorney General announced a $1.2 million settlement with Sephora in 2022 for violating the CCPA. The alleged violations included failing to disclose the sale of personal data and not recognizing global opt-out signals. Sephora was given a 30-day cure period but still failed to comply.
Along with the settlement amount, Attorney General Rob Bonta also required the company to meet these requirements:
- Disclose information about the sale of personal information in their privacy policy
- Provide opt-out methods and recognize global opt-out signals
- Ensure that their service provider agreements comply with the CCPA requirements
- Report to the AG about the efforts taken for compliance
Anthem
The California AG imposed a fine of $8.69 million on Anthem for a data breach.
The exposure of Californians' personal data, including sensitive health information, was allegedly caused by a failure to implement necessary security measures. The attackers carried out the breach by using malware-infected emails to gain entry into the system.
Anonymous technology provider
Now that we understand the possible cost of breaking the law, this case demonstrates how to avoid CCPA fines.
A tech company failed to give consumers notices regarding their rights and neglected to specify how to exercise those rights. Additionally, it did not provide a "Do not sell my personal information" link or disclose whether it sells personal information.
Despite these violations, the company did not receive any fines because it took prompt action and rectified the violations within the specified cure period.
FAQ on CCPA Fines & Penalties
Unlike GDPR, there is no cap on total penalties under the CCPA. This means the total can grow with the number of violations, their seriousness, their frequency, and other factors. The penalty prescribed by the CCPA for a single violation ranges from $2,500 to $7,500.
Though the CCPA and GDPR share similarities, such as granting consumer rights, they also differ in important ways.
The EU's GDPR emphasizes privacy by default, while the CCPA prioritizes transparency. GDPR operates on an opt-in model, requiring consent before processing, while the CCPA requires individuals to opt out. Unlike the CCPA, GDPR applies to all businesses collecting European personal data, regardless of size, without specifying a numerical threshold.