The CPRA has set the stage for some of the steepest fines in data protection, hitting companies where it hurts the most: the bottom line. This privacy legislation brought about a major change in how personal data is used in the State of California. The law's exacting standards and stringent fines make it impossible to overlook. Read on for an overview of the latest CPRA fines, case studies and the fundamental steps for avoiding substantial financial repercussions.
What is CPRA?
The California Consumer Privacy Act (CCPA), which came into effect in early 2020, is a landmark piece of legislation in the privacy-legal landscape. The law was expanded by the California Privacy Rights Act (CPRA) amendments, which became effective three years later, in 2023.
The scope of CPRA is based on monetary and numerical thresholds and generally applies to for-profit businesses that meet any of the following:
- Has annual gross revenue greater than $25 million
- Handles the personal data of at least 100,000 consumers
- Generates more than 50% of annual revenue from personal data sales
The California privacy law requires covered businesses to be vigilant about their data practices and have a transparent relationship with consumers. The law also gives consumers the right to be informed, make corrections, delete information, opt out of sales, and restrict the use of sensitive data. In addition to these rights, the law ensures that consumers will not face discrimination for exercising them.
CPRA authorises the California Attorney General and the California Privacy Protection Agency (CPPA) to take enforcement actions against violators. The prescribed fines range from $2500 to $7500 per violation depending on the nature, impact, frequency and other factors.
Unlike under the GDPR, there is no cap on the total civil penalties the enforcement agency can pursue. Generally, the fines are higher for intentional violations than for unintentional ones.
The law also grants a private right of action to consumers in the event of a data breach.
Who can get a CPRA penalty?
Any business that operates in California or collects Californian personal data, and meets the CPRA thresholds, can face penalties if it fails to comply with the law.
Small businesses collecting personal data from enough consumers, or using third-party cookies with 100,000 Californian visitors a year, may be subject to CPRA regardless of revenue.
Furthermore, CPRA’s territorial scope is unlimited. Therefore, even if your business is outside California, the law applies to you if you meet the numerical thresholds.
Now, let us analyse some of the non-compliance scenarios.
Scenario 1
An online shopping website with more than 100,000 Californian visitors annually does not provide any links that allow consumers to opt out of the sale of their personal information or have any mechanisms to exercise consumer rights.
Scenario 2
A mobile application that collects precise geolocation data of consumers does not provide a privacy policy disclosing the same and also has no opt-out links.
Overview of the top CPRA fines you should know about
Each real-world example of CPRA fines is a wake-up call for businesses that handle Californian consumers’ personal information. It gives them insights to proactively achieve CPRA compliance and protect their bottom line.
This section provides a comprehensive overview of the top 3 CPRA fines you should know.
Fine #1: Tilting Point Media LLC
This year, Tilting Point Media LLC, a well-known gaming company, was fined $500,000 for failing to comply with the CPRA requirements in a suit initiated by the California Attorney General.
The company was accused of breaching children’s privacy under the CPRA and COPPA by not obtaining verified parental consent to sell children’s personal information. It was also alleged that the platform did not encourage children to provide their actual ages and was engaged in data sales.
Along with the huge fine, the enforcement agency also required the company to implement measures to prevent such violations in the future.
Some of the instructions include:
- Provide a notice at collection informing consumers of the collection of personal information and that consent is required for the sale of children's personal information
- Obtain opt-in consent from parents/legal guardians before selling or sharing the personal information of children below 13 years of age
- In the case of minors between the ages of 13 and 16 years, obtain opt-in consent from them
- Provide a clear and detailed privacy policy including information regarding the data sales in the previous year
Fine #2: Doordash
Doordash, an online food delivery platform, was hit with a fine of $375,000 for violating CPRA's opt-out provisions.
The alleged violation was that the company sold consumer data without providing them an opportunity to opt out of it. Doordash shared customer data as part of a marketing cooperative to allow businesses to advertise to each other’s customers.
The agency also pointed out that the company violated the disclosure requirements under CalOPPA by not revealing that it would share personally identifiable information with third parties.
Doordash also had to follow these compliance instructions:
- Comply with CalOPPA in connection with privacy policy requirements
- Include in its privacy policy information regarding the data sales in the previous year
- Inform consumers of the company’s participation in marketing cooperatives
- Explain in its privacy policy and notice at collection that the consumers have the right to opt out of the sale of personal information
- Provide mechanisms for consumers to exercise their opt-out rights
Fine #3: Sephora
The agency fined Sephora, a multinational online retailer, $1.2 million for data privacy violations, including the failure to recognise global opt-out signals.
The alleged breaches include the unauthorised sale of customer data, failure to recognise global opt-out signals, and third-party tracking of consumers. Though the company was given a cure period of thirty days, it failed to address the issue.
In addition to the fine, Sephora was also instructed to do the following to comply with CPRA.
- Inform consumers about the data sales through its privacy policy and notice at collection
- Establish effective consumer request mechanisms such as an active email address, toll-free number or online portals
- Provide a “Do not sell my personal information” link conspicuously on the website
- Implement mechanisms for recognising universal/global opt-out signals from consumers
Case Studies of businesses that avoided CPRA fines with timely action
Analysing case studies of CPRA fines certainly assists a business’s compliance journey. It gives them an overview of what to do and what not to do to avoid hefty penalties. Here are some of them.
Case study #1
A telehealth portal was found to have a non-compliant privacy policy and notice at collection
What was the violation?
The virtual health platform's link to its notice at collection pointed to the beginning of its privacy policy rather than to the relevant section. Furthermore, the privacy policy was incomplete: it did not describe the categories of personal information sold, or the third parties with which the data had been shared, in the past 12 months.
However, the business was able to rectify the violation within the cure period, thereby evading hefty fines.
The company did the following to cure the violation:
- Deep linked the notice at collection to the relevant section of the privacy policy
- Updated the privacy policy with the required disclosures
Case study #2
An online clothing business provided a misleading "Do not sell my personal information" link.
What was the violation?
In this instance, the online clothing retailer's link to opt out of the sale of personal information did not comply with the Californian data privacy law. The "Do not sell my personal information" link only addressed cookie preferences and did not allow consumers to stop the sale of their personal data.
To cure the violation, the business added a separate mechanism that explicitly lets consumers opt out of the sale of their personal data.
How to avoid CPRA fines and penalties?
The California Privacy Rights Act strives to protect the privacy of Californians by empowering them with rights over their personal data. The law also sets data protection standards and imposes obligations on businesses.
Given the potential for substantial fines for non-compliance with CPRA, it is advisable to take the following measures and become CPRA-compliant.
Conduct data mapping
You collect personal information from individuals through many different channels, so you need records that make the collected data traceable and keep your organisation accountable for it.
Data mapping helps in achieving this by tracing the journey of data flows within your organization. The process involves identifying the types of data you collect, their sources, the purpose of collection, the estimated time for which they will be stored in your database, etc.
Update your privacy policy
Review and determine whether your privacy policy contains all the necessary information as required by CPRA.
If you do not already have one, create a privacy policy that represents how you handle your customers’ personal data. This is not only a legal obligation but also a great step towards cultivating trust with your customer base.
Also, provide the other CCPA notices, such as a notice at collection and a notice of the right to opt out.
A notice at collection is a shorter version of a privacy policy and is given right before or at the point of data collection. It informs consumers of the categories of personal data that will be collected, the purposes for which they are collected, whether the business will sell the data, etc.
The notice of the right to opt out informs consumers of their right to opt out of data sales or to limit the use of their sensitive personal data.
Additionally, if your website uses cookies, you must also display a cookie notice.
Consent management
Managing and recording users’ consent preferences is important to CPRA compliance.
Since CPRA follows an opt-out model, you can collect personal data without first obtaining consent from consumers. However, you must allow them to opt out of the sale or sharing of their personal data.
Personal data also includes online identifiers such as cookies and IP addresses. This means you must allow consumers to stop third-party cookies from being set on their devices. You can display cookie banners to comply with these requirements.
Here are some key considerations for consent management:
- Do not use dark patterns or confusing buttons to obtain consumer consent
- Geo-target Californians and deploy opt-out banners
- Keep the consent log documented and updated
When it comes to targeting Californians based on their location, showing cookie notifications, or collecting and handling consent preferences, it may appear to be a laborious task. However, there are tools available, such as Consent Management Platforms (CMPs), that can assist you with this.
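The consent-management considerations above, together with the requirement (from the Sephora order) to recognise universal opt-out signals, are easiest to see in code. The following is an added example, not CookieYes code or code from any of the businesses discussed. It assumes a server-side request handler that already has the visitor's region from some geo lookup (the string "US-CA" stands for California here), a pseudonymous visitor id, and an append-only in-memory consent log; the browser-side universal opt-out signal is the Global Privacy Control header `Sec-GPC: 1` (exposed to page scripts as `navigator.globalPrivacyControl`).

```javascript
// Added example (not CookieYes code): decide whether sale/share cookies may be
// set for a request, honouring a universal opt-out signal and any recorded
// opt-out, and keep the consent log updated.
// Assumptions: `region` comes from a hypothetical geo lookup ("US-CA" means
// California); `visitorId` is a pseudonymous id; `log` is an in-memory array.

// The Global Privacy Control signal arrives as the request header "Sec-GPC: 1"
// and is exposed to page scripts as navigator.globalPrivacyControl === true.
function hasUniversalOptOutSignal(headers = {}, nav = null) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1') {
      return true;
    }
  }
  return nav !== null && nav.globalPrivacyControl === true;
}

// Append a dated entry to the consent log. The log is append-only so the full
// history of each visitor's choices is kept rather than overwritten.
function recordChoice(log, { visitorId, choice, source, region, at = new Date().toISOString() }) {
  if (!['opt-out', 'opt-in', 'limit-sensitive'].includes(choice)) {
    throw new Error(`unknown choice: ${choice}`);
  }
  log.push({ at, visitorId, choice, source, region });
  return log;
}

// Most recent recorded choice for a visitor, or null if none has been recorded.
function latestChoice(log, visitorId) {
  const entries = log.filter((e) => e.visitorId === visitorId);
  if (entries.length === 0) return null;
  entries.sort((a, b) => (a.at < b.at ? 1 : a.at > b.at ? -1 : 0));
  return entries[0].choice;
}

// Decide whether third-party sale/share cookies may be set for this request.
function decideSaleShareCookies({ region, headers, nav, log, visitorId }) {
  if (hasUniversalOptOutSignal(headers, nav)) {
    // Treat the signal as a valid opt-out request and persist it, so later
    // requests from this visitor without the header are handled the same way.
    recordChoice(log, { visitorId, choice: 'opt-out', source: 'gpc-signal', region });
    return { allow: false, reason: 'universal-opt-out-signal', showOptOutBanner: false };
  }
  if (latestChoice(log, visitorId) === 'opt-out') {
    return { allow: false, reason: 'recorded-opt-out', showOptOutBanner: false };
  }
  // Opt-out model: no prior consent is needed, but Californian visitors must be
  // shown the opt-out banner/links so they can stop the sale.
  const californian = region === 'US-CA';
  return {
    allow: true,
    reason: californian ? 'no-opt-out-yet' : 'outside-california',
    showOptOutBanner: californian,
  };
}

// Constructed sample: three requests from one Californian visitor sharing one log.
function demo() {
  const log = [];
  const r1 = decideSaleShareCookies({ region: 'US-CA', headers: {}, nav: null, log, visitorId: 'v1' });
  const r2 = decideSaleShareCookies({ region: 'US-CA', headers: { 'Sec-GPC': '1' }, nav: null, log, visitorId: 'v1' });
  const r3 = decideSaleShareCookies({ region: 'US-CA', headers: {}, nav: null, log, visitorId: 'v1' });
  return { r1, r2, r3, log };
}

console.log(JSON.stringify(demo(), null, 2));
```

The first request shows the banner and allows cookies (opt-out model); the second carries the signal, so cookies are blocked and an opt-out entry is written to the log; the third has no signal but is still blocked because the recorded choice is honoured. Treating the signal as an opt-out for every visitor, not only confirmed Californians, is the simplest safe default, since geo lookups are imperfect.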
CookieYes is a CMP that is ideal for businesses seeking compliant solutions for managing consent. Trusted by over a million businesses worldwide, CookieYes is a Google CMP gold partner and is certified by IAB TCF.
Provide opt-out links
Provide a "Do not sell my personal information" link and a "Limit the use of my sensitive personal information" link on your website. Ensure that the links function properly, and once a consumer opts out, respect their decision and take the necessary action to fulfil it.
Implement data security measures
Establish cybersecurity measures to protect the confidentiality of the customer data you handle. Use strong passwords, enable two-factor authentication, limit access to the database, conduct impact assessments, and train your employees on data protection.
Have contracts with service providers and third parties
The CPRA compliance of your service providers and other third parties with whom you share personal data is as important as yours. Therefore, have a contractual relationship with them and ensure their compliance. The contract must determine several factors including the nature of the processing, the rights and duties of each party, and the duration of the processing.
Honour consumer rights
Consumer (data subject) rights revolve around the ability of individuals to control their own data. Almost all privacy laws, including CPRA, require businesses to honour these rights.
Establish convenient consumer request mechanisms. This can be an active email address, a toll-free number or a dedicated online portal.
Respond to requests within 45 days. If necessary, this period can be extended by another 45 days. When verifying requests, strike a balance between the need to confirm the requester's identity and the burden the verification process places on consumers. Do not make the process too complicated and exhausting for them.
FAQ on CPRA fines
The CPRA fines for non-compliance range from $2500 to $7500 per violation. Since fines are assessed per violation, the total can be much higher, depending on various factors including the frequency and nature of the violations, compliance efforts and revenue.
The CPRA removed the requirement for a 30-day cure period to address violations before taking legal action. Now, the enforcement agency has the authority to decide whether or not to allow a cure period.