Legal and data protection research writer at TermsFeed.
Reporting a violation is an important way to help ensure that companies are held accountable for their actions and comply with the law. By reporting a violation of the California Consumer Privacy Act of 2018 (CCPA), consumers may be able to protect themselves and others from being harmed by that company in the future.
This article will review the major points of the CCPA (as amended by the CPRA), its key provisions and demands on businesses, get into specifics on how consumers can report CCPA violations, and provide a quick checklist of necessary points companies should include in their Privacy Policies to ensure CCPA (CPRA) compliance.
A Brief Outline
It is easier than ever to report CCPA (CPRA) violations following a press conference held by California Attorney General Rob Bonta. During that press conference, California's AG highlighted the CCPA's effectiveness and unveiled a Consumer Privacy Tool for individuals to report missing or unclear "Do not sell my personal information" buttons on company websites.
According to the AG, 75% of businesses reported for violations responded and made efforts to comply within the 30-day window allowed by CCPA (CPRA) regulations. Bonta said that the rest of the companies were notified and are still in the time frame to "cure the situation" or under active investigation.
Specifically, Bonta stated that:
"Enforcement of the CCPA marks an enormous step for privacy protection in California, particularly at this time after the COVID-19 pandemic moved so much of our lives online. We're happy to announce that we are seeing great progress with our CCPA enforcement, but there's more work to be done.
Plain and simple: Exercise your rights under the CCPA. Any Californian is empowered to opt-out of selling their personal information online. Consumers can also join our enforcement efforts with our new Data Privacy Protection Tool that allows anyone to notice a business that appears to be out of compliance with CCPA."
What is the CCPA (CPRA)?
The CCPA (CPRA) is a privacy law that regulates how companies share and sell private, personal consumer data.
With its goal of protecting consumers' privacy leading much of its design, this act aims to limit how a consumer's personal information can be collected and used by both online businesses and brick-and-mortar stores.
It was enacted in 2018 and went into effect on January 1, 2020, and the CPRA amendments took effect on January 1, 2023.
What Businesses are Regulated by the CCPA (CPRA)?
The law applies to all companies that provide services to California residents and generate at least $25 million annually.
The law also applies to companies of any size that possess personal data on more than 100,000 individuals or make more than half of their revenue from selling or sharing personal data. The law doesn't require companies to be located in California or to have a physical presence there. They don't even need to be located in the United States.
An amendment added later exempts "insurance agents, support organizations, and insurance institutions" since they are already regulated under California's Insurance Information and Privacy Protection Act.
Penalties for Violating the CCPA (CPRA)
The CCPA (CPRA) gives the California Privacy Protection Agency the power to enforce the CCPA.
It also allows consumers to file a lawsuit to seek actual or statutory damages, whichever may be greater, for the failure to enact reasonable procedures and measures that result in a data breach where unencrypted personal data is taken.
Intentional violations of California's Consumer Privacy Act may result in civil penalties of up to $7,500 per violation. This is in addition to any lawsuit filed by the California Attorney General for the benefit of Californians. For other offenses, the maximum penalty is $2,500.
Key Provisions of the CCPA (CPRA)
California residents have enhanced rights regarding their personal data. They can find out what information is being collected and how it is being used. They can also know whether or not their data has been sold to third parties and to whom. They can even oppose any sale of their information.
The CCPA (CPRA) is a significantly different piece of legislation from the GDPR. Companies that are affected by the CCPA (CPRA) should not assume their GDPR compliance efforts meet the requirements of the CCPA (CPRA).
Having said that, here is a list containing some of the key CCPA (CPRA) provisions which have an impact on your compliance efforts:
- Right to opt out - The most essential right consumers have under the CCPA (CPRA) is the right to deny third parties permission to sell their personal data. However, it's important to remember that the CCPA/CPRA's definition of "sale" is extremely broad. It includes any communication or transfer of a customer's personal data to another business or third party for monetary "or any other valuable consideration." This covers situations where a business receives any type of benefit in exchange for access to personal information. Examples of such benefits include mutual access to each other's marketing lists, information or insights about consumers, and the ability to target specific consumers for advertising purposes.
- Right of access - The consumer also has the right to ask for and receive information regarding their personal data collected by businesses. This includes information about the categories of personal information that were collected, disclosed, or sold, the sources from which it was obtained, the categories of recipients, and the purpose of collecting and selling the information. Consumers have the right to see the categories and the individual pieces of personal data that a business has collected.
- Right of portability and deletion - Consumers who request access to their personal data have the right to know which pieces the business has collected and also to obtain their information in a "readily useable format" that can be easily transferred, free of charge, and delivered within 45 calendar days. They can also request the removal of personal information the business has collected, with certain exceptions. Businesses are also required to provide two separate ways for consumers to request deletion or portability.
- The right to equal prices and services - Businesses are prohibited from discriminating against CA residents in retaliation for exercising their rights. However, companies are allowed to offer different prices and levels of service, provided that they are reasonably related to the consumer's value through their personal information.
- Private Right of Action - California's CCPA (CPRA) requires that businesses protect Californian consumers' personal information. This gives consumers the right, through the CCPA (CPRA), to sue a company if their personal information is not adequately protected.
- Disclosures of personal information made - According to the CCPA (CPRA), businesses that sell or divulge personal information for business purposes must inform consumers when they receive a verifiable request. They must maintain separate lists for data that is collected, shared, or sold for commercial purposes.
Here's another that specifically mentions the relevant law:
Ensure you honor rights requests in a timely manner, or you will be in violation of the CCPA and users will be able to file a complaint against you.
How Consumers Can Report CCPA (CPRA) Violations
California's Privacy Protection Agency has created an online form that allows consumers to submit a complaint about businesses that have violated the California Consumer Privacy Act.
The form starts out by having the end user select any and all things that the complaint is about, from children's privacy to different user rights. Here's just an excerpt:
The next two sections ask for information about the businesses that have allegedly violated the CCPA, and ask the person submitting the complaint to verify whether they're a resident of California:
The following sections let users detail what exactly happened in their own words, and note any supporting materials they may have:
Finally, users are asked if they have contacted the business previously, and whether they wish to submit the complaint as sworn or unsworn for legal purposes:
Following these questions, users are asked for general information such as a mailing address.
You can see how easy this form makes it for users to quickly and conveniently submit thorough complaints when needed.
How CCPA (CPRA) Complaints Affect You
CCPA (CPRA) complaints affect you by making it much easier for people to file a formal complaint against you if you violate the law, which in turn has financial and reputational repercussions for your business.
As a business owner, the last thing you want is a formal complaint filed against you and government officials seeking to penalize you. This will not only hurt your bottom line, but it can ruin your reputation and cause irreparable harm in some cases. Smaller businesses may not have the financial buffer to handle the damage caused, and may find themselves fighting to stay in business after being hit with fines and a damaged reputation.
The best way to limit how complaints affect you is to avoid receiving them in the first place. This means you need to comply with the CCPA (CPRA) and stay up to date with compliance requirements.
If you're a California-based consumer, you now have tools at your disposal to help ensure businesses comply with the CCPA (CPRA).
However, if you're a business owner or executive, you should understand that your company will now be under more scrutiny when it comes to CCPA (CPRA) compliance than perhaps it ever has been.
For instance, as previously stated, a business selling personal information must place a prominent "Do not sell my personal information" link on their company's website. This allows consumers to request that the sale of their personal data be stopped.
Here's an example of this information displayed in a pop-up notice, which is highly effective:
Here's how you can display the link in your website footer so it's always there and accessible:
The link will then go to a page that can be similar to this one, where users can complete their request that you do not sell or share their personal information:
- What information a business collects
- Why it collects personal information
- Whom the business shares this information with, and why
- How the business collected data
- Whom the consumer can contact if they wish to know more about how their data is used or stored
- The consumers' various rights under the CCPA (CPRA)
Here's an example of a relevant clause:
You can update users in a number of ways, including a notice screen like this that can display on a website or mobile app:
The CCPA (CPRA) got off to a strong start with the first year of enforcement. California AG, Rob Bonta, said that 75% of businesses his office notified about an alleged violation took steps within 30 days to comply.
He also introduced a new online tool for consumers which will allow them to file complaints against companies they think are violating their privacy rights under the CCPA (CPRA) directly through email or on the website.
The reporting tool should help make sure California consumers feel they have real recourse if they feel like their personal data has been mishandled.
Finally, suppose you reside in the state of California and you believe a company is violating your rights under the CCPA (CPRA). In that case, you can use the reporting tool on the California Attorney General's website.