The California Attorney-General can pursue a civil penalty from anyone that fails to comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Consumers also have a private right of action when a data breach compromises certain types of personal information.
Businesses that can show a proactive and reasonable approach to compliance may be able to escape a penalty, even where a CCPA (CPRA) violation has occurred.
Let's consider what we know so far about the CCPA/CPRA's penalties, and how to avoid them.
- 1. Anyone Can Get a CCPA (CPRA) Penalty
- 2. Any CCPA (CPRA) Violation Can Lead to a Penalty
- 3. Businesses Will Get 30 Days' Notice
- 4. Penalties Can Be Extremely Costly
- 4.1. Violations Can Stack Up
- 4.2. One Consumer Per Violation
- 4.3. Penalties Can Be Adjusted
- 5. Penalties are Avoidable with Proper Compliance
- 6. Summary
Anyone Can Get a CCPA (CPRA) Penalty
The CCPA (CPRA) focuses on "businesses," meaning for-profit entities that do business in California, collect consumers' personal information, and meet at least one of the following thresholds:
- Having annual gross revenues of more than $25 million
- Buying, selling, or sharing the personal information of 100,000 or more consumers or households per year
- Deriving 50 percent or more of annual revenues from selling or sharing consumers' personal information
A careful reading of the CCPA/CPRA's section on civil penalties (section 1798.155) shows that liability is not limited to businesses.
The penalties apply to businesses, service providers (companies that process personal information on behalf of a business under a written contract), contractors (a category added by the CPRA), and "other people."
Any CCPA (CPRA) Violation Can Lead to a Penalty
The civil penalty is one of two enforcement mechanisms in the CCPA (CPRA), the other being a private right of action that allows consumers to pursue civil claims against businesses.
Unlike the private right of action, which is triggered only by a data breach of nonencrypted and nonredacted personal information resulting from a failure to maintain reasonable security, the California Attorney-General can pursue penalties for a violation of any part of the CCPA (CPRA).
Examples of CCPA (CPRA) violations that could result in a civil penalty include:
- Failing to respond to consumers' requests regarding their CCPA (CPRA) rights
- Failing to provide adequate notice when collecting personal information
- Selling consumers' personal information without providing an opt-out
- Discriminating against consumers who exercise their CCPA (CPRA) rights
Service providers can be penalized under the CCPA (CPRA) if they use, retain, or disclose personal information for purposes outside their contract with a business.
"Other people" can breach the CCPA/CPRA's rules on the onward transfer of personal information. A third party that unlawfully sells personal information it received from a business is one example.
Businesses Will Get 30 Days' Notice
Under the CCPA as originally enacted, the California Attorney-General could pursue a civil penalty from a business, service provider, or other person only after it had been notified of a CCPA (CPRA) violation and had failed to cure it within 30 days.
This notification normally comes from the California Attorney-General, whose office is responsible for pursuing penalties under this section.
However, notification of a violation under this section may also come from a consumer, whether or not that consumer can take private action against the business (i.e. even if the violation does not amount to a data breach).
Under California's other major privacy law, the California Online Privacy Protection Act (CalOPPA), the Attorney-General has required businesses to submit "compliance plans" detailing how they will cure alleged violations within the 30-day notice period. We may expect to see similar enforcement action taking place under the CCPA (CPRA).
A business that cures its violation within the 30 days avoids the civil penalty.
A business that fails to cure its violation within 30 days can expect the California Attorney-General to pursue a penalty.
One important caveat: the CPRA removed this mandatory cure period with effect from January 1, 2023. An enforcer may still take a business's efforts to cure into account, and may offer a cure period at its discretion, but it is no longer required to do so before taking action. Businesses should therefore not rely on a 30-day window.
Penalties Can Be Extremely Costly
If a business is found liable for a civil penalty under the CCPA (CPRA), the amount will be:
- Up to $2,500 per unintentional violation
- Up to $7,500 per intentional violation
The CPRA added a third tier: up to $7,500 per violation involving the personal information of consumers whom the business has actual knowledge are under 16 years of age, whether or not the violation was intentional.
Violations Can Stack Up
A "violation" occurs each time a consumer's rights are violated by a non-compliant business, so these penalties can add up to phenomenal amounts.
Previous cases under CalOPPA show how the California Attorney-General might go about counting CCPA (CPRA) violations.
In People v. Delta Air Lines (2012), the Attorney-General alleged that Delta's mobile app was offered without the privacy policy CalOPPA requires. The case was dismissed on federal preemption grounds, but it indicates how "violations" are counted: a "violation" of CalOPPA was alleged to have occurred each time a consumer downloaded the app.
So, for example, if Delta's app had been downloaded by 100,000 consumers (a very conservative estimate), and the Attorney-General had sought the highest penalty available under CalOPPA ($2,500 per violation), the penalty could have totaled $250 million.
A penalty in the hundreds of millions was therefore possible even under CalOPPA, and the CCPA/CPRA's maximum of $7,500 per intentional violation is three times CalOPPA's.
CCPA (CPRA) violations could stack up in the same way. A business that regularly transfers personal information to third parties without valid notice, for instance via third-party cookies, could be committing thousands of violations per day.
One Consumer Per Violation
On this approach, one "violation" occurs per consumer, so multiple instances of the same violation against the same consumer count as a single violation.
Whether a consumer downloads a non-compliant app once or five times, therefore, only one violation has occurred.
Penalties Can Be Adjusted
Cases such as People v. First Federal Credit Corp. show that the California Attorney-General has discretion to seek smaller penalties from smaller businesses that lack the resources to pay the full $2,500 or $7,500 per violation.
The Attorney-General is also likely to seek smaller penalties from businesses that cooperate and approach CCPA (CPRA) compliance in good faith.
Penalties are Avoidable with Proper Compliance
Understandably, many businesses are nervous at the prospect of a privacy law that can lead to fines in the hundreds of millions.
But the CCPA (CPRA) is clearly designed to encourage businesses to take reasonable steps towards compliance, and there is every indication that the California Attorney-General will act reasonably where businesses approach compliance in good faith.
Working toward CCPA (CPRA) compliance at the earliest opportunity reduces the risk of being accused of violating the law in the first place.
If you do unintentionally violate the CCPA (CPRA), it will be far easier to cure the violation within a 30-day notice period, or whatever cure opportunity the enforcer offers, from a position of preparedness.
Some key steps you can take towards CCPA (CPRA) compliance include:
- Conduct a personal information audit. You must understand how personal information flows to and from your business. This helps ensure you are not inadvertently disclosing, "selling," or "sharing" consumers' personal information.
- Provide appropriate consumer notices. The CCPA (CPRA) requires businesses to tell consumers what personal information they collect and how consumers can opt out of the sale or sharing of their personal information.
- Ensure you can honor CCPA (CPRA) consumer rights. Consumers have a set of rights over their personal information under the CCPA (CPRA). You must set up designated methods through which consumers can submit requests, and be ready to respond within 45 days.
Summary
Here's what we know so far about CCPA (CPRA) penalties:
- Since July 1, 2020, the California Attorney-General can pursue civil penalties from any person that violates any section of the CCPA (CPRA)
- The maximum amount is $7,500 per intentional violation or $2,500 per unintentional violation
- A violation occurs each time an individual Californian consumer's rights are violated by a business
- Under the original CCPA, a business had 30 days' notice in which to cure its violation before the Attorney-General took action; the CPRA removed that mandatory cure period as of January 1, 2023, so any cure opportunity is now at the enforcer's discretion
- A proactive approach to CCPA (CPRA) compliance can help a business to avoid penalties