CCPA Penalties: What We Know So Far

From July 1st, 2020, the California Attorney-General will begin enforcing the California Consumer Privacy Act (CCPA).

From this date, the Attorney-General can pursue a civil penalty from any person that fails to comply with the CCPA. These fines could easily add up to hundreds of millions of dollars in some cases and will apply to a violation of any section of the CCPA.

Businesses showing a proactive and reasonable approach to compliance may be able to escape a penalty, even where a CCOA violation has occurred.

Let's consider what we know so far about the CCPA's penalties, and how to avoid them.

Anyone Can Get a CCPA Penalty

The CCPA focuses on "businesses," meaning for-profit entities that operate in California and meet at least one of the following thresholds:

• Having annual revenues of $25 million or more
• Buying, selling, receiving, or sharing for commercial purposes the personal data of more than 50,000 consumers per year
• Deriving more than 50 percent of annual revenues from the sale of consumers' personal information

A careful reading of the CCPA's section on civil penalties suggests that not only businesses will be liable for a penalty under the CCPA at section 1798.155:

The CCPA's penalties can apply to businesses, service providers (companies that process personal information on behalf of a business pursuant to a written contract), and "other people."

Any CCPA Violation Can Lead to a Penalty

The civil penalty is one of two types of enforcement mechanisms in the CCPA, the other being a private right of action which allows consumers to pursue civil legal claims against businesses.

Unlike the CCPA's private right of action, which can only be triggered by a data breach, the California Attorney-General can pursue penalties from businesses that violate any part of the CCPA.

Examples of CCPA violations that could result in a civil penalty include:

• Failing to maintain a CCPA-compliant Privacy Policy
• Failing to respond to consumers' requests under the CCPA rights
• Failing to provide adequate notice when collecting personal information
• Selling consumers' personal information without providing an opt-out
• Discriminating against consumers who exercise their CCPA rights

Service providers may be liable for a CCPA penalty if they use, retain, or disclose personal information for purposes outside of their contract with a business.

Other than businesses and service providers, other people could possibly breach the CCPA's rules on the onward transfer of personal information. For example, if a third party unlawfully sells personal information it has received from a business.

Businesses Will Get 30 Days' Notice

The California Attorney-General can pursue a civil penalty from a business, service provider, or other person that has been notified of a CCPA violation and has failed to cure it within 30 days:

This notification is likely to come from the California Attorney-General, as this is the office responsible for pursuing penalties under this section.

However, it appears that notification of a CCPA violation under this section may come from a consumer. This may be true whether or not the consumer can take private action against the business (i.e. even if the violation does not amount to a data breach).

Under California's other major privacy law, the California Online Privacy Protection Act (CalOPPA), the Attorney-General has required businesses to submit "compliance plans" detailing how they will cure alleged violations within the 30-day notice period. We may expect to see similar enforcement action taking place under the CCPA.

If the business rectifies its violation within 30 days, it can avoid a civil penalty.

If the business fails to cure its violation within 30 days, the California Attorney-General will pursue a penalty from the business.

Penalties Can Be Extremely Costly

If a business is found to be liable for a civil penalty under the CCPA, the amount will be:

• Up to $7,500 per intentional violation
• Up to $2,500 per unintentional violation

Violations Can Stack Up

A "violation" occurs each time a consumers' rights are violated by a non-compliant business. As such, these penalties can add up to some phenomenal amounts.

We can learn from previous cases under CalOPPA when considering how the California Attorney-General might go about calculating CCPA penalties.

In 2012, the Attorney-General gave notice to Delta Airlines that it had allegedly violated CalOPPA by failing to make a Privacy Policy accessible via its mobile applications.

The Attorney-General's case failed, but it gives an indication of how "violations" are counted. A "violation" of CalOPPA had occurred each time Delta's app had been downloaded by a consumer.

So, for example, if Delta's app had been downloaded by 100,000 consumers (a very conservative estimate), and if the Attorney-General had pursued the highest penalty available under CalOPPA ($2,500 per violation), the penalty could have totaled $250 million.

So, a penalty in the hundreds of millions was possible even under CalOPPA. And note that the CCPA's maximum fine is much larger than CalOPPA's, at $7,500.

We can imagine how, like with CalOPPA, CCPA violations could quickly stack up.

For example, businesses that regularly transfer personal information to third parties without valid notice, for example using third-party cookies, could be committing thousands of violations per day.

One Consumer Per Violation

In California law, one "violation" occurs per consumer, and so multiple instances of the same violation against the same consumer will only count as one violation.

Therefore, whether a consumer downloads a non-compliant app once or five times, only one violation has occurred.

But consider how many unique hits your website gets originating in California. If your website doesn't display a valid Privacy Policy, each of these unique hits could constitute a CCPA violation.

Penalties Can Be Adjusted

Cases such as People vs. First Federal Credit show that the California Attorney-General has the discretion to pursue smaller penalties from smaller businesses that would not have the resources to pay the full $2,500 or $7,500 penalties available to it.

The Attorney-General is also likely to impose smaller fines on businesses that are cooperative and approach CCPA compliance in good faith.

Penalties are Avoidable with Proper Compliance

Understandably, many businesses are nervous at the prospect of a privacy law that can lead to fines in the hundreds of millions.

But the CCPA is clearly designed to encourage businesses to take reasonable steps towards compliance, and there is every indication that the California Attorney-General will act reasonably where businesses approach compliance in good faith.

Working toward CCPA compliance at the earliest possible opportunity will help ensure you are not subject to allegations of having violated the law.

If you do unintentionally violate the CCPA, it will be far easier to cure your violation within the 30-day notice period from a position of preparedness.

Some key steps you can take towards CCPA compliance include:

• Review your Privacy Policy. You must ensure your Privacy Policy meets the CCPA's requirements. The CCPA requires that you update your Privacy Policy every 12 months to show how you have collected, used, and shared consumers' personal information over the past year.
• Conduct a personal information audit. You must understand how personal information flows to and from your business. This will help ensure you are not inadvertently disclosing or "selling" consumers' personal information.
• Provide appropriate consumer notices. The CCPA requires businesses to provide notice to consumers about what personal information they collect, and how consumers can opt out of the sale of their personal information.
• Ensure you can carry out CCPA consumer rights. Under the CCPA, consumers have a new set of rights over their personal information. You must set up designated methods by which consumers can make such a request, and be ready to respond within 45 days.

Summary

Here's what we know so far about CCPA penalties:

• From July 1st, 2020, the California Attorney-General can pursue CCPA civil penalties from any person that violates any section of the CCPA
• The maximum amount is $7,500 per intentional violation or $2,500 per unintentional violation
• A violation occurs each time an individual Californian consumer's rights are violated by a business
• A business will have 30 days' notice in which to cure its violation before the Attorney General takes action
• A proactive approach to CCPA compliance can help a business to avoid penalties