CCPA non-compliance: What are the penalties?
Violating the CCPA's requirements is surprisingly easy. Learn what the violations and breaches are, and what the penalties and legal actions might be.
The California Consumer Privacy Act (CCPA) has now come into law. It’s one of the most significant data-protection requirements introduced in recent years.
Many US businesses sell to the California consumers to which the CCPA provides rights, and so will need to take action even if they’re based elsewhere. Even business outside the US will need to observe the new law.
There are already penalties for data protection breaches under California law. But the CCPA has an additional civil penalty system for violations, plus a potential for action by consumers.
“I get asked a lot for advice about CCPA violations,” says Joshua Carlson (pictured), an attorney who specializes in GDPR and CCPA data protection litigation and risk analysis, working out of Minneapolis, MN. “I tell people not to worry or be fearful. First, if you are not 100% compliant right now, you are not alone. You are probably in the majority. The goal should be to make progress towards a mature compliance posture. This is a journey, not a destination.”
If you haven’t already, see Sage Advice’s earlier quick start guide to the CCPA for an overview of the CCPA’s requirements.
What’s considered a violation of the CCPA?
The CCPA should be considered at every stage of the customer journey with your business. This might include before a prospect even becomes a customer if you gather personal information about them. It will continue to apply for years after if you hold or sell data about that customer.
This presents significant challenges but Carlson has some advice: “‘Don’t wish it were easier. Wish you were better.’ That’s a quote from Jim Rohn that sometimes applies to my clients. Instead of delaying or wasting time, skill-up and take care of the main requirements for the CCPA. Then move on with the business.”
Below are some examples where businesses might violate the CCPA. This is not an exhaustive list and there are others not listed here.
When we refer to a consumer throughout this article, we’re referring specifically to California consumers as defined by the CCPA.
Not informing consumers of their rights
You violate the CCPA if you or any of your employees responsible for handling consumer requests don’t understand the CCPA’s provisions and can’t direct consumers how to make inquiries. This includes feigning ignorance and a genuine lack of knowledge.
“Remember that the major themes of the CCPA are consumer rights,” says Carlson. “The CCPA is about handling California consumers’ data ethically and lawfully. Make sure you and your staff understand that the definition of personal data is super, super-broad.”
The wording of the act implies that businesses should be proactive in their explanation. For example, let’s say a consumer calls the tollfree helpline. She says she’s heard of “this new California privacy law” but knows nothing more. You or your staff should be able to explain what it is and the rights provided to the consumer.
Not enabling disclosure requests
A business violates the CCPA if it fails to provide a toll-free telephone number and a website address for consumers to make disclosure requests. This is considered the minimum when it comes to ways for letting consumers contact you for CCPA requests.
However, if your business doesn’t have a website, then you don’t need to create one just for the CCPA. Alternatively, if your business exists exclusively online, then you can provide nothing more than an email address for requests.
“A company, law firm, or the Attorney General—anyone—could run a web scan of websites known to work with California consumers,” adds Carlson. “They’ll be specifically looking for the language the CCPA requires. If they don’t see that, they might start an inquiry of noncompliance.”
Discriminating against consumers
A business shall not discriminate against consumers who exercise their rights under the CCPA. This could include refusing their business. It could include charging different prices or providing a different level of service or goods. Nor should you suggest to a consumer that any of these things could occur should they exercise their CCPA rights.
Charging consumers
A business may not charge a fee to consumers who exercise their rights under the CCPA. But there are a couple of caveats intended to protect against malicious consumer requests. The first is that if requests are “manifestly unfounded or excessive, in particular because of their repetitive character,” (to quote the legislation) then you can charge a “reasonable fee.”
But you must be able to demonstrate the request fulfills those criteria—and this could involve demonstrating this as part of legal action should the California Attorney General take action. Secondly, businesses are not obligated to provide personal information to the same consumer more than twice within a 12-month period. There are also some caveats around requests to delete data. See the heading “Does my business have to delete personal information for the CCPA?” in our CCPA quick start guide.
Not providing consumer information in the correct way
It is a violation of the CCPA if you provide the personal information requested by a consumer in a way that isn’t in a “portable and, to the extent technically feasible, in a readily useable format.” This applies only to the electronic transfer of the information (e.g., via email). Sending the requested personal information by mail is free of this requirement.
Not updating privacy policies/websites
A business must disclose in its privacy policies (or any other description of California-specific consumer rights) the information required by the CCPA, and then update it every 12 months.
“You must have a Privacy Incident Procedure document, or whatever you want to call it,” says Carlson. “There must be a documented procedure to follow. A government audit or a client/vendor audit will require attestation that such documentation is in place. As the saying goes, if it is not documented, it does not exist.”
If you start to collect additional categories of personal information, then you have to update the policies immediately. If you sell personal information, then you will need to update your website, including a conspicuous link called “Do Not Sell My Personal Information” by which consumers may opt out.
Not responding with 45 days
It is a violation of the CCPA if you don’t respond to a consumer request within 45 days. However, you can request an additional 45 days when “reasonably necessary.” While this effectively provides 90 days in total, you need to let the consumer know about this extension within the first 45 day period.
Not responding to a consumer request
Okay, so this one is perhaps an obvious violation of the CCPA. But there is a caveat. Businesses can refuse to respond to a consumer request if the requests are “manifestly unfounded or excessive,” as with the rules for charging consumers above. Again, you must be able to demonstrate the request fulfills those criteria. As above, you can legally refuse a third request made in the space of a 12-month period.
What happens following a CCPA violation?
Some have painted enforcement of the CCPA as a Wild West battle between businesses and the people—or the office of the California Attorney General, which enforces the CCPA on behalf of the California people.
The reality is perhaps less demanding.
Should a consumer wish to file a private right of action (“PRA”) against a business in violation of the CCPA, they must provide the business 30 days’ notice in writing of the violation. The business then has 30 days to put things right—to show that the “violations have been cured and that no further violations will occur,” according to the language of the CCPA. They must then communicate this in writing to the consumer (called a “written statement” in the CCPA).
If the business fails to cure the violation within 30 days, then the consumer may file the right of action and then must provide the Attorney General with written notice within 30 days of filing. The Attorney General then has 30 days to notify the consumer that (a) it plans to take action, (b) the consumer may proceed with its action, or (c) the consumer may not take action. If the Attorney General chooses option (a) and doesn’t take action within six months, then the consumer may proceed with their own action.
“This timeline is supercritical,” says Carlson. “This is why procedures and policy need to be in place, even if it is a one- or two-pager of how the process needs to work. This could prevent a lawsuit.”
Consumers may take a PRA to “enforce the written statement,” (in the words of the CCPA) and also pursue statutory damages. However, the provisions within the CCPA for this relate only to “unauthorized access and exfiltration, theft, or disclosure” as a result of businesses failing to implement “reasonable security procedures and practices.” In other words, action by consumers may be limited—but it’s only when PRAs are initiated that we will see a fuller picture.
“I think there are law firms waiting for the first big breach,” says Carlson. “They will leverage the CCPA for the basis of their consumer litigation. The first few cases will be the bellwethers to see if the CCPA will actually hit companies hard enough in their pocketbooks to make a serious impact. As always, it will be very interesting to see how the attorneys plan to show actual damages (psychological, stress, financial, etc) for breaches under the CCPA, which will really determine future states.”
What legal action will follow a CCPA violation?
Let’s say you’re informed of a CCPA violation, and you don’t or perhaps can’t put things right within the prescribed 30 days.
The Attorney General might take civil action, including imposing an injunction and a civil penalty of $2,500 for each violation. If the violation is considered to be intentional then that might rise to $7,500 for each violation.
If you’re approached by the Attorney General then the best plan is to “acknowledge the missed deadline, if there are not reasonable arguments otherwise, and often there are,” advises Carlson. “Then pivot to what has happened, what has been fixed, and when the work will be completed, if not already completed. Assign a single contact person with the Attorney General, so they can manage the communications. The Attorney General wants to know you take this seriously. Errors and accidents happen. That is not the real issue. The real issue is what are you doing about the matter now that you know about it.”
These penalties from the Attorney General are widely understood to apply to each consumer. In other words, if 1,000 of your consumers are affected, then you could face a civil penalty of $7.5 million.
However, the Attorney General has discretion in the actual amount per-violation.
A PRA from a consumer could seek damages of between $100 and $750 per violation. Consumers can also claim injunctive or declaratory relief, or any other relief the court deems proper.
Again, this could add up to millions if many consumers are affected and decide to take action. The amount awarded via statutory damages could be influenced by the severity of the misconduct. This might include the number of violations, the length of time the violation occurred over, and even the “willfulness of the defendant’s misconduct.”
“Intentional violations will by far gain the attention and scrutiny of the Attorney General and private attorneys,” says Carlson. “What this means is, you have not done anything to get prepared. You have no documentation, policies, procedures and simply do not have a plan to comply with the law. Personally, I think of working with California consumers without any CCPA planning as being like knowingly driving without a valid license, or knowingly selling products without permits.”
Conclusion
Businesses should be implementing the CCPA if they aren’t already. But if this article demonstrates one thing only, it’s that companies need to seriously consider the measures they’ll take should a violation of the CCPA be reported to them. With any luck, this will remain just a contingency plan—but it’s a plan that must exist, and staff within the business must be ready to act upon it.
The failure to do so could result in virtually unlimited penalties from the Attorney General, or damages following legal action by consumers. Make no mistake. A CCPA violation could be so costly that it could put the future of your business in jeopardy.
“The best medicine for being afraid of the CCPA is knowledge and taking action,” says Carlson. “If you skill-up and get up to speed with the CCPA and have some action plans in place, the fear goes away very quickly.”
Note: We would like to stress that there is no substitute for customers making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the California Consumer Privacy Act (CCPA) on their businesses. Consult your legal professional for information and advice concerning the CCPA and any issues you may have.
are non profit entities, such as churches exampt?