What Are The Penalties for CCPA Non-Compliance?

Companies who don’t comply with the California Consumer Privacy Act (“CCPA”) put themselves at risk for significant financial penalties. The cost of compliance pales in comparison to the potential penalties, which are enforced by the California Attorney General’s office.

What is the CCPA?

The CCPA is a state statute that enhances privacy rights and consumer protections for residents of California. The CCPA applies to any company doing business in California, including any for-profit entity that collects consumers’ personal data and satisfies at least one of the following thresholds:

1. 1. Has annual gross revenues in excess of $25 million;
2. ‍Buys, receives, or sells the personal information of 50,000 or more consumers or households; 
   
   or
3. Earns more than half of its annual revenue from selling consumers’ personal information.
   
   
   Organizations subject to the CCPA are required to “implement and maintain reasonable security procedures and practices” in protecting consumer data.

The intentions of the CCPA are to provide California residents with the right to:

1. ‍Know what personal information is being collected about them;
2. ‍Know if and to whom their personal data is sold;
3. ‍Prevent the sale of personal data;
4. ‍Access their personal data;
5. ‍Request that a company delete their personal information for; and  
6. ‍Not be discriminated against for exercising their privacy rights.

What are the penalties for non-compliance with the CCPA?

The California Attorney General is responsible for enforcement of the CCPA. While enforcement of the CCPA cannot begin until July 1, 2020, any actions taken by companies from January 1 to July 1, 2020 in violation of the CCPA may be enforced after the July 1 date, so companies are best served by being in compliance now!

Civil penalties imposed by the Attorney General can range from $2,500 for an unintentional violation to $7,500 for an intentional violation per instance. A company may not be not liable for these penalties if it cures any noncompliance “within 30 days after being notified of alleged noncompliance” (although some types of noncompliance – or a data breach – may not be capable of “cure”).

A unique aspect of the CCPA is that it contains a private right of action that consumers can bring under certain circumstances if a business experiences a data breach. This means that if your company violates the CCPA, individual consumers can file a claim against your company for damages. Importantly, the exemptions in the CCPA for personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), employee/applicant personal information or personal information collected by business to business transactions and interactions do not exempt the covered business from the CCPA private right of action for data breaches.