Whether you're already subject to the CCPA regulations or expect to be in the future, it's crucial to know what the main compliance requirements are, since the consequences for non-compliance can be severe. What are the main things for which you could be fined under the Californian privacy law and what are the legal consequences for non-compliance? You’ll find everything you need to know in this article.

What’s considered a violation of the CCPA?

The California Consumer Privacy Act (CCPA) is focused on giving California residents more control over their personal information and on limiting how businesses may collect and use it. The most important part of the law is that it gives consumers several new privacy rights:

  • The right to know what personal information a business collects about them and how it is used
  • The right to delete personal information the business holds about them
  • The right to opt out of the sale of their personal information
  • The right to non-discrimination for exercising these rights
  • The right to sue a business over certain data breaches caused by a failure to maintain reasonable security

For businesses, meanwhile, the law means changing how they collect and use personal information and, most importantly, how they inform consumers about their rights. That can be a real challenge.

To better understand what you should pay attention to, let's look at some of the most common CCPA violation cases. 

1. No information about collecting consumer data or selling it for commercial purposes

One of the central rights California residents gain under the law is the “right to know”: the right to know who is collecting their personal information, what categories are collected, why, and how it is used. This information must be given in a “notice at collection”, provided at or before the point where the data is collected, whether that is on your website, in a retail store, or in your mobile app, and it must also appear in your privacy policy. If consumers cannot find this information themselves or learn from your employees how the company uses their data, that violates the law.

If you sell or share your consumers’ personal information with third parties, the notice at collection must clearly state this as well, and you must place a “Do Not Sell My Personal Information” link in a visible spot on your homepage through which consumers can opt out of the sale of their data.

2. Not giving consumers a way to make disclosure requests

Under the CCPA, consumers also have the right to contact you at any time to ask what personal information you collect about them and to request a copy of the specific pieces of information you hold. For that, you have to offer at least two methods for submitting a request to know, one of which must be a toll-free telephone number. (A business that operates exclusively online and has a direct relationship with its consumers is only required to provide an email address for requests.)

If consumers cannot submit their requests because they cannot find any information on how to contact you, or because the published method does not work (for example, the “Do Not Sell” link is broken or the toll-free number is never answered), this is a violation of the CCPA as well.

Keep in mind that making it confusing or complicated for consumers to contact you is treated the same way. You may take reasonable steps to verify the identity of the person making the request, but you cannot require consumers to create an account before they can submit a request to know, and you cannot make the “Do Not Sell” link hard to find or use.

3. Charging consumers for disclosure requests (with exceptions)

While we are on the topic of disclosure requests: charging consumers for processing their requests or for providing a copy of their personal information is not allowed either. If you ask consumers to pay a processing fee before you give them access to their personal information or send them a copy, they can file a complaint with the California Attorney General for a violation of their rights.

The CCPA does, however, make an exception. A business is only required to provide a consumer with a copy of their personal information twice in any 12-month period. If a consumer’s requests become manifestly unfounded or excessive (for example, because they are repetitive), the business may either charge a reasonable fee that covers its administrative costs or refuse to act on the request. In that case the business must notify the consumer and explain why the request was denied, and the burden of showing that the request was unfounded or excessive rests with the business.

4. Discriminating against consumers for using their CCPA rights

To reassure consumers that they will be treated equally regardless of whether they use their CCPA rights, the law also contains a special rule forbidding businesses from discriminating against them. For example, suppose a customer of an online service notices that they now pay more for the service than before, or that they receive a lower quality of service. They can file a complaint for discrimination if they can show that the change is tied to their exercise of a CCPA right. (The law does allow a business to offer a financial incentive, such as a discount in exchange for collecting personal information, provided the difference is reasonably related to the value of the consumer’s data and the consumer opts in after being given notice of the terms.)

In addition, suggesting to consumers that they might be treated worse after exercising their CCPA rights (for example, after using the “Do Not Sell” link) can also be treated as a violation.

5. Not updating privacy policies and websites

Having a privacy policy and a notice at collection with all the information the CCPA requires is one thing. However, the regulations also state that you must update the privacy policy at least once every 12 months, and whenever your actual practices change. So, for example, if you start collecting additional categories of personal information beyond those you already gather, or plan to start selling consumer information, you have to update the notice and the policy before you do so.

If there are no changes to add, then at a minimum you should review your data processing practices against the privacy policy on that 12-month cycle and record the date of the review, since the policy is required to state when it was last updated.

6. Not responding to consumer requests within 45 days (15 business days for opt-out requests)

As a business, you have 45 days to respond to most consumer requests, counted from the day you receive the request. If the consumer has not received a substantive reply by then, that violates the CCPA. You can extend the period by another 45 days (90 days in total) when reasonably necessary, but only if you notify the consumer within the first 45 days and explain the reason for the delay. Note that the regulations also require you to confirm receipt of a request to know or delete within 10 business days, so an acknowledgement should go out long before the substantive response.

Remember that the period for acting on opt-out requests is much shorter, 15 business days, and it cannot be extended, so those requests should be treated as a priority.

7. Not maintaining “reasonable security procedures” in your company

Under the CCPA you can also be held liable after a data breach if the breach resulted from your company’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. The private right of action covers unauthorized access and exfiltration, theft, or disclosure of nonencrypted and nonredacted personal information. This is the violation you should be most keen to avoid, because on top of civil penalties from the Attorney General you may have to pay statutory damages or actual damages (whichever is greater) to consumers who bring a civil action against you.

Moreover, a serious data breach can cause severe reputational damage that affects your revenue for years. A data loss prevention (DLP) application is one of the controls that can help protect your company’s internal data and your consumers’ personal information. It can be used to discover and map sensitive information across your environment, restrict access to critical files, and monitor and block unauthorized access to files stored or shared on your network. It works alongside, not instead of, the basics a regulator will expect to see, such as encryption of personal information at rest and in transit, access control, patching, and logging.

By doing so, you will be able to proactively identify threats to your data that could lead to a breach and respond to them before a breach occurs, saving you a lot of headaches later. If a breach has already happened, a DLP can also help you trace where it originated and what led to it, and you can use that information to update your security and privacy policies.

For example, if you use Safetica to manage and secure your company data, you can control how sensitive data (such as your consumers’ personal information) is accessed and used in your network. The solution will also alert you when there is a risk of a data breach or a regulatory violation so you can fix the issue before it causes any damage.

What happens after you violate a consumer right?

As you can see, it is best to be careful with the CCPA, as it is easy to fall out of compliance. For example, forgetting to tell a consumer that you need more time to handle their request before the 45-day limit passes is enough to make you non-compliant.

That does not mean, though, that a consumer can sue you whenever such a thing happens or that the company is automatically fined. Under the CCPA as originally enacted, only the California Attorney General has the power to investigate violations and take enforcement action, such as sending notices of violation and imposing civil penalties on non-compliant companies. (Since the CPRA amendments took effect, the California Privacy Protection Agency shares that enforcement role.) Consumers, meanwhile, can take legal action themselves only if they were directly affected by a data breach of the kind described in point 7.

Let’s say that one of your consumers thinks that you have violated the CCPA by not responding to their request within the 45-day deadline. They can write a consumer complaint letter to the California Attorney General’s office, describing the situation, which rule they think your company has violated, and when the violation happened.

If the Attorney General’s office, after reviewing the case, agrees that your business has violated the law, it will send you a notice of the alleged violation. Under the original CCPA your business then had a 30-day cure period to respond and demonstrate that you had fixed every issue mentioned in the notice. If you cleared all of them in that time and reported back to the Attorney General’s office, that was usually the end of the case. Note that the CPRA amendments removed this mandatory cure period from 1 January 2023: the regulator may still allow time to cure, but it is no longer required to.

What will happen if you don’t respond to the notice though or fail to clear the issues in the given period? Then the situation gets more serious. 

What are the financial consequences of a CCPA violation?

Let’s say that you got a notice from the Attorney General that your company’s main website does not meet the CCPA requirements and that you have 30 days to update it, but you were unable to fix the problems in time.

That is when the Attorney General may impose a civil penalty on your business: $2,500 for each unintentional violation of the law and $7,500 for each intentional violation. These amounts might seem modest, but note that each violation is counted separately, and the Attorney General may treat each affected consumer as a separate violation. What is more, there is no upper cap on the total amount of CCPA penalties, so the sum can add up quickly.

Suppose 10,000 consumers were affected by a single failure. If the Attorney General counts each affected consumer as a separate violation, even an unintentional violation would come to $25 million in penalties.

What is more, in the case of a data breach, consumers can file a private lawsuit against you and claim statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater). Again, this can add up to millions in additional liability if many of your consumers were affected by the breach and decide to take action against you, and the statute expressly allows such claims to be brought as class actions.


CCPA violation real-life case: Sephora

The $1.2 million penalty imposed on Sephora is a good example of the consequences of failing to comply with the CCPA.

On 24 August 2022, California Attorney General Rob Bonta announced a settlement with Sephora. The retailer agreed to pay the penalty and to revise its privacy practices to meet the CCPA requirements.

During the investigation, the California Attorney General found that Sephora:

  • Had not informed consumers that it was selling their personal information to third parties (including the consumer’s location, the device used, and the products browsed and added to the cart)
  • Provided no “Do Not Sell My Personal Information” link to let consumers opt out of the sale of their personal information, and did not honor opt-out signals sent via the Global Privacy Control
  • Failed to cure the violations within 30 days of receiving the notice of violation

The settlement requires Sephora to pay $1.2 million in penalties and to:

  • State clearly in its online disclosures and privacy policy that it sells personal information to third parties
  • Provide mechanisms for consumers to opt out of the sale of their personal information, including via the Global Privacy Control
  • Update its service provider agreements to match the CCPA’s requirements
  • Report to the Attorney General on its implementation of the above changes

Besides Sephora, the Attorney General also sent notices of violation to several other companies and online retailers as part of an “enforcement sweep”, and most of them met the compliance requirements within the 30-day statutory cure period. As of 24 August 2022, the Office of the Attorney General (OAG) had also added 13 new examples of non-compliance cases, along with the companies’ responses, to the official OAG website.

Conclusion

At first glance, the penalties for violating California’s privacy law might seem far more lenient than the fines under its European counterpart, the GDPR, but that impression is misleading. The GDPR caps fines at a fixed amount or a percentage of annual turnover, whereas the CCPA sets no upper limit on the total penalty the Attorney General may seek, so for a violation affecting many consumers the consequences can actually be far more severe.

So if you already fall under the CCPA, it is best to regularly check whether your company remains compliant, to avoid problems down the road. A platform like Safetica that keeps an eye on whether you meet the compliance requirements and alerts you when there is a risk of a violation can help you avoid legal trouble (and hefty fines), now and in the future.


Author
Kristýna Svobodová
Content Strategist @Safetica
