Published on June 3, 2021 by the Privacy Research Team
The California Consumer Privacy Act (CCPA) was drafted to protect an individual's personal data. The Act was designed to make organizations responsible custodians of the data they hold, and an organization that fails to protect this data can face serious penalties and fines. This article covers the penalties and fines an organization may face.
The CCPA applies to for-profit organizations that operate in California and meet one of the following criteria:
Under the CCPA at section 1798.155, any business, service provider, or individual that violates the conditions of CCPA will be subject to fines and penalties.
Civil penalties are the mechanism by which organizations are held accountable for showing non-compliance with the CCPA.
The Office of the Attorney General of California has been exclusively authorized under the CCPA to bring forth civil actions to enforce the law. Some examples of violations that can make businesses liable to pay the civil penalties are:
On the other hand, consumers under the CCPA have also been empowered with a private right of action: the consumer's ability to take an organization to court and pursue civil legal claims against it for violating the law. However, it is important to note that under the CCPA, the private right of action available to consumers is limited to cases where their unencrypted or unredacted personal information is breached; it does not extend to any other violation of the law.
The CCPA mandates that businesses must receive a 30-day notice before a CCPA violation action is brought against them.
Businesses can take steps to resolve and rectify the violation within 30 days of receiving the notice. They can provide a statement to the California Attorney General or the aggrieved consumer which confirms the violation has been resolved to avoid the statutory civil penalty altogether.
However, curing a violation within that window is easier said than done. It may prove operationally difficult for businesses to correctly fulfill hundreds of pending DSRs within a strict 30-day period, and it may even be impossible in certain cases, such as when consumers' personal information has already been breached and used for identity theft fraud.
Given the rising frequency and severity of privacy scandals and data breaches, the CCPA has laid out strict penalties for businesses that fail to comply. The penalties are:
At face value, the aforementioned fines for violation may not seem considerable, especially for multi-billion dollar organizations such as Facebook and Google. However, when one considers the multiplying factor and the fact that there is no upper cap on penalties (unlike the GDPR), it becomes clear that CCPA violations should clearly be avoided.
The CCPA states that the maximum civil penalty is $2,500 for every unintentional violation and $7,500 for every intentional violation of the law. The CCPA therefore assesses a penalty per violation, which is a costly risk for businesses that must comply with the CCPA.
Let's consider the following example: If a company like Facebook is not adhering to CCPA requirements by not honoring consumer access or deletion requests, say of at least 100,000 individual requests made in total, and the AG determines the violations were intentional in nature, the civil penalties can potentially be up to $750 million.
In the case of a data breach leading consumers to exercise the private right of action, damages are even more exorbitant. Consumers may sue and receive $100-$750 in statutory damages or actual damages, whichever is greater, from the court (along with costs). Thus even a consumer who cannot prove any actual damage from the breach incident can receive a maximum of $750 in compensatory damages.
When we consider the multiplying factor of these damages due to the sheer volume of records that are breached in modern-day incidents, they add up to astounding figures. For example, in the Equifax breach in 2017, the records of over 15 million Californians were compromised. Had the CCPA been in force and California consumers sued Equifax, without having to prove any actual damages, consumers could have been awarded a potential $1.5 billion in damages.
Complying with the CCPA as quickly as possible will help ensure your organization stays clear of compliance violations, penalties, or reputational harm.
If the law has been violated unintentionally, your organization has 30 days to rectify its mistake, and it should do so from a position of preparedness.
Here are some key steps your organization can take to ensure CCPA compliance:
Organizations must understand how personal information flows into and out of their systems. This will help ensure you are not inadvertently disclosing or "selling" consumers' personal information. To do this, organizations need to conduct internal assessments of all their stored data.
Consumers have rights over their data under the CCPA. Organizations must ensure that these rights are honored and set up designated methods by which consumers can exercise them. This is where DSR fulfillment automation comes into play, as organizations have a 45-day deadline to fulfill a consumer's request.
In order to maintain compliance, organizations need to know where all their information is and link it back to its owner. This is where data mapping comes into play. Data mapping can help organizations map stored information to the owner, which can help them fulfill data subject requests, an integral part of compliance.
In order to stay in compliance with privacy regulations, organizations will need to manage their entire incident and data breach management lifecycle. With the help of automation, organizations can improve their incident response process by gathering incident details, identifying the scope, and optimizing notifications to comply with global privacy regulations.
The CCPA's penalties can be detrimental for organizations and may lead to monetary losses and erode customer trust. Don't wait until it's too late. Request a demo now and see how Securiti can help you meet CCPA compliance.