What Happens If I Violate the CCPA?
Find out what happens when you violate the CCPA, after learning what it is in the first place, of course. The more you learn, the better you can protect your website, and your business, from liability.
What is the CCPA?
If your business collects the personal information of California residents, a recent law called the California Consumer Privacy Act (CCPA) may affect how you collect and store the personal data of those customers. The bill (AB 375) passed the California legislature and was signed into law by Governor Jerry Brown on June 28, 2018; it is codified in the California Civil Code. The California Consumer Privacy Act of 2018 may be the toughest privacy law in the United States. Its purpose is to give California consumers control over the personal information that businesses collect about them. The legislation follows the approach of the General Data Protection Regulation (GDPR), Europe's data privacy and security law.
FURTHER READING: Who Must Be CCPA Compliant? Does It Apply to Me?
CCPA compliance is a pressing issue for many businesses because failing to adhere to the new law can result in fines and penalties. The window for compliance is narrowing: the act takes effect on January 1, 2020. It is important to note that a business does not need to be located in California for the law to apply. Any business that collects the personal information of California residents should determine whether the law applies to it and whether its website, practices, and procedures are CCPA compliant. Lack of compliance exposes a business not only to CCPA penalties but also to possible litigation. So what happens if you violate the CCPA?
Learn more about California Consumer Privacy Act (CCPA) exemptions.
First, it is important to establish who the law applies to. The CCPA applies to a for-profit legal entity (one organized or operated for the profit or financial benefit of its owners) that does business in California, collects consumers' personal information, and meets one or more of the following thresholds:
- Has annual gross revenues above $25 million
- Annually buys, receives, sells, or shares (for commercial purposes) the personal information of 50,000 or more consumers, households, or devices
- Derives 50 percent or more of its annual revenues from selling consumers' personal information
(Source: California Consumer Privacy Act (CCPA))
What are the requirements for businesses under the CCPA legislation?
The following are requirements for businesses under the CCPA legislation:
- Businesses must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to consumer requests to know, to delete, and to opt out of the sale of personal information. A business that sells personal information must also provide a clear and conspicuous "Do Not Sell My Personal Information" link on its website homepage (and in its mobile app) through which consumers can submit opt-out requests.
- Businesses must respond to requests to know, delete, and opt out within specific timelines. Requests to know and to delete must be answered within 45 days of receipt; that period may be extended once by a further 45 days when reasonably necessary, provided the consumer is notified of the extension.
- Businesses must verify the identity of consumers who make requests to know or to delete. Verification is required whether or not the consumer holds a password-protected account, although a business may rely on its existing authentication practices for account holders.
- Businesses must disclose any financial incentive offered in exchange for the retention or sale of a consumer's personal information, explain how they calculate the value of that information, and explain how the incentive is permitted under the CCPA.
- Records of consumer requests and how the business responded to them must be kept for at least 24 months to demonstrate compliance.
- Under the CCPA, the personal information of consumers under age 16 may not be sold without affirmative (opt-in) consent: consumers aged 13 to 15 must opt in themselves, and for children under 13 a parent or guardian must authorize the sale.
- Covered businesses may not discriminate against consumers for exercising their rights, for example by charging different prices or providing a different level or quality of goods or services because the consumer did so.
FURTHER READING: How To Prepare to be CCPA Compliant
Approximately three months after the CCPA passed, the act was amended by Senate Bill 1121. Among other changes:
- The private right of action for consumers extends only to certain data breaches (Section 1798.150) and not to violations of any other section of the act; those are left to the Attorney General.
- The CCPA preempts conflicting local (city and county) laws. SB 1121 was enacted as an urgency statute so that this preemption took effect immediately rather than on January 1, 2020.
- Enforcement by the California Attorney General begins six months after the final regulations are published or on July 1, 2020, whichever is sooner.
What are the penalties for violating the CCPA?
Finally, the penalties for violating the CCPA can add up quickly.
A business that suffers a breach of nonencrypted and nonredacted personal information because it failed to implement reasonable security procedures can be sued by affected consumers for statutory damages of $100 to $750 per California resident per incident, or actual damages, whichever is greater. Separately, the Attorney General can seek civil penalties of up to $2,500 for each violation and up to $7,500 for each intentional violation. Because penalties are assessed per violation and per consumer, fines can easily reach into the millions for a business with a large California customer database.
Both private litigants (for breaches) and the Attorney General of the State of California (for other violations) can enforce the CCPA. The legislation does give covered businesses an opportunity to become compliant, however. Before a consumer can bring an action for statutory damages of $100 to $750 per incident, the consumer must give the business 30 days' written notice identifying the violation; if the business cures the violation within that period and confirms in writing that it has done so and that no further violations will occur, the action for statutory damages cannot proceed. This cure period does not apply to claims for actual pecuniary damages.
If your business retains the personal data of California residents and falls under the umbrella of the CCPA, now is the time to review your data collection practices and policies and confirm that your website is CCPA compliant. Addressing your data collection procedures and making the required changes to your website is essential to avoiding potentially costly fines and litigation.
If you need a hand bringing your website into CCPA compliance, contact one of our experts—we are here to help.