What Happens If I Violate the CCPA?
What is the CCPA?
If you accept the personal information of California residents in your business, a recent law called the California Consumer Privacy Act (CCPA) may affect how you collect and store the personal data of these customers. The bill was passed by the California legislature and signed into law by Governor Jerry Brown on June 28, 2018, and is codified in the California Civil Code. The California Consumer Privacy Act of 2018 may be the toughest privacy law in the United States. Its purpose is to protect the private information of California consumers from businesses that collect that data. The legislation is in line with the General Data Protection Regulation (GDPR), Europe’s new data privacy and security law.
FURTHER READING: Who Must Be CCPA Compliant? Does It Apply to Me?
CCPA compliance is a pressing issue for many businesses because failing to adhere to the new law will subject them to fines and penalties. The window for compliance with the CCPA is narrowing as the enforcement of the act takes place on 1/1/2020. It is important to note that businesses do not need to reside in the state of California for the law to apply. For any business collecting personal information of California residents, it’s important to determine if the law applies to your business and if your website, practices, and procedures are CCPA compliant. Lack of compliance will subject your business not only to CCPA penalties, but also possible litigation. You may be wondering what happens if you violate the CCPA.
First, it’s important to distinguish who the law applies to. The CCPA applies to a legal entity organized or operated for the profit or financial benefit of its owners if one or more of the following are true:
- Has gross revenues in excess of $25 million
- Buys, receives, or sells the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of annual revenues from selling consumers’ personal information
What are the requirements for businesses under the CCPA legislation?
The following are requirements for businesses under the CCPA legislation:
- Businesses must provide notice to consumers at or before data collection.
- Businesses must create procedures to respond to requests from consumers to opt-out, know and delete. For these requests, businesses must provide a link on their website or mobile app indicating “Do not sell my info”.
- Businesses must respond to requests from consumers to know, delete and opt-out within specific timelines.
- Businesses must verify the identity of consumers who make requests to know and to delete, regardless of whether the consumer has a password-protected account.
- Businesses must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information, explain how they calculate their value and how the incentive is permitted under the CCPA.
- Records of the requests and how they are responded to must be maintained for 24 months to show compliance.
- Under the CCPA, personal information of minors under age 13 may only be sold with parental consent.
- Covered businesses under the act cannot discriminate against consumers for having exercised their rights, for example by charging them different prices or offering them lower-quality goods and services for having done so.
FURTHER READING: How To Prepare to be CCPA Compliant
Approximately 3 months after the CCPA passed, amendments to the bill were made via Senate Bill 1121:
- The private right of action for consumers extends only to data breaches, not to violations of any other section.
- CCPA takes precedence over local laws, but only after the 1/1/2020 date.
- Enforcement by the California Attorney General begins 6 months after the final regulations have been produced or July 1, 2020, whichever is sooner.
What are the penalties for violating the CCPA?
Finally, the penalties for violating the CCPA can add up quickly.
Companies whose customers’ personal data is breached can be required to pay damages of between $100 and $750 per California resident, per incident, or actual damages, whichever is greater. Intentional violations are fined up to $7,500 for each violation and unintentional violations are fined $2,500 for each. Fines could easily reach into the millions for businesses with a large California customer database.
Rights under the CCPA can be enforced both through private litigation and by the Attorney General of the State of California. The terms of the legislation do, however, give covered businesses an opportunity to become compliant. It is worth noting that consumers must give the non-compliant business 30 days to correct the violation and respond in writing before they can commence an action for damages of between $100 and $750 per incident.
If your business retains the personal data of California residents and your business falls under the umbrella of the CCPA, now is the time to address your data collection practices and policies and to confirm your website is CCPA compliant. Addressing your data collection procedures and implementing required changes to your website is of paramount importance in order to avoid potentially costly fines and litigation.
If you need a hand bringing your website into CCPA compliance, contact one of our experts—we are here to help.