Chapter 2: CCPA Enforcement and Penalties

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and enforcement has been underway since July 1, 2020. Enforcement of the CCPA is primarily carried out by the newly created California Privacy Protection Agency (CPPA), which has the ability to impose administrative fines, but the California Office of the Attorney General (OAG) may bring a civil action on its own as well.

Government Enforcement

For normal violations, businesses face fines of up to $2,500 per violation. Because businesses regularly collect personal information from large numbers of consumers, these fines could easily add up to hundreds of thousands or even millions of dollars.

For intentional violations, businesses can be fined up to $7,500 per violation. What is an intentional CCPA violation? The statute does not define the term, but the most likely example is where a business repeatedly violates the privacy law even after previous enforcement actions or complaints from consumers.

Until 2022, enforcement authorities had to give businesses 30 days to cure any alleged CCPA violations, but that requirement has since expired. The CPPA or OAG may now, at its discretion, either allow the business to fix its violations or proceed directly to enforcement.

CCPA Private Right of Action

A critically important question for businesses is whether the CCPA creates a private right of action for consumers. That is, can consumers sue a business over violations of the CCPA? The answer is both no and yes.

Consumers cannot sue businesses for violations of the privacy rights created by the CCPA. For example, if a consumer opts out of the sale of their personal information but the business does not honor that request, the consumer cannot take the business to court over the violation. This is in contrast to the General Data Protection Regulation (GDPR) in the European Union. Under the CCPA, a consumer may file a complaint, but only the Attorney General has the authority to enforce privacy rights.

However, the CCPA does create a private right of action for consumers who have been affected by a data breach at a business. Consumers have this legal remedy when their nonencrypted and nonredacted personal information is subject to unauthorized access, theft, or disclosure as a result of the business’s failure to implement and maintain reasonable security procedures and practices.

Plaintiffs can recover statutory damages of $100 to $750 per incident, or actual damages, whichever is greater. This means that plaintiffs do not have to prove actual damages to prevail in court. The CCPA’s new private right of action is certain to lead to a new type of class-action lawsuit by consumers. In order to avoid liability, a business should:

  • Encrypt and redact consumers' personal information whenever possible
  • Implement and maintain reasonable data security procedures

Hidden Costs of CCPA Non-Compliance

Since the CCPA has gone into effect, many businesses have continued operating with the same data privacy practices as before. Some have adopted a wait-and-see approach to the California law; many others were simply unaware of its existence until they received a notice from one of their advertising partners or even the California Attorney General. Now executives and managers are asking themselves, “How will this affect my business?”

Businesses that are not in compliance with the CCPA can suffer hidden costs beyond civil penalties and class-action lawsuits, such as the effect on consumer goodwill. Even for those that are compliant, there are marketing implications associated with choosing one compliance strategy over another.

Negative Brand Reputation

Maintaining consumer goodwill is more important than ever. A few negative online comments or customer interactions can quickly spiral out of control and lead to a negative brand reputation. This can damage everything from earnings to employee morale. The CCPA is part of a growing trend in consumer expectations: that businesses should be more respectful and responsive regarding privacy concerns. Businesses that fail to live up to these expectations do so at their own peril.

If a business has not provided an opt-out link or is unprepared to respond to consumers’ privacy requests in a timely manner, this can easily lead to the perception that the business is acting intentionally to deny people their privacy rights. These consumers might also file a complaint with the state. On the bright side, the opposite is also true. When a business is forthcoming with its consumers by providing transparent privacy policies, easy opt-out requests, etc., it can help build trust and positive feelings toward the company.

CCPA Compliance and Marketing

There can be multiple paths to CCPA compliance, and the path your company chooses can have a major impact on its marketing capabilities. Consider these two examples, in which both companies are CCPA compliant.

Company A is an online retailer. It has posted all required privacy notices and responds to consumers’ privacy requests as appropriate. Some of its transfers of personal information qualify as sharing under the CCPA, so it has posted a “Do Not Share My Personal Information” link on its homepage to allow consumers to opt out.

Company B is also an online retailer with all the required privacy notices and infrastructure to respond to consumer requests. Like Company A, it would have been required to post a “Do Not Share” link on its homepage. Unlike Company A, it decided this link was not right for its brand, so instead Company B chose to stop all transactions that qualify as sharing personal information. Because of this, the “Do Not Share” link is no longer required.

In the example above, Company A can continue taking advantage of interest-based advertising, because it gives consumers the choice to opt out. If a consumer submits an opt-out request, Company A must stop any sharing of that particular person’s information, which includes using retargeting. In order to help businesses comply with their CCPA obligations, companies like Facebook and Google now offer advertising options that utilize a lower level of data sharing (called “limited data use” by Facebook, “restricted data processing” by Google) so they can be reclassified as service providers. These options switch off the companies’ retargeting features, but can be applied to specific consumers.

Company B is in a different situation. By electing not to have a “Do Not Share” link, Company B has essentially chosen to opt out all of its consumers. This means the only way to stay CCPA compliant is to switch off retargeting for everyone in California and potentially for all consumers in the United States. Given that retargeting has proven to be such an effective marketing tool, Company B can expect a drop of up to 70% in customer conversions.

Not all CCPA compliance strategies are the same. Businesses that are in the process of planning their compliance should carefully consider the implications of their different options.

Next: Becoming CCPA Compliant

The CCPA is here to stay, and the costs of non-compliance are rising steeply. With enforcement efforts ramping up, class-action lawsuits looming on the horizon, and consumer expectations changing, the best move for businesses is to start the process of becoming compliant without any further delay.

The next chapter, “Becoming CCPA Compliant,” gives businesses a sense of the effort involved in that process by outlining the major steps they must take.