How Much Do CCPA Violations Cost?

TrueVault

A violation occurs when the California Attorney General’s Office (AG Office) finds that a business or service provider has not complied with its obligations under the CCPA.

For businesses and service providers attempting, in good faith, to adhere to the CCPA’s requirements, a violation should not cost anything beyond the cost of compliance. That is because the law grants businesses and service providers a 30-day cure period in which to correct any violations. If the business or service provider cures the violation(s) within 30 days after receiving notice of noncompliance, the AG’s Office will not pursue a civil action against the business or service provider, and it will not impose any penalties.

The reason we highlight a business or service provider’s good faith attempt to comply is that if a business or service provider has made no effort to understand and comply with its obligations under the CCPA until it receives notice of noncompliance, it will most certainly have a difficult (if not impossible) time becoming fully compliant with the law in a 30-day time frame. Once a business or service provider has received notice of noncompliance, the AG’s Office will carefully scrutinize their practices, and that is not an ideal circumstance for understanding and implementing CCPA compliance practices and protocols for the first time.

So what happens when a CCPA is not cured? A number of things may occur.

Injunctions

If a business fails to cure its alleged violations, it will be subject to both an injunction and civil penalties. An injunction means that the business will be required by court order to stop engaging in certain practices. The CCPA does not explain what the injunction would require, but it could require the business to cease its operations (or at least stop its collection and processing of consumers’ personal information) until it becomes CCPA-compliant.

Civil Penalties

The AG’s Office could assess a maximum penalty of $2,500 per violation, or $7,500 per intentional violation. An intentional violation is one that the business or service provider is aware of. An intentional violation could be found where the business has engaged in repeated violations even after the assessment of penalties, or after being made aware of its violations from consumers or other businesses or service providers. If a business does not cure its violations and it has routinely – perhaps for dozens or even hundreds of consumers - failed to follow CCPA guidelines, the business could face hundreds of thousands of dollars in penalties.

Private Right of Action

Importantly, while the CCPA creates a private right of action, that right does not extend to violations of the rights and obligations set forth in the CCPA itself. In other words, a consumer cannot sue a business or service provider under the CCPA for violations of the consumer’s right to request a deletion of personal information or right to non-discrimination.

Schedule Call