When it comes to the California Consumer Privacy Act (CCPA), one of the top concerns for businesses is enforcement. They want to know what enforcement looks like and, more importantly, how much a violation costs. These questions have taken on even more importance since the start of 2023, as the California Privacy Rights Act has significantly transformed the CCPA enforcement landscape.
Before, all enforcement was carried out by the California Attorney General's Office, as just one of its many law enforcement duties. Now, that responsibility falls primarily to the California Privacy Protection Agency (CPPA), which is dedicated exclusively to CCPA-related matters. While the Attorney General's Office has not been idle (Sephora, for example, was fined $1.2 million in 2022), enforcement is widely expected to take a big jump under the CPPA.
Another fundamental change to the enforcement scheme is the expiration of the mandatory 30-day cure period. The state was formerly required to give any business 30 days to cure any alleged violation of the CCPA; if the problem was fixed within that time frame, no further action was taken. Now, the CPPA has the discretion to either allow a cure period or proceed directly to enforcement proceedings. Businesses can no longer rely on having 30 days to avoid penalties, especially if they have not made any good-faith effort to get compliant up to that point.
All that being said, what happens when a business violates the CCPA?
If a business fails to cure its alleged violations, it will be subject to both an injunction and civil penalties. An injunction means that the business will be required by court order to stop engaging in certain practices. The CCPA does not explain what the injunction would require, but it could require the business to cease its operations (or at least stop its collection and processing of consumers’ personal information) until it becomes CCPA-compliant.
The AG’s Office could assess a maximum penalty of $2,500 per violation, or $7,500 per intentional violation. An intentional violation is one that the business or service provider is aware of. An intentional violation could be found where the business has engaged in repeated violations even after the assessment of penalties, or after being made aware of its violations by consumers or other businesses or service providers. If a business does not cure its violations and it has routinely (perhaps for dozens or even hundreds of consumers) failed to follow CCPA guidelines, the business could face hundreds of thousands of dollars in penalties.
Importantly, while the CCPA creates a private right of action, that right does not extend to violations of the rights and obligations set forth in the CCPA itself. In other words, a consumer cannot sue a business or service provider under the CCPA for violations of the consumer’s right to request a deletion of personal information or right to non-discrimination.
Crossing your fingers and hoping to escape notice is not a great strategy for CCPA compliance. All it takes is one irate customer filing an online complaint with the CPPA to upend your operations. The better choice by far is to simply get your business compliant and eliminate the worry.
TrueVault US simplifies privacy compliance across multiple state laws, so that businesses can handle it on their own. With an interface that is familiar to anyone who has done their own taxes online, TrueVault guides you through every step of the process, from onboarding vendors to handling privacy requests.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.