A violation occurs when the California Attorney General’s Office (AG Office) finds that a business or service provider has not complied with its obligations under the CCPA.
For businesses and service providers attempting, in good faith, to adhere to the CCPA’s requirements, a violation should not cost anything beyond the cost of compliance. That is because the law grants businesses and service providers a 30-day cure period in which to correct any violations. If the business or service provider cures the violation(s) within 30 days after receiving notice of noncompliance, the AG’s Office will not pursue a civil action against the business or service provider, and it will not impose any penalties.
The reason we highlight a business or service provider’s good faith attempt to comply is that if a business or service provider has made no effort to understand and comply with its obligations under the CCPA until it receives notice of noncompliance, it will most certainly have a difficult (if not impossible) time becoming fully compliant with the law in a 30-day time frame. Once a business or service provider has received notice of noncompliance, the AG’s Office will carefully scrutinize their practices, and that is not an ideal circumstance for understanding and implementing CCPA compliance practices and protocols for the first time.
If a business fails to cure its alleged violations, it will be subject to both an injunction and civil penalties. An injunction means that the business will be required by court order to stop engaging in certain practices. The CCPA does not explain what the injunction would require, but it could require the business to cease its operations (or at least stop its collection and processing of consumers’ personal information) until it becomes CCPA-compliant.
The AG’s Office could assess a maximum penalty of $2,500 per violation, or $7,500 per intentional violation. An intentional violation is one that the business or service provider is aware of. An intentional violation could be found where the business has engaged in repeated violations even after the assessment of penalties, or after being made aware of its violations from consumers or other businesses or service providers. If a business does not cure its violations and it has routinely – perhaps for dozens or even hundreds of consumers - failed to follow CCPA guidelines, the business could face hundreds of thousands of dollars in penalties.
Importantly, while the CCPA creates a private right of action, that right does not extend to violations of the rights and obligations set forth in the CCPA itself. In other words, a consumer cannot sue a business or service provider under the CCPA for violations of the consumer’s right to request a deletion of personal information or right to non-discrimination.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.