CCPA Fines: What Are the Consequences of Non-Compliance?

What are the CCPA fines? What happens if you don’t comply? In this post, we explain the main consequences of CCPA non-compliance and show you how you can avoid them.

Fines for CCPA’s non-compliance

As with many other laws on data privacy, the California Consumer Privacy Act has quite a severe approach to non-compliance.

The CCPA provides for fines of up to $7500 per individual violation, and consumers have also the right to sue businesses for damages. Though the right to sue only applies to the actual business (aka the data controller) and not to “service providers” (processors) acting on their behalf, the associated fines are between $100 and $750 –per violation– or any higher amount related to actual damages.

The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and fines of up to $7,500 per violation, for businesses that commit intentional violations.

Compared to the GDPR, which provides for fines up to EUR 20 M (22 M USD) or 4% of annual global revenue, these fines might not seem particularly large. However, keep in mind that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.

How to comply with CCPA and avoid fines

In order to avoid penalties, there are a few steps to follow to comply with CCPA:

• honestly assess and review your activities. Ask yourself what types of data you collect, what are the purposes of your collection, which third parties are involved in the processing, etc. This step will help you determine which legal documents you may need and how to handle users’ requests;

• have a valid and clear privacy policy, with all the relevant disclosures on how you collect and process the users’ personal information. It should be easily accessible from the homepage of your website / app, describe the process by which users can request changes to personal data and show your contact information for CCPA requests;

• make sure you’re honoring the user’s right to opt out of the sale (or sharing) of their personal data. Under the CCPA, while you don’t need opt-in or prior consent of your users before sharing or selling their data, you must inform them of the sale activity and provide them with an immediate way to opt-out. That’s why you need to show a “Do Not Sell My Personal Information” (“DNSMPI“) notice, upon the user’s first visit to your website or app.

Remember, you don’t always need to ask users to opt-in. However, it may be mandatory if there are children involved, or you’re collecting and processing sensitive information.

How iubenda can help

iubenda’s solutions can help you comply with the CCPA, in minutes.

Privacy and cookie policy

Our Privacy and Cookie Policy generator allows you to:

• display CCPA related language, disclosures, and instructions as legally required;
• indicate services active on your site which might constitute a sale under the CCPA definition; and
• automatically update your embedded privacy policy with the CCPA text once activated within the generator.

Cookie management

With our Privacy Controls and Cookie Solution, you can display a “Do Not Sell My Personal Information” notice and manage opt-outs.
It also supports the CCPA Compliance Framework by IAB (Interactive Advertising Bureau), which establishes a process for publishers and their partners to comply with new regulations regarding the sale of consumer data to technology companies.

Consent management

Then, you may need to keep track of your users’ requests. In fact, the CCPA mandates that opted-out users may not be contacted for a minimum of 12 months after the request.
Our Consent Database hooks onto your web-forms to let you automatically pass consumer preference details like opt-out via API to a centrally managed visual dashboard. It’s prudent to keep records of opt-out details such as the particular user, the date, and sub-contractors to be notified in the case of requests.

Register of Data Processing Activities

Our Register of Data Processing Activities lets you accurately record relevant details necessary for fulfilling Consumer requests with precision. The solution records:

• security details such as which members of your organization has access to user data;
• any registered sub-contractors processing on your behalf;
• manually added purposes for the processing;
• data collection methods and more.

See also

• CCPA Privacy Policy Example
• What is Personal Information under the CCPA
• CCPA vs GDPR: what’s the difference?