What are the CCPA fines? What happens if you don’t comply? In this post, we explain the main consequences of CCPA non-compliance and show you how you can avoid them.
As with many other laws on data privacy, the California Consumer Privacy Act has quite a severe approach to non-compliance.
The CCPA provides for fines of up to $7,500 per individual violation, and consumers also have the right to sue businesses for damages. The right to sue applies only to the actual business (aka the data controller) and not to “service providers” (processors) acting on their behalf. The associated fines are between $100 and $750 per violation, or any higher amount related to actual damages.
The state can bring charges of up to $2,500 per violation for businesses that unintentionally violate the CCPA, and fines of up to $7,500 per violation for businesses that commit intentional violations.
Compared to the GDPR, which provides for fines up to EUR 20 M (22 M USD) or 4% of annual global revenue, these fines might not seem particularly large. However, keep in mind that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.
To avoid penalties, there are a few steps to follow to comply with the CCPA:
Remember, you don’t always need to ask users to opt in. However, it may be mandatory if there are children involved or you’re collecting and processing sensitive information.
iubenda’s solutions can help you comply with the CCPA, in minutes.
Our Privacy and Cookie Policy generator allows you to:
With our Privacy Controls and Cookie Solution, you can display a “Do Not Sell My Personal Information” notice and manage opt-outs.
It also supports the CCPA Compliance Framework by IAB (Interactive Advertising Bureau), which establishes a process for publishers and their partners to comply with new regulations regarding the sale of consumer data to technology companies.
Then, you may need to keep track of your users’ requests. In fact, the CCPA mandates that opted-out users may not be contacted for a minimum of 12 months after the request.
Our Consent Database hooks onto your web forms to let you automatically pass consumer preference details, such as opt-outs, via API to a centrally managed visual dashboard. It’s prudent to keep records of opt-out details such as the particular user, the date, and the sub-contractors to be notified in the case of requests.
Our Register of Data Processing Activities lets you accurately record relevant details necessary for fulfilling Consumer requests with precision. The solution records:
Check out our California legal overview: everything you need to know to comply!