CCPA Fines: What Are the Consequences of Non-Compliance?

What are the CCPA fines? What happens if you don’t comply? In this post, we explain the main consequences of CCPA non-compliance and show you how you can avoid them.

Fines for CCPA’s non-compliance

As with many other laws on data privacy, the California Consumer Privacy Act has quite a severe approach to non-compliance.

“As required under the CCPA, the California Privacy Protection Agency has adjusted, and will do so every other year, monetary thresholds, monetary damages, administrative fines, and civil penalties, in line with increases to the Consumer Price Index (CPI). The current adjustment is effective on January 1, 2025. The monetary threshold within the definition of businesses has been raised to $26,625,000, while administrative fines and civil penalties to $2,663 for each violation or $7,988 for each intentional violation and violations involving the personal information of consumers whom the violator has actual knowledge are under 16 years of age“.

Compared to the GDPR, which provides for fines up to EUR 20 M (22 M USD) or 4% of annual global revenue, these fines might not seem particularly large. However, keep in mind that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.

How to comply with CCPA and avoid fines

In order to avoid penalties, there are a few steps to follow to comply with CCPA:

• honestly assess and review your activities. Ask yourself what types of data you collect, what are the purposes of your collection, which third parties are involved in the processing, etc. This step will help you determine which legal documents you may need and how to handle users’ requests;

• have a valid and clear privacy policy, with all the relevant disclosures on how you collect and process the users’ personal information. It should be easily accessible from the homepage of your website / app, describe the process by which users can request changes to personal data and show your contact information for CCPA requests;

• make sure you’re honoring the user’s right to opt out of the sale (or sharing) of their personal data. Under the CCPA, while you don’t need opt-in or prior consent of your users before sharing or selling their data, you must inform them of the sale activity and provide them with an immediate way to opt-out. That’s why you need to show a “Do Not Sell My Personal Information” (“DNSMPI“) notice, upon the user’s first visit to your website or app.

Remember, you don’t always need to ask users to opt-in. However, it may be mandatory if there are children involved, or you’re collecting and processing sensitive information.

How iubenda can help

iubenda’s solutions can help you comply with the CCPA, in minutes.

Privacy and cookie policy

Our Privacy and Cookie Policy generator allows you to:

• display CCPA related language, disclosures, and instructions as legally required;
• indicate services active on your site which might constitute a sale under the CCPA definition; and
• automatically update your embedded privacy policy with the CCPA text once activated within the generator.

Cookie management

With our Privacy Controls and Cookie Solution, you can display a “Do Not Sell My Personal Information” notice and manage opt-outs.
It also supports the CCPA Compliance Framework by IAB (Interactive Advertising Bureau), which establishes a process for publishers and their partners to comply with new regulations regarding the sale of consumer data to technology companies.

Consent management

Then, you may need to keep track of your users’ requests. In fact, the CCPA mandates that opted-out users may not be contacted for a minimum of 12 months after the request.
Our Consent Database hooks onto your web-forms to let you automatically pass consumer preference details like opt-out via API to a centrally managed visual dashboard. It’s prudent to keep records of opt-out details such as the particular user, the date, and sub-contractors to be notified in the case of requests.

Register of Data Processing Activities

Our Register of Data Processing Activities lets you accurately record relevant details necessary for fulfilling Consumer requests with precision. The solution records:

• security details such as which members of your organization has access to user data;
• any registered sub-contractors processing on your behalf;
• manually added purposes for the processing;
• data collection methods and more.

See also

• CCPA Privacy Policy Example
• What is Personal Information under the CCPA
• CCPA vs GDPR: what’s the difference?