California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
When it comes to the California Consumer Privacy Act (CCPA), one of the top concerns for businesses is enforcement. They want to know what enforcement looks like and, more importantly, how much a violation costs. These questions have taken on even more importance since the start of 2023 because of the California Privacy Protection Agency (CPPA), which is dedicated exclusively to CCPA-related matters. While the Attorney General's Office has not been idle (Sephora, for example, was fined $1.2 million in 2022), enforcement is widely expected to take a big jump under the CPPA.
Another fundamental change to the enforcement scheme is the expiration of the mandatory 30-day cure period. The state was formerly required to give any business 30 days to cure any alleged violation of the CCPA; if the problem was fixed within that time frame, no further action was taken. Now, the CPPA has the discretion to either allow a cure period or proceed directly to enforcement proceedings. Businesses can no longer rely on having 30 days to avoid penalties, especially if they have not made any good-faith effort to get compliant up to that point.
All that being said, what happens when a business violates the CCPA?
If a business fails to cure its alleged violations, it will be subject to both an injunction and civil penalties. An injunction means that the business will be required by court order to stop engaging in certain practices. The CCPA does not explain what the injunction would require, but it could require the business to cease its operations (or at least stop its collection and processing of consumers’ personal information) until it becomes CCPA-compliant.
The AG’s Office could assess a maximum penalty of $2,500 per violation, or $7,500 per intentional violation. An intentional violation is one that the business or service provider is aware of. An intentional violation could be found where the business has engaged in repeated violations even after the assessment of penalties, or after being made aware of its violations from consumers or other businesses or service providers. If a business does not cure its violations and it has routinely (perhaps for dozens or even hundreds of consumers) failed to follow CCPA guidelines, the business could face hundreds of thousands of dollars in penalties.
Importantly, while the CCPA creates a private right of action, that right does not extend to violations of the rights and obligations set forth in the CCPA itself. In other words, a consumer cannot sue a business or service provider under the CCPA for violations of the consumer’s right to request a deletion of personal information or right to non-discrimination.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.