All businesses that process the data of California residents and meet specific thresholds for data subject numbers, annual gross revenue, or revenue from selling personal data can be penalized under the CCPA. Fines range from $2,500 to $7,500 per violation, depending on whether the violation is intentional.
In this article, we’ll explain everything you need to know about CCPA fines – exactly what companies can get penalties for, what kind of fines exist, and compliance tips on how to prevent them.
Who can be fined by the CCPA?
The Attorney General or the California Privacy Protection Agency can fine any business or individual to whom CCPA applies. According to the CCPA (FAQ A.5), this means anyone who processes the personal data of California residents and meets at least one of the following criteria:
- The annual gross revenue of the business exceeds $25 million
- 50% or more of annual revenue comes from personal data selling
- Processes the personal data of over 100,000 California residents each year
Keep in mind that the CCPA doesn’t just apply to California businesses. If a business or project operates outside of California but processes the data of California residents, the CCPA can still penalize it for non-compliance.
Types of CCPA fines and penalties
You don’t always get fined immediately for not complying with the CCPA, and if you do, the fine depends on whether the violation was intentional. Here are the types of penalties to be aware of:
1. Class action
Consumers cannot sue a business for most CCPA violations. The exception is a data breach caused by a business failing to adopt the security measures necessary to protect the data. In such cases, according to the CCPA (FAQ A.8), consumers can sue the company for actual monetary damages or for statutory damages of up to $750 per violation.
While $750 may seem small, one violation equals one affected consumer, so the total can quickly add up to millions of dollars.
Before using their private right of action, such as a class-action lawsuit, consumers must give the business 30 days’ notice to cure the violation and respond. If the business cures the violation within that period, consumers cannot sue unless the violation continues.
2. Fine for intentional violations
An administrative fine can be issued when a business or company violates the CCPA knowingly. This means the business is aware of non-compliance with the law but doesn’t rectify it.
Signs that a business is intentionally violating the regulation include failing to delete data, grant access to it, or provide an option to withdraw consent even after consumers have requested it. Some businesses go as far as ignoring orders from the authorities to fix non-compliance.
When a violation is found to be intentional, the fines can go up to $7,500 per single violation.
3. Fine for non-intentional violations
Some companies may violate the CCPA unintentionally due to a lack of awareness or not fully comprehending the requirements of the regulation.
For example, a non-intentional violation could be a data breach caused by a security vulnerability the company wasn’t aware of, or an incomplete privacy policy.
In some cases, authorities may give businesses a 30-day cure period to fix the situation (where possible) before issuing a fine. Failure to rectify it within that period can result in a non-intentional violation fine of up to $2,500 per single violation.
Common reasons for CCPA penalties
There are many reasons a company, big or small, can receive a penalty. Some of them include:
- Not providing a withdrawal option
- Not providing a privacy notice
- Missing “Do Not Sell My Personal Information” button and/or page
- Failure to get consent from parents of children (under the age of 13)
- Failure to comply with user rights (such as the right to delete or access information, the right to know what information is collected, and more)
- Failure to report a data breach
- Not disclosing what data collection practices apply
How to prevent CCPA fines?
To prevent fines, businesses have to know the main requirements of the CCPA. These include a consent withdrawal option, a cookie preference management option, data security, detailed cookie information, storage of user consent, and more. Here are the main steps to take to comply with the CCPA on your website:
- Adopt a cookie consent banner. A cookie consent banner lets you present cookie management options and a consent withdrawal button, both required by the CCPA, as soon as a user enters the website. It also lets you link to your privacy or cookie policy so consumers can reach it easily.
- Collect user consent. Unlike under the GDPR, the CCPA does not require opt-in consent before using cookies; consent is implied as soon as consumers open the website. However, you are still required to store a record of that consent and of any later withdrawal.
- Create a privacy policy. A CCPA-compliant store must write a privacy policy with the necessary information, including definitions, data collection reasons, a list of data that is collected and for how long, data sharing or selling to third parties, and user rights.
- Include a cookie policy. Whether as a separate page or a section in the privacy policy, a cookie policy is a must. Businesses must provide information on what cookies are used, for how long, instructions on how to withdraw consent, and more. You can learn how to do it properly in our cookie policy writing guide.
- Secure user data. According to CCPA, businesses must have data protection measures in place to avoid breaches. In case of a breach, companies can be fined up to $7,500 for a single violation.
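As an added example (not TinyCookie’s or any vendor’s code), here is a minimal consent record implementing the opt-out model described in the steps above: sale of personal data is allowed by default for adults, blocked for minors until affirmative authorization is recorded, and always blocked after a “Do Not Sell My Personal Information” click or a consent withdrawal. Storage is an assumed Map-like object injected by the caller so the code runs outside a browser; on a real site it would be backed by a first-party cookie or localStorage.

```javascript
// Added example: CCPA-style opt-out consent record (not the page's or a vendor's code).
// `storage` is any object with get/set/delete (e.g. a Map); `now` is injectable for tests.
const CONSENT_KEY = 'ccpa_consent_v1';

function createConsentStore(storage, now = () => new Date().toISOString()) {
  const load = () => {
    const raw = storage.get(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null;
  };
  const save = (rec) => { storage.set(CONSENT_KEY, JSON.stringify(rec)); return rec; };

  return {
    // Visitor clicked "Do Not Sell My Personal Information": record the opt-out with a timestamp.
    optOutOfSale() {
      return save({ ...(load() || {}), saleOptOut: true, optOutAt: now() });
    },
    // Affirmative authorization for a minor: 'parent' for under 13, 'self' is enough for 13-15.
    // It is recorded explicitly, never assumed from the visitor merely opening the site.
    recordMinorAuthorization(by) {
      return save({ ...(load() || {}), minorAuthorization: { by, at: now() } });
    },
    // Withdrawal must be as easy as giving consent: drop any authorization and opt out of sale.
    withdrawConsent() {
      const rec = load() || {};
      delete rec.minorAuthorization;
      return save({ ...rec, saleOptOut: true, withdrawnAt: now() });
    },
    // Decision the tag loader asks before firing any script that sells or shares data.
    // ageBand: 'adult' (default), 'teen' (13-15) or 'child' (under 13).
    isSaleAllowed(ageBand = 'adult') {
      const rec = load() || {};
      if (rec.saleOptOut) return false;      // an opt-out always wins
      if (ageBand === 'adult') return true;  // CCPA is opt-out for adults: allowed by default
      const auth = rec.minorAuthorization;
      if (!auth) return false;               // minors need an affirmative opt-in first
      return ageBand === 'child' ? auth.by === 'parent' : true;
    },
    current: load,
  };
}

// Gate third-party tags on the stored decision; tags that do not sell data always load.
function tagsToLoad(store, ageBand, tags) {
  const allowed = store.isSaleAllowed(ageBand);
  return tags.filter((t) => allowed || !t.sellsData).map((t) => t.name);
}
```

The stored record (timestamped opt-out, authorization, withdrawal) is the evidence you keep to show that a withdrawal request was honoured.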
Conclusion
Unlike the GDPR, the CCPA scales its penalties according to whether the non-compliance or violation was intentional.
If a company wasn’t aware of the issues, the regulation allows a fine of up to $2,500 per violation and may grant a 30-day cure period beforehand. However, if notifications of a violation are ignored, the fine for a single violation can go up to $7,500.
The best way to ensure CCPA compliance is to add a cookie consent banner like TinyCookie to your website. It lets you implement a banner in just a few clicks, customize the content and design to your needs, collect user consent, scan website cookies, and more.
However, you must also write a privacy policy and a cookie policy listing all the personal information collected and add them to your website. And to avoid multiple violations arising from data breaches, businesses must put security measures in place to protect data from leaking.
Frequently asked questions
Sephora received a $1.2 million fine under the CCPA in 2022 because of its failure to disclose to users that their information would be sold to third parties. Additionally, it failed to provide a withdrawal option for users.
The maximum CCPA fine is $7,500 for a single violation. The largest fine at the time of writing was given to T-Mobile, a telecommunications brand by Deutsche Telekom, which was $350 million because of a data breach that exposed data of millions of its customers.