CCPA Series 4: How to Interpret CCPA Penalties?
Aug 2, 2023
Since the CCPA took effect in January 2020, there has been no news of sky-high fines. This stands in stark contrast to the high-profile and stringent GDPR. According to statistics from Atlas VPN, in 2021 a total of 412 companies were fined for violating the GDPR, including Internet giants such as Amazon and WhatsApp, and the fines totalled as much as 1 billion euros. CCPA penalties appear milder than those of the GDPR, but is that really the case?
Section 1798.155 of the CCPA states, "An administrative penalty of up to $2,500 for each violation and an administrative fine of up to $7,500 for each willful violation and each violation involving the personal information of a consumer who is a minor."
Let's look at the GDPR's penalty standards. For general violations, the GDPR's fine limit is 10 million euros or up to 2% of global annual turnover in the preceding financial year, whichever is greater; for serious violations, the limit is 20 million euros or up to 4% of global annual turnover in the preceding financial year, whichever is greater.
China's Personal Information Protection Law, promulgated in November 2021, also followed the GDPR's example and fines offending companies in proportion to their turnover. It stipulates that "...if you refuse to make corrections, you will be fined up to one million yuan...if the circumstances are serious, you will be fined up to 50 million yuan or up to 5% of the previous year's turnover..." Compared with the tens of millions in fines under the GDPR and the Personal Information Protection Law, the CCPA's maximum figure of no more than $7,500 indeed looks insignificant. But it should be noted that CCPA penalties are assessed per violation. For platforms holding a large amount of user data, once a data breach causes actual losses to users, the total fine can easily reach hundreds of millions of dollars when the maximum penalty of $7,500 is applied to each violation. Moreover, the CCPA sets no upper limit on total fines, and this method of unbounded accumulation also has a deterrent effect. These fines must be collected through a lawsuit filed by the California Attorney General and are known as "administrative fines." In addition to administrative fines, consumers can exercise their private right of action to file a lawsuit and seek "civil relief". The CCPA stipulates that if a consumer's personal information is leaked because the company has not fulfilled its protection obligations, the consumer can file a civil lawsuit and demand the following compensation:
(1) Damages of not less than US$100 and not more than US$750 per consumer per incident, or actual damages, whichever is greater.
(2) Injunctive or declaratory legal relief.
(3) Other relief that the court deems appropriate.
Although the $750 upper limit is not high, if enough people file class action lawsuits, offending companies may also face tens of millions in damages. The private right of action is often regarded as a powerful weapon for consumers to defend their own rights and interests. However, while the CCPA grants consumers this right, it also sets strict conditions for invoking it: 1) it is limited to the leakage of specific categories of information; 2) the enterprise has not fulfilled its protection obligations; 3) actual damage has been caused. These strict standards exist mainly to prevent abuse of the private right of action and the waste of limited law enforcement resources. The GDPR, which also gives consumers an individual right to sue, sets similar conditions. So far, California courts have not accepted a single case of an individual suing a company for violating the CCPA. It can be seen that the CCPA does not regard individual lawsuits as the main means of protecting consumer rights.
The CCPA gives consumers the right to bring individual lawsuits, and offending companies may also face administrative lawsuits. However, the California Attorney General has admitted that the resources of the Department of Justice are only enough to handle a few lawsuits each year, which means that most companies will not be sued. Litigation is not the ultimate goal of CCPA enforcement; the most important thing is to urge companies to take appropriate measures to protect consumers' privacy rights. In order to use limited resources wisely, the CCPA specifically provides a 30-day cure period, which is one respect in which the CCPA's procedural design is superior to the GDPR.
Section 1798.150 of the CCPA states: if, prior to initiating any action against a business for individual or class-wide statutory damages, a consumer provides the business with 30 days' written notice identifying the specific provisions of this Act that the consumer alleges have been, or are being, violated, the consumer may bring an action under this section. If the business actually cures the noticed violation within 30 days and provides the consumer with an express written statement that the violation has been cured and will not recur, no action for individual or class-wide statutory damages may be initiated against the business.
If the company violates the relevant provisions of the CCPA again, consumers can initiate a lawsuit against the company to enforce the written statement, or request statutory damages for any breach of it. Consumers who file individual lawsuits must observe the 30-day cure period, and administrative lawsuits are no exception. After the law enforcement agency discovers that a company is non-compliant, it should immediately issue a notice instructing the company to cure the violation within 30 days. If the enterprise fails to do so within 30 days, the Attorney General may file an administrative lawsuit according to law.
3. Compliance Suggestions
In July 2021, the California Attorney General's Office released a summary of CCPA enforcement that described 27 typical cases in detail, together with the companies' subsequent corrective measures. The vast majority of companies were able to correct their non-compliance within 30 days under the guidance of the Attorney General's Office, and very few cases reached the point of litigation and fines. Even where a company was actually prosecuted, no sky-high fines like those under the GDPR have been issued so far: the first fine issued under the CCPA was only 400,000 US dollars. At the level of government regulation, CCPA enforcement agencies focus more on strengthening corporate awareness and practice of privacy protection through routine supervision and the cure period. Litigation and fines serve more as a deterrent and a backstop.
For enterprises, moderate penalty standards mean lower trial-and-error costs, but this does not mean that enterprises can relax their implementation of the CCPA. In fact, after the CCPA took effect, California passed an amendment to it, the California Privacy Rights Act (CPRA), in November 2020. The CPRA established a dedicated regulatory body, the California Privacy Protection Agency, which is responsible for the day-to-day supervision and enforcement of the CCPA and CPRA and for strengthening public education. A specialized institution means more professional manpower and more abundant resources. As the staffing of the Privacy Protection Agency is gradually completed, the scope and content of its enforcement will continue to expand, and the chances of a company's non-compliance being discovered will also increase. In this context, enterprises should track the latest privacy policies and regulations in a timely manner, actively cooperate with law enforcement agencies once problems are discovered, and complete corrective action within the specified time to avoid being fined.