Avoid Penalties for Non-Compliance with CCPA
On December 4, the US Senate Commerce Committee met to discuss a unified federal privacy law. While the hearing moved the privacy initiative forward, consensus has not yet been reached over crucial aspects such as citizen private right to action.
What does this mean for California’s new privacy act that took effect January 1? Do businesses need to worry about CCPA fines and penalties? Should they act now to comply with California Consumer Privacy Act or wait for a federal law? In late November, CPO Magazine reported that only 12% of companies surveyed were prepared for CCPA and 38% needed twelve more months to be ready (Lindsey, 2019). If you are the majority who are not prepared for CCPA what should you be doing now to avoid CCPA fines and penalties?
CCPA Compliance
In order to avoid penalties for non-compliance with CCPA, 2B Advice privacy experts recommend building a privacy compliance program that’s flexible enough to ensure compliance with any of the potential privacy bills passed at a state or federal level. With CCPA going into effect now, the countdown to enforcement has started. The maximum penalty for non-compliance with CCPA is $7,500 for intentional violations. Violations lacking intent are subject to a $2,500 maximum fine. However, the larger impact on businesses is the CCPA’s consumer right to take private legal action. These situations may arise from instances where non-encrypted or non-redacted personal information is breached, regardless of the harm done to the data. Under the CCPA, consumers can collect between $100 and $750 for each event. Given the number of records affected in recent data breaches, the financial impact of this could add up to large sums. And note that this law applies to businesses anywhere in the world that interact with or collect data on California residents.
As written, enforcement of the CCPA will begin on July 1, 2020 and there is a 30-day period for companies found not in compliance to prove that they have rectified any problems. Does this mean you should wait? We recommend you start preparing now. Even if a federal privacy bill is passed, it can take several months, or even up to a year or more, to develop a privacy program for your business, including developing and rolling out educational training programs, put in place appropriate measures, and working with your third party vendors to ensure that any controller or processor you work with is also compliant.
Companies doing business with California residents should take note that the California AG will be vigilant from the start of the year. California Attorney General Xavier Becerra said during a December news conference that he will be “keeping an eye on potential violations in the first six months that involve the ‘sensitive, critical data’ of a large number of Californians, and will prosecute cases as warranted” (Koseff, 2019).
How to Get Started to Avoid CCPA Penalties
Putting in place a privacy compliance program that protects customer privacy will not only help your company avoid CCPA fines and penalties but it can be an important part of your business strategy. Don’t just think in terms of avoiding penalties, think holistically about how to build customer trust and loyalty and reduce risk. Begin by considering if there is a general awareness and agreement among your top management of privacy risk areas. If the answer is “we don’t know what we don’t know” then reach out to privacy legal consultants at 2B Advice for help getting started.
To learn more about CCPA and if it applies to your business, read our blog post ‘Manage Your CCPA Compliance‘.
Resources
- Lindsey, N. (2019): Study Shows Only 12% of Companies Are Ready For New CCPA Data Privacy Regulation (cpomagazine.com/data-protection/study-shows-only-12-of-companies-are-ready-for-new-ccpa-data-privacy-regulation)
- Koseff, A. (2019): California promises aggressive enforcement of new privacy law (sfchronicle.com/politics/article/California-promises-aggressive-enforcement-of-new-14911017.php)
Similar Blog Posts
This blog delves into the intricate requirements of GDPR consent, guided by the European Data Protection Board's (EDPB) clarifications and the amendments to the initial guidelines set by the Article 29 Working Party.
This blog will delve into the nuances of New Jersey's Senate Bill 332 and New Hampshire's Senate Bill 255, exploring their key features and the potential impacts on privacy norms.
The European Commission's recent confirmation of the continuity of data flows to 11 third countries and territories marks a significant milestone in international data protection.
Blog Categories
Questions?
Tel: +1 (858) 366 9750
Email: sandiego@2b-advice.com
2B ADVICE IN THE U.S.
San Diego, CA, USA
2B ADVICE WORLDWIDE
Berlin, Germany
Munich, Germany
Bonn, Germany
Verona, Italy
Vienna, Austria
Brezno, Slovakia
Paris, France
Information on data processing and data protection can be found in our Privacy Policy.