California Consumer Privacy Act (CCPA): What You Need To Know

By Iris C. Chiu and Jake Kim

The California Privacy Rights Act (CPRA) amends the California Consumer Privacy Act (CCPA) and includes additional privacy protections. Effective July 1, 2023, noncompliance with the CCPA could have significant consequences for your businesses. Our past article discussed whether your business is covered under the CCPA. Click here to read about it. This article will share with you what is happening in the privacy space right now and how your business should comply.

Enforcement & Penalties Under CCPA

• The California Attorney General was responsible for enforcing the CCPA. Now, the CCPA has established a new enforcement authority called the California Privacy Protection Agency (a group of privacy law attorneys). In theory, the enforcement of the CCPA has become more efficient.
• Businesses not in compliance can be fined civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation of the statute.
• There are private rights of action available for individuals in cases of breach of nonencrypted and nonredacted information, such as data theft from emails or information that would permit access to accounts.

Small, Mid-Sized Business Enforcement (GDPR)

The CPRA is modeled on the GDPR, so it is not a surprise that they share certain similarities. At least 270 CCPA-related legal actions have been filed, and there are hundreds more claims or demands. Here are some examples of GDPR fines imposed on small and medium-sized businesses.

Restaurant Business	Fined approximately $10,000 for failing to display a video surveillance sign to its customers
Mid-sized Marketing company	Fined approximately $140,000 for the unauthorized reselling of personal information
Sports Betting Operator	Fined approximately $380,000 for failing to secure client data, with employees accessing up to 1/3 of the full client dataset
Sephora USA (CCPA)	Agreed to pay fine of $1.2 million (failed to tell consumers that the company sold personal information and did not process opt-out requests)

 

Data Breach, is YOUR BUSINESS safe?

Data breaches are on the rise. They take a tremendous amount of company resources, from manpower to the risk of consumers abandoning a company and the like. When one considers statutory fines that may be associated with a breach, it makes sense to see how to minimize that impact. However, businesses that are in compliance with the CCPA will be protected against many of the fines and related consequences of data breaches. Further, many small businesses believe that a data breach is unlikely to occur to them or have any significant impact. However, a recent study found the opposite to be true.

source: strongdm

While data breaches are always a risk, complying with the CCPA guidelines can safeguard your business from the penalties associated with a breach. Here is a compliance checklist to help you safeguard your business.

CPRA Compliance Checklist (non-exhaustive)

☐  Provide a CPRA-compliant notice to consumers and employees when collecting personal information

☐  Review and update sensitive personal information details in contracts, including those with employees, customers, and suppliers, if necessary

☐  Create or update your website privacy policy to include details about the new information on sensitive personal information

☐  Implement “do not sell or share my personal information” and “limit the use of my sensitive personal information” links on your website

☐  Create a process for disclosing information when required

☐  Create data retention and minimization policies for data processing activities and evaluate if your business requires regular privacy risk assessments

This article is not intended to and does not constitute legal advice or a solicitation for the formation of an attorney-client relationship. For questions about privacy law or other matters, reach out to our experienced privacy team at 408.286.5800 or e-mail iris.chiu@berliner.com.