CCPA Fines and Penalties for Non-Compliance

Updated: Mar 5


The California Consumer Privacy Act (CCPA), A.B. 375, is California’s landmark consumer privacy law, forcing significant changes for businesses that collect and store personal data of California residents. Passed in 2018, the law took effect on January 1, 2020, and it is seen by many as the strictest data privacy law ever enacted in the United States.

The CCPA gives California consumers the ability to demand to see the information a company has stored about them. It also allows the consumer to review a list of all the third-party organizations that data has been shared with. If it is determined that the privacy guidelines have been violated, the law allows consumers to sue the company. This is true even if no breach occurs.


Companies Impacted by the CCPA

Any company that serves California residents and has $25 million or more in annual revenue is subject to this law. Companies that store personal data on at least 50,000 people, and companies that derive more than 50% of their revenues through the sale of personal data, fall under this law as well. Importantly, the CCPA applies to all companies that serve California residents, regardless of where the company is based.


CCPA Fines and Penalties

Given the potential for “private right of action” consumer lawsuits for data breaches as well as the potential for civil penalties levied by the California attorney general for non-compliance, CCPA fines can be significant.


Under California law, damages may include:

  • $100 to $750 per consumer per incident, or actual damages (the greater of the two)

  • Compensation for injunctive or declaratory damages

  • Any other relief deemed appropriate by the court

When assessing damages, the CCPA directs a court to consider:

  • The nature and seriousness of the violation

  • The number and frequency of violations

  • The time period over which the violations occurred

  • Whether or not the violation was intentional

  • The assets, liabilities, and net worth of the defending organization


In cases of non-compliance, the company has thirty days to address the issue once regulators alert it to a violation. If the issue is not resolved, the fine can be up to $7,500 per record.


CCPA Training for Employees

Under the CCPA, companies must ensure that their employees are trained regarding key sections of the law and on how consumers are instructed to pursue their rights under those sections.


Specifically, employees must be trained to understand the following:

  • The consumer’s right to request that the business disclose what information is being collected and why

  • The right of the consumer to learn which personal information is being shared or sold

  • The injunction against businesses discriminating against consumers who choose to exercise the privacy rights offered by the CCPA

  • The company’s policy disclosure requirements and the rules regarding how it responds to requests from consumers


LMS Portals for CCPA Staff Training

LMS Portals offers a robust learning management system (LMS) that organizations can use to conduct their CCPA employee training. The system allows users to quickly and easily build and deliver CCPA learning content and courses on their own corporate-branded portal. The platform also includes tools for user onboarding, messaging, analytics, and more.


Contact us today to get started for free!
