While privacy and the role of stewards for personal data are a value and enough of a reason to pay attention to data protection and information security, penalties and reputational damage for violating data regulations weigh heavily on the minds of most company executives. CCPA defines penalties on a per violation basis. There are two forms of penalties - those brought by the California Attorney General as civil cases and those brought by individuals.
Penalties brought by the Attorney General have a potential penalty of $2,500 per violation or $7,500 per intentional violation. These penalties can be levied for violating CCPA, whether there has been a breach of data or not. If there are violations that impact many individuals' records, these fines can add up.
CCPA allows for a 30 day cure period. This clause requires the Attorney General to notify a company of a violation and allow the company to have 30 days to resolve it. If the violation is resolved in this timeframe, then there is no penalty for the violation.
CCPA also allows for individuals, in particular cases, to seek damages from companies. This right is codified in CCPA as the Private Right of Action. As opposed to the above violations brought by the Attorney General, individual cases can only be brought against companies when there has been a data breach.
The penalties are capped between $100 and $750 per individual, per violation. While these violations can add up if many impacted individuals pursue action, the penalties are considered by many to be too low.
The final form of penalty is reputation damage. With the increasing awareness and value that consumers put on privacy and protecting their data, this is a powerful deterrent. While not specific to CCPA, this is something that many executives and boards think about when they prioritize data security and privacy.