As of today, the California state government is enforcing the California Consumer Privacy Act (CCPA). Companies that don't comply with the law can expect stiff penalties from the government, along with potential consumer lawsuits.
Although the CCPA was signed into law two years ago and has been in effect since January 1, there was a six-month grace period during which companies were expected to review their procedures and ensure that they complied with the regulations. Today marks the start of real enforcement, when the attorney general can hold businesses accountable for violations.
Industry had pressured the state government to delay the enforcement date as companies struggled to cope with the COVID-19 pandemic, but the government held firm. It submitted the final set of proposed regulations for approval under the CCPA on June 2.
Darren Wray, CTO at data privacy company Guardum, warned that California has a reputation for aggressively pursuing its regulations. "Regulators are almost certainly going to come down strongly on high-profile breaches or compliance failures to show they mean business," he said. "We can also expect to see an uptick in the number of consumer complaints when they are unhappy with how a company has handled their data. We will also see more social media shaming for large companies that have failed in their new CCPA duties."
From today, companies that violate the CCPA rules could face penalties of $2,500 per individual violation, or $7,500 for intentional violations. The law also allows for consumer lawsuits with statutory payments of $100–$750 per violation.
This could all lead to soaring fines, warned Omer Tene, vice president and chief knowledge officer at the International Association of Privacy Professionals. "With companies collecting data about millions of California residents, the numbers add up quickly to sums that could dwarf the FTC's $5 billion settlement with Facebook," he said.
The law affects any person or organization doing business in California with over $25m in annual revenue, or any business collecting information on over 50,000 people or devices. Companies making more than 50% of their annual revenue from the sale of personal information also come under the CCPA.