Compliance & regulations

Penalties & fines

Companies that do not comply with the CPRA may face civil penalties and fines of up to $7,500 per violation. GDPR fines, meanwhile, can reach up to 4% of a business’ annual worldwide turnover.

CPRA

The CPRA amends existing provisions of Title 1.81.5 of the California Civil Code (CCPA) and introduces new provisions related to the establishment of a new California Privacy Protection Agency (CPPA).

The CPPA was one of the major additions with the passage of CPRA.

Enforcement of the CPRA begins in July 2023 and applies to violations occurring on or after that date. The CCPA’s provisions remain in effect and enforceable until then, and the earlier statutory requirements still apply and will be taken into consideration for data collected on or before January 2022. The newly created agency (CPPA) is tasked with rulemaking as well as regulatory compliance, taking over from the California AG starting in July 2022. The CPPA will provide regulatory guidance; organizations will have to provide ongoing risk assessments and cybersecurity audits when requested by the agency, and the CPPA retains the right to audit to ensure compliance.

The CPRA is subject to statutory requirements, penalties and enforcement actions, and consumers also have a private right of action. Under the CPRA, a consumer can bring a private right of action against an organization where unauthorized access to or disclosure of an email address together with authentication information leads to a data breach. The CPRA eliminates the CCPA’s 30-day remediation period to cure violations and instead allows the CPPA to set the deadlines for compliance and remediation.

$2,500–$7,500 per violation

Civil penalties range from $2,500 for each violation up to $7,500 for each intentional violation.

$100–$750 per occurrence

Damages for data breaches where harm is limited range from $100 to $750 for each occurrence, with harm-based violations capped at $750.

The CPRA covers over 20 different categories of regulations with increased enforcement for violations involving minors. The following are some examples highlighting major additions to the CPRA:

New thresholds for compliance: goes from 50,000 to 100,000

The threshold of consumer personal information that an entity must process to qualify as a business within the scope of the CPRA has been increased. Any organization that processes the records of 100,000 or more California households is required to comply with the CPRA, up from the 50,000 threshold originally set in the CCPA.

Increased California Consumer Rights

The CPRA adds two important rights for CA consumers that were not previously available under the CCPA.

Right to Correct: CPRA requires that businesses authenticate and verify the identity of an individual using reasonable means. A “verifiable consumer request” is a request for data access, correction, or deletion made by a consumer, the legal guardian of a minor or an authorized agent acting on behalf of the individual. Businesses that receive “verifiable consumer requests” to correct reportedly inaccurate personal information will be required to use “commercially reasonable efforts” to address inaccuracies and provide CA Consumers with proof of action. CCPA/CPRA does not currently outline what constitutes “commercially reasonable efforts” but organizations should rely on best practices using other existing data privacy laws until this standard is further established.

Rights on Usage Limitation: CPRA also places limits on how a business may use and process personally identifiable information as well as setting limits on disclosure of personal data to third parties and processors. CPRA section 1798.121 gives consumers the right to tell businesses to limit the use of their sensitive personal information to only that which is necessary for providing products or services.

The CPRA also expands on the following three CA consumer privacy rights:

Right to Know: CPRA expands on the consumer’s right to know and request the types of personal information that are collected about them. CPRA also addresses retention periods and storage limitations for personal information and requires that data be stored only for as long as necessary to achieve the stated processing and/or business goals.

Right to Delete: CPRA expands on the right of CA consumers to have their data removed from all marketing processes and data sources. Third parties and contractors are required to honor all requests for deletion of personal information and are required to make best efforts to remove/delete related data sets.

Right to opt out: CPRA also expands on CA consumers’ right to opt out of processing, specifically where personal information could be used for profiling, segmentation and cross-contextual behavioral advertising.

GDPR

GDPR Fines and Penalties

GDPR has some of the harshest and strictest fines and penalties regarding violations and can range in severity depending on:

  • Intentional or negligent actions/behavior
  • Lack of remediation and “best efforts” to address violations
  • Not cooperating with the regional and National authorities

For intentional and egregious violations, fines and penalties can reach “€20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.” The following are examples of major violations:

GDPR Articles 5, 6 and 9 (basic principles for processing): Data processing must occur lawfully, fairly and transparently.

GDPR Article 7 (conditions for consent): Proper consent from data subjects must be obtained and recorded when processing is conducted for lawful purposes.

GDPR Articles 12–22 (data subjects’ rights): Data subjects have the right to access and know what personal information the organization is collecting, the purposes of the processing and the entities that will carry it out.

GDPR Articles 44–49 (transfer of data to an international organization or a recipient in a third country): Transfers of personal data outside the EU must rely on an adequacy decision or another mechanism (Binding Corporate Rules, Standard Contractual Clauses) for the transfer to a third country or international organization to be lawful; the European Commission determines the standards and provisions required to achieve adequacy.

Failing to comply with the order of a supervisory authority: Once a regulatory or monitoring body imposes an action for non-compliance with GDPR or related regulations, organizations face severe repercussions for not following the orders, actions and judgments passed by these authorities.

Various actions available to supervisory authorities

Information notices

A request for information, or Information Notice, can be issued by authorities in order to assess an organization’s security and information systems. The Information Notice can request information on the entity’s ability to secure its systems and information, as well as proper documentation of all processing activities. The regulatory or supervisory authority can also request proof that inspections and due diligence have been carried out on third-party processors to confirm they meet the standards set out in GDPR. The Information Notice clearly states the information being requested, the reasons for the request and the deadline for responding. If the organization fails to respond to the Information Notice by the stipulated deadline, or does not comply with the policies and procedures outlined, it can be issued an enforcement notice.

Enforcement notices

Enforcement notices can be given in several situations, including but not limited to:

  • Notifications of security breaches and deficiencies
  • Failing to notify the public regarding specific GDPR violations
  • Failure to comply with and follow an Information Notice
  • Inspection Notices

Penalty notices

Failure to act properly on an Enforcement Notice can escalate to a Penalty Notice. A Penalty Notice clearly outlines the violations referenced, the amount of the fines levied and the payment due date, and provides information on how to appeal and/or contest the Penalty Notice.

GDPR fines

  • $877M: GDPR violation, July 2021, for cookie consent
  • $56.6M: GDPR violation of privacy policies
  • $26M: GDPR violation in 2018
  • $41M: GDPR violation
  • $23.8M: GDPR violation
  • $14.5M: GDPR violation
