The California Consumer Privacy Act (CCPA) is a privacy law passed by the state of California in 2018 (in force since 1 January 2020) that regulates how businesses anywhere in the world may collect, use and share the personal information of California residents.
Wherever you are located or operate, if you have consumers in California you need to know about the CCPA and, if you meet its thresholds, comply with it.
What is the meaning of CCPA?
The CCPA gives California residents control over the sale and disclosure of their personal information to third parties.
The CCPA provides these privacy rights to California consumers:
- The right to know what personal information a business is collecting about them and how it is being used and shared
- The right to delete the personal information collected from them
- The right to opt-out of the sale of their personal information to third parties
- The right to non-discrimination for exercising their CCPA rights
If you are a for-profit organisation that does business in California and meets any one of the following three criteria, you must comply with the CCPA:
- Your annual gross revenue exceeds $25 million
- You buy, sell or receive the personal information of 50,000 or more California residents, households or devices
- You derive 50% or more of your annual revenue from selling the personal information of California residents
These are the thresholds as originally enacted; the CPRA amendments, in force since 1 January 2023, raised the second threshold to 100,000 consumers or households and extended the second and third criteria to cover "sharing" personal information for cross-context behavioural advertising as well as selling it.
What are the penalties for CCPA non-compliance?
The California Attorney General (and, since 2023, the California Privacy Protection Agency) may seek an injunction and civil penalties against any business that violates the CCPA.
Civil penalties are up to $2,500 per unintentional violation and up to $7,500 per intentional violation.
If a consumer's unencrypted and unredacted personal information is exposed in a data breach caused by the business's failure to implement reasonable security procedures, that consumer can bring a civil action against the company.
The consumer can recover their actual damages or statutory damages of between $100 and $750 per consumer per incident, whichever is greater.
Those penalties can multiply quickly if there’s a data breach involving thousands of consumers.
Who was the first company fined for violating the CCPA?
Sephora, the cosmetics retailer owned by the LVMH group, agreed to pay a USD 1.2 million fine for failing to comply with the California Consumer Privacy Act (CCPA), after the California Attorney General notified it of the violations and it failed to cure them within the 30-day period then allowed.
According to the statement issued by the California Attorney General's Office, Sephora disclosed information about its online customers to third parties, including their location, purchase history and information about the devices used to make purchases.
It did so without telling customers that it was selling their personal information and without honouring their requests to opt out of that sale, including requests signalled through the Global Privacy Control browser setting.
The USD 1.2 million fine is the outcome of a settlement between the Attorney General and Sephora.
Within the framework of the settlement, Sephora undertook to take the following measures:
- Clarify the company's privacy policy and state clearly that it sells customers' personal information to third parties.
- Provide an opt-out mechanism so that consumers can refuse the sale or disclosure of their information to third parties.
- Revise its agreements with third parties so that they meet CCPA requirements.
- Report regularly to the California Attorney General's Office on the steps the company is taking to comply with the statutory requirements.
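The second settlement measure, an opt-out that actually stops personal information flowing to third parties, is the one that needs engineering work rather than a policy edit. The following is an added example of what that mechanism looks like server-side; it is not Sephora's, the Attorney General's or CookieScan's code. It assumes (my assumptions, not from the article) that the site sets a first-party cookie named ccpa_opt_out=1 when a visitor clicks the "Do Not Sell" link, that the site treats the Global Privacy Control header (Sec-GPC: 1) as an opt-out request, and a constructed list of third-party tags flagged by whether they transmit personal information.

```javascript
// Added example (not Sephora's or CookieScan's code): decide which third-party
// tags a page may load, honouring a CCPA "Do Not Sell" opt-out.
// Assumptions (not from the original article): the opt-out is recorded in a
// first-party cookie "ccpa_opt_out=1", and the Sec-GPC request header is
// treated as an opt-out request, as California's CCPA regulations require.

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    const raw = part.slice(idx + 1).trim();
    try {
      out[name] = decodeURIComponent(raw);
    } catch (e) {
      out[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// Look at the request headers (case-insensitive) and report whether the
// visitor has opted out and why. GPC is checked first because it is a
// browser-wide signal the consumer set deliberately.
function evaluateOptOut(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = v;
  if (h["sec-gpc"] === "1") return { optedOut: true, reason: "gpc-signal" };
  const cookies = parseCookies(h["cookie"]);
  if (cookies.ccpa_opt_out === "1") return { optedOut: true, reason: "opt-out-cookie" };
  return { optedOut: false, reason: "no-opt-out" };
}

// Constructed tag inventory for the example. sharesPI marks tags that send
// personal information (identifiers, purchase history, device data) to a
// third party, i.e. a "sale or share" under the CCPA. Tags that send no
// personal information are unaffected by the opt-out.
const TAGS = [
  { name: "ad-retargeting-pixel", sharesPI: true },
  { name: "third-party-analytics", sharesPI: true },
  { name: "first-party-error-logging", sharesPI: false },
];

// The behaviour the complaint describes: every tag loads for every visitor,
// whatever the visitor asked for.
function tagsWithoutOptOut(tags = TAGS) {
  return tags.map((t) => t.name);
}

// The compliant behaviour: personal-information-sharing tags are suppressed
// for visitors who opted out by either route.
function tagsToLoad(headers, tags = TAGS) {
  const { optedOut } = evaluateOptOut(headers);
  return tags.filter((t) => !optedOut || !t.sharesPI).map((t) => t.name);
}

// Set-Cookie value that persists a click on the "Do Not Sell" link for a
// year, so the opt-out survives the session.
function optOutCookie() {
  return "ccpa_opt_out=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax";
}

// Stand-alone demonstration with constructed requests.
console.log("no signal:   ", tagsToLoad({ Cookie: "session=abc" }));
console.log("GPC header:  ", tagsToLoad({ "Sec-GPC": "1" }));
console.log("opt-out cookie:", tagsToLoad({ Cookie: "session=abc; ccpa_opt_out=1" }));
```

Note that the decision is made where the page is rendered, before any third-party script runs; an opt-out implemented only as a banner checkbox that a pixel has already ignored is exactly the gap the settlement measure addresses.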
CookieScan™ can help with your CCPA compliance
CookieScan has a 'Data Privacy' feature that lets the website owner give site visitors a way to exercise their data protection rights.
The feature adds a line to the banner with a link to 'submit a data privacy request'. Selecting it opens a central window in which the visitor enters their details, the right they wish to exercise and the reason.
One of those rights is the CCPA right to opt out of the sale of personal data, the right Sephora was fined for failing to honour.
The feature also shows that the website owner takes data rights seriously and is accountable under data protection laws worldwide.
Try CookieScan™ with our 30-day free trial, with no obligation to pay. Once you put it on your website you will not want to be without it.