CCPA fines blow GDPR out of the water
The fines of the CCPA, SB-220, and the GDPR compared based on Facebook’s latest privacy violation.
The California Consumer Privacy Act (CCPA) is a groundbreaking piece of regulation on many levels. Its definition of personal information is drawn broadly enough to capture anything that can reasonably be associated with a particular consumer or household. Extensive rights are granted to consumers, imposing reciprocal obligations on businesses. Most of them will have to overhaul their data-handling and IT security processes, backed by an extensive legal review, at an estimated total initial compliance cost of $55 billion.
Despite the fact that 50% of companies complain they don’t fully understand the CCPA, they’re jumping into gear.
And that’s because the material risk of getting fined for CCPA violations is too high to sit back and wait.
The CCPA and SB-220 both impose fines per violation, rather than per violated provision as under the GDPR, which caps the fine for an infringement at €20 million or 4% of worldwide annual turnover (whichever is higher) regardless of how many data subjects were affected. What “per violation” means is therefore the essential question.
The CCPA follows the model of the California Online Privacy Protection Act (CalOPPA), which refers to Section 17206 of the California Unfair Competition Law (UCL). The California Supreme Court interpreted “per violation” in Section 17206 UCL in People v. Superior Court, where penalties were calculated on a per-consumer basis.
Following this logic, the CCPA’s civil penalties (Cal. Civ. Code § 1798.155(b): up to $2,500 per violation and up to $7,500 per intentional violation) would be multiplied by every consumer whose rights have been violated.
Let’s put this into context.
A few days ago, it came to light that Facebook’s iOS app may have been opening the iPhone camera in the background without users’ knowledge. The behaviour, whether feature or bug, was observed on iOS 13.2.2 but not on iOS 12. Video and potentially audio recordings, which could easily be linked to individuals and therefore constitute personal information/data under the CCPA and the GDPR, were collected without the app users’ knowledge, violating the GDPR, the CCPA once it takes effect on January 1, 2020, and potentially SB-220. (1) Assuming approximately 36 million European, 5.5 million Californian, and 650,000 Nevadan users ran the Facebook app on iOS 13.2.2, this could lead to the following maximum penalties (for California alone, 5.5 million consumers times $2,500–$7,500 per violation comes to roughly $13.75–$41.25 billion):
This concrete example shows how the CCPA can expose businesses to far larger penalties than the GDPR. Businesses will rarely be sued for the maximum penalties allowed under the CCPA and SB-220, but the law permits it and sets those anchor points for fines and settlements. Comparing the astronomical amounts in the table above to the $5 billion settlement Facebook reached with the FTC in July this year, the largest penalty in FTC history, gives an idea of the massive impact the CCPA will have.
Companies that defer tackling the CCPA run the risk of facing the steep fines discussed in this post, especially if they underestimate the complexity of becoming fully compliant. A “wait and see” strategy is not an option with the CCPA. Once the Attorney General notifies a business of an alleged violation, it has a mere 30 days to cure the violation and ensure that no further violations of the same type can occur. A broad reading of “cure” would mean overhauling entire processes and IT systems. Failing to do this within that short window might lead to the violation being categorized as intentional, which triples the maximum fine from $2,500 to $7,500 per violation.
(1) Specifically, it would violate Article 7 of the GDPR (lack of informed consent) and California Civil Code Section 1798.100 CCPA (lack of notice). And if Facebook retained the recordings together with an identifier, making the information personally identifiable, NRS 603A.340 (as amended by the Nevada privacy bill, SB-220) would additionally be violated.