Guide to CCPA Violations, Fines & Penalties

By MatrixPoint

CCPA data breach violations, which are any intentional or unintentional violations of the California Consumer Privacy Act, can be very serious infractions for any business or company to endure. Depending on the severity of the violation and whether it is determined if your business intentionally committed violations or not, the data protection fines alone can be catastrophic.

Your business may face private right of action consumer lawsuits for data breaches as well as civil penalties that can be levied by the State of California Attorney General’s office for non-compliance to the CCPA. As a result, CCPA can be a very expensive law for your business to break.

To best understand how to avoid CCPA fines and penalties, you should first examine the scope of the law. You should also continue reading to find out the penalty amounts, how these penalties are going to be measured, who is responsible for enacting any legal action that will be taken against your company, and when you can expect these penalties to start being levied.

We’re going to break all of these factors down for you so that you can better understand all the penalties and fines associated with CCPA.

What is the penalty amount

One of the biggest questions people are asking is “what are the CCPA penalties” and “what are the amounts these penalties will cost?”

The penalties and fines for violating the CCPA, or being found to be non-compliant with the CCPA regulations following notification of a violation and being given 30 days to fix the violations and issues, can range in severity depending on the party that is levying accusations and legal action against you and your business.

CCPA allows for consumer lawsuits to be levied against your business. These lawsuits can include statutory damages of anywhere from $100 to $750 per consumer per incident, or the cost of actual damages caused by a data breach, whichever is the greater sum.

Consumer lawsuits may be brought against a business if “non-encrypted or non-redacted public information” is subject to any “unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” according to Section 1798.150(a)(1).

Essentially, consumer lawsuits are intended to allow for consumer complaints only if and when there is a negligent data breach concerning the personal data and information of a user.

Companies that become victims of a data breach that results in data theft or other security breaches can be ordered, in civil class-action lawsuits, to pay statutory damages between $100 and $750 per California resident and incident involving a California resident, or the cost of actual damages as a result of the breach (whichever is greater). Additionally, you will have to pay for any other charges or relief that a court of law deems to be proper.

Penalty amounts range depending on the type of violation and who is filing a lawsuit against your company. At most, the cap for unintentional violations is $2,500 and the cap on intentional violations is $7,500. Each of these numbers is per violation, not as a total sum as a result of all violations.

How are they measuring the penalties

The State of California and the legislators designed and amended CCPA to protect California consumers’ rights over their personal information and data, which to date is the most stringent data privacy law in the States.

CCPA is similar to the European Union’s General Data Protection Regulation, known as GDPR. However, unlike the GDPR, CCPA grants and allows the consumers affected by any violations to have the right to sue the company involved if a third party obtains unauthorized access to their personal data or information.

Those consumers may then qualify for statutory damages, assuming that they can prove that the security data breach occurred due to a lack of reasonable security procedures such as encryption or redacting specific identifying data.

Under California law, the damages that a company may be faced with include but may not be limited to:

  • $100 to $750 per consumer per incident, or actual damages, whichever is greater
  • Injunctive or declaratory relief
  • Any other relief that the court deems as proper

While assessing the damages, CCPA will direct a court to consider the following:

  • The nature, severity, and persistence of the misconduct or negligence
  • The number of violations incurred
  • The length of time over which the misconduct or negligence occurred
  • Whether or not the violation was intentional
  • The defendant’s assets, liabilities, and overall net worth

Additionally, the law does allow the chance for a business to right any wrongs or cure any inconsistencies or gaps in security before being forced to pay fines or legal fees.

If a consumer files a complaint or class-action civil suit against the business or organization that suffered a breach, the accused party has an allotted 30 days from the date of the complaint to take proper and corrective action before the suit can proceed. If the consumer has suffered financially as a result of a breach in data security, however, the notification is not required and the 30 day curing period may be voided.

What are the differences between intentional and unintentional violations?

It’s important to know and understand the differences between intentional violations of  CCPA and unintentional violations, as both carry their own consequences and implications. Additionally, CCPA fines can vary depending on the nature of the violation, so it’s important to know the distinction ahead of time.

Potential fines under CCPA can cap at $2,500 or $7,500 per violation depending on the violation type.


Intentional Violations:

Intentional violations are rather straightforward, except for where the 30 day curation period comes into play.

When a business chooses not to take any steps to cure or fix a violation of CCPA within thirty days of being notified of a violation, then typically it is seen as solid evidence that the violation in question was intentional. This assumption only takes place if the violation was, in fact, curable to begin with.

As a result of the cure provision of CCPA, all violations where it is possible to cure said violation during the 30-day notification period, but that is not cured by the company in question, could potentially be seen as intentional. This would lead to the possibility of your company being subject to the highest fines.

Typically, the standard of intent is applied at or before the time of the actual violation. In this case, however, there is no enforceable violation until after the notification period has elapsed.

Intentional violations of the CCPA carry fines of up to $7,500 per violation when action is brought against a company by the California Attorney General’s office.


Unintentional Violations:

In contrast to violations determined to be intentional, unintentional violations can also lead to fines and other actions being brought against your business.

Unintentional violations are the violations your company may be facing as a result of being unable or unprepared to provide reasonable data security measures for your users and consumers. If reasonable measures are taken to try to cure these types of violations, your fines and damages to be paid out may be significantly less than they would be otherwise.

The best way to avoid violations altogether, however, is to properly prepare for CCPA regulations before they are enacted and the effective date begins.

Unintentional violations of CCPA allow for penalties up to $2,500 for each violation when action is brought against the company by the State of California Attorney General’s office.

By themselves, the fines for violating the CCPA, intentionally or unintentionally, may not seem like much when you consider that some penalized gross at least $25 million per year. However, these fines are per each violation - if your company has violated the CCPA-protected rights of 1,000 consumers and the violations have been found to be intentional, you’re looking at a fine of about $7,500,000, without accounting for court costs or any additional fines, costs, and damages.

If the Attorney General decides to treat each separate piece of personal information that has been exposed as a result of your violation of CCPA or any blatant negligence, you may have thousands of violations to face. The violations of 5,000 consumers may wind up counting as 30,000 separate violations if your company held at least six pieces of exposed personal data or information about each individual consumer affected.

What this means is that you could quickly be facing multi-million dollar lawsuits for data and security breaches that could have been avoided or easily cured ahead of time.

Who is responsible for legal action?

Primarily, CCPA will be enforced by the State of California’s Attorney General’s office. Actions taken by the Attorney General’s office will carry the most potential for damages, fines, and collections to be taken against or from your business.

CCPA is enforceable by not only the Attorney General of the State of California but also by private litigants and consumers.

Take note that there is technical terminology within the legislation that was included regarding when and how a consumer can bring about a private action claim or civil suit under the statute. The terms included in the legislation provide any covered businesses and those affected by the implication of CCPA as identified by the law with opportunities to cure or otherwise fix certain instances of non-compliance or negligence.

Most notably, CCPA includes the following phrasing:


            “Enforcement by the Attorney General: Violations of the CCPA are enforceable by the California Attorney General, which is authorized to pursue civil penalties of up to U.S. $7,500 per violation.


            “Limited Private Right of Action for Unauthorized Disclosure of Data: Consumers may bring a private right of action against covered businesses in connection with ‘certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s non-encrypted or non-redacted personal information’ if the covered business has failed to implement and maintain reasonable security measures to protect such information. However, prior to commencing an action for statutory damages (U.S. $100 - $750 per incident), the consumer must provide the covered business with 30 days to cure the alleged violation and to respond with a written statement that the violation has been cured.”


Additionally, CCPA has included extra clarifications that are intended to help alleviate or entirely avoid any conflicts with other regulations. These other regulations and laws include HIPAA, the Driver’s Privacy Protection Act, the Gramm-Leach-Bliley Act, and the California Financial Information Privacy Act.

Further revisions to CCPA as it is currently written include the following:

  • The consumer has a right to litigation under CCPA that is only applicable to data breaches, not to violations under any additional sections
  • The CCPA will go into effect on January 1, 2020, and will preempt all relevant local laws
  • The Attorney General of the State of California’s general enforcement of the CCPA will begin “six months after the publication of final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.”

Besides that, consumers are to be given private rights of action under CCPA. If a consumer has opted out of a sale of their data, but their data is sold knowingly and willfully by a business without the consumer’s consent, the business may face statutory damages between $1,000 and up to $3,000 per incident. Alternatively, they may be charged for actual damages caused, and the court will default to whichever cost is greater.

This means that the CCPA will empower consumers to file class-action lawsuits for losses of privacy without requiring them to show any evidentiary loss of property or money.

However, as per Section 1798.150(c), the “cause of action [...] shall not be based on violations of any other section of this title.” This caused it to be relatively well-established that the consumer lawsuits are meant to and are intended to allow for complaints only where and when there is a negligent data breach that concerns the personal information or data of a consumer.

When do penalties start?

The California Consumer Privacy Act goes into effect on January 1, 2020. It will preempt all relevant local laws, but will not breach or violate similar regulations, such as HIPAA and the California Financial Information Act.

Penalties will not be issued under the CCPA by the Attorney General of the State of California until July 1, 2020. This is true unless or until additional regulations pertaining to the CCPA are issued.

There is a look-back window of twelve months that will apply to this law as well. Despite enforcements and penalties being delayed by California’s Attorney General, you may still face litigation after January 1, 2020, when the law goes into effect. For this reason, it is important to comply with the CCPA before that date, or your business may face the threat of class-action lawsuits from negligent data breaches even before the Attorney General can direct litigation.

Class action lawsuits on data breaches can begin as soon as the law goes into effect on January 1, 2020.

It’s also important to note that, even if there has been no breach in security, the California Attorney General’s office can prosecute a business for any general violations of CCPA that they find have taken place or are actively taking place. Examples of this include a business’ failure to respond to a consumer’s requests to view, move, erase, or delete personal information as well as its unauthorized sale of a consumer’s personal information or any sharing of that data.

The Attorney General of California is not exempt from giving your business a thirty-day window to come into compliance with CCPA. If your business does not honor that notification and does not rectify any problems that the Attorney General’s office has identified in those 30 days, the Attorney General will be permitted to impose a civil penalty of up to $2,500 per violation or $7,500 per intentional violation.

Contact MatrixPoint for Assistance

Schedule a consultation with MatrixPoint to learn more about our data privacy management solutions. We will help your business website to be compliant with the CCPA regulations and will assist you in all of your data and privacy needs.



Ready to get started?
Get in contact with us
Get Started