If a consumer complains that the Act has been violated, companies have 30 days to comply with the law. Where a business does not act swiftly or fails to comply, it may face fines of up to $7,500 per case. For a company that deals with thousands of consumer records, intentional or unintentional non-compliance could quickly become costly.
What’s more, thanks to the bill, consumers have the right to sue a company for the first time – either individually or as a class. At the moment, it’s not known what statutory damages in the event of a class-action lawsuit could look like or what the upper threshold may be. Companies are therefore advised to take the Act seriously and ensure they comply. However, companies can avoid fines and lawsuits as long as they respond to customers within 30 days and make any requested amendments swiftly.
For unauthorized access and data breaches (for example, theft or negligence), the Act states that consumers can receive damages of between $100 and $750 per customer per incident.
Because many large businesses in the US also provide products and services in Europe, they will have already updated their privacy policies to comply with the GDPR. As such, they’re already on track to comply with much of the CCPA as some of the provisions are similar between the two. But how similar are the CCPA and the GDPR?