CCPA enforcement and the rising cost of non-compliance

Originally published in January 2019 as “GDPR fines: Lessons learned from the first.” Updated July 2020.

After petitions for a delay were denied, today marks the beginning of California’s official CCPA enforcement. Unintentional violations incur a $2,500 fine, while penalties for intentional violations are three times as costly. More regulations have been introduced around the country and CPRA, a second privacy law that would modify CCPA, is on California’s November ballot. As privacy regulations gain traction and more fines are publicized, public attention to data privacy is exploding—and the cost of non-compliance is rising.

GDPR enforcement: A blueprint for CCPA expectations

As companies prepare for CCPA enforcement, it’s prudent to review how GDPR fines have evolved. Organizations across industries have been penalized, resulting in a whopping $558,419,585 (€497,188,353) in major fines to date. Some of the better-known cases have occurred in healthcare, telecommunications, banking, and more. We’ve chosen illustrative examples from each of the past three years.

2018

Not long after GDPR enforcement began in May 2018, Portugal’s supervisory data privacy authority, the Comissão Nacional de Protecção de Dados (CNPD), fined Centro Hospitalar Barreiro Montijo 400,000 euros for three GDPR violations. (The fines were reportedly imposed in July 2018 but were only later made public.)

According to the CNPD’s investigation, the hospital had 985 users associated with the profile of “doctor”; however, according to HR records, the organization only employs 296 physicians. The investigation revealed a long list of related facts, such as missing documentation and continued maintenance of profiles for inactive doctors; for more details, see the IAPP article on the investigation.

In this instance, the three GDPR violations cited by the CNPD were:

• Allowing indiscriminate access to patient data by an excessive number of users (GDPR Articles 5(1)(c) and 83(5)(a)), incurring a fine of 150,000 euros
• Failure to prevent unlawful access to personal data (Articles 5(1)(f) and 83(5)(a)), incurring a fine of 150,000 euros
• Failure to ensure the continued confidentiality, integrity, availability, and resilience of treatment systems and services (Article 32(1)(b)), incurring a fine of 100,000 euros

2019

German telecommunications provider 1&1 incurred a fine of nearly 10 million euros for improper security of customer data in their call centers. Anyone dialing the company’s customer service line could gain unauthorized access to private data simply by providing a customer’s name and birthdate. The German Federal Data Protection Authority specified that 1&1 lacked proper “technical and organizational measures to prevent unauthorized access,” a fact the company appealed given an improvement in their processes since the original infraction.

2020

In May 2020, an unnamed company in the Netherlands was fined 725,000 euros for misusing employee biometric data. Court documents emphasized both the uniqueness and permanence of biometrics, in this case human fingerprints, when compared to changeable data such as passwords.

CCPA citations to date

Since January 1, 2020, numerous civil cases have been filed citing CCPA violations. Though CCPA does not contain a private right of action for non-security breach violations, plaintiffs are citing CCPA violations as basis for claim under other causes of action like unfair competition laws and some allege causes of action directly under CCPA.

• Zoom Video Communications is facing multiple lawsuits over their collection and use of PII, including failing to prevent unauthorized disclosure.
• Facial recognition pioneer ClearviewAI has been accused of “improper collection and sale of PII” under CCPA and the Illinois Biometric Information Privacy Act (BIPA).
• Online paper goods distributor Minted, Inc., faces a lawsuit after a security breach brought their maintenance of “reasonable security measures” into question.

Takeaways for today’s compliance

• 1. Data privacy readiness isn’t just about data breaches and requests for erasure: Some companies’ primary concerns around data privacy regulations focus on breach notification procedures and accommodating requests from data users; the healthcare case, however, highlights the importance of controlling access to personal data. It’s vital to understand the entire scope of the regulation as it applies to your company and to align your organization with each requirement.
• 2. It’s not just about big companies: Some companies may believe they can fly under the data privacy regulation radar because they’re not “a Google” or “a Facebook,” but smaller organizations are just as likely to be investigated and fined.
• 3. Document, document, document: Lack of documentation around issues such as rules for creating users and the connection between users’ functional competences and their profiles can escalate fines. Make sure that you have current, thorough, and accurate documentation for all areas concerning your organization’s alignment with data privacy requirements.
• 4. Biometric data deserves special attention: As companies now grapple with returning employees to the office, safety procedures like personal temperature checks and symptom cataloguing are increasing the importance of data privacy compliance.
• 5. The risks are more than financial: Privacy infractions have the potential to significantly damage a company’s reputation and erode trust for customers and employees. Businesses should recognize that penalties and bad press will be more than a one-time cost, especially in the context of office re-openings and an increase in online activities during stay-at-home orders.
• 6. Regulators aren’t waiting for complaints to take action: Cases can come to the attention of regulators in a variety of ways. The CNPD investigation, for example, was triggered by a news story, not an official complaint.
• 7. Complaints are coming: Though some private lawsuits have already been filed, today’s official enforcement of the CCPA ushers in what will likely be a higher frequency of litigation. With CPRA (CCPA 2.0) on the ballot in California’s November’s election, businesses can expect increasing pressure to comply with GDPR, CCPA, and future laws.

Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.

Executive Team member Kevin Moos is recognized for his experience with knowledge management systems. He has lent his expertise to several prestigious industry panels on enterprise content management and other topics.