The emergence of data protection laws has given greater meaning to how customers and businesses view consent in the context of collecting personal data from consumers. In recent years, regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) regulate how personal data is shared with businesses and third parties. Upcoming regulations that will go into effect in 2023 include the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), The Utah Consumer Privacy Act (UCPA), and an update to the CCPA in the form of California Privacy Rights Act (CPRA). Each regulation has a specific jurisdictional threshold, and some differ in their approach to whose and what types of personal data are protected.
These current and upcoming regulations will affect most, if not all, businesses in today’s globalized economy, and require many businesses to grow their data privacy teams. Penalties can be incurred by those who do not comply with the privacy requirements. As described below, in addition to the differences in each jurisdiction’s approach to enforcement, the size of related penalties can vary significantly.
GDPR (General Data Protection Regulation)
Non-compliance with GDPR can result in administrative fines of up to €20 million or 4% of total global annual turnover for the previous financial year, whichever is larger. [1] The GDPR regulation is thought to be one of the most stringent in its approach to how data is governed, and the consequences of being non-compliant illustrate that point.
CCPA (California Consumer Privacy Act)
Violations of the CCPA can result in civil penalties of up to $7,500, per violation, for willful violations and $2,500, per violation, for inadvertent violations after notice and a 30-day opportunity to cure has been provided. [2] Consumers may seek statutory damages of not less than $100 and not more than $750 per consumer per occurrence, or actual damages, whichever is greater, in proceedings brought by them for security breach violations.
CPRA (California Privacy Rights Act)
Proposition 24, or the CPRA, was approved by California voters on November 3, 2020. [3] It modifies and expands the CCPA significantly. However, penalties incurred for non-compliance with the CPRA are consistent with those previously listed for the CCPA.
VCDPA (Virginia Consumer Data Protection Act)
If a controller or processor continues to violate the VCDPA after the cure period* has expired, or if the controller or processor fails to comply with an express written statement provided to the Attorney General, the Attorney General may bring an action on behalf of the Commonwealth, seeking an injunction to prevent further violations of the VCDPA as well as civil penalties of up to $7,500 per violation. [4]
* The VCDPA will be enforced by the Virginia Attorney General and allows for a 30-day cure period
CPA (Colorado Privacy Act)
The Colorado Consumer Protection Act defines a violation as a deceptive trade practice, and while the CPA does not specify a penalty amount, the Colorado Consumer Protection Act does. The Colorado Consumer Protection Act stipulates a penalty of up to $20,000 per violation. [5]
UCPA (Utah Consumer Privacy Act)
The Attorney General has exclusive enforcement responsibility, and entities must be notified in writing of any suspected violations and given a 30-day window to correct them. They may file a lawsuit for uncured offenses and seek real damages from the consumer as well as civil fines of $7,500 per violation. [6] There is no private right of action, and state and local privacy laws are specifically preempted by the statute.
While the penalties vary, it is clearly demonstrated in these regulations that consumer data protection should be a priority going forward for businesses, and that non-compliance could be a large issue for those that do not have organizational data privacy policies in place.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
[1] https://gdpr-info.eu/issues/fines-penalties/
[2] https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
[3] https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
[4] https://lis.virginia.gov/cgi-bin/legp604.exe?211+sum+SB1392
[5] https://leg.colorado.gov/bills/hb19-1289
[6] https://le.utah.gov/~2022/bills/static/SB0227.html
