They thought their data practices were airtight—until CPRA fines turned their compliance checklist into a million-dollar lesson.
This blog will discuss some case studies of CPRA violations costing companies more than expected.
Under the CPRA, businesses are accountable to consumers for taking reasonable measures to safeguard all the personal data they hold.
Of course, the consequences of non-compliance could go beyond fines to include consumer lawsuits and distrust.
Understanding the impacts and lessons learnt from these case studies, alongside building robust privacy practices, is the best way to avoid high monetary penalties.
If you are new to the CPRA, here is a brief explanation before we get into the details of the fines.
Overview of the CPRA
The CPRA was enacted in 2020. The law aims to strengthen the existing CCPA to protect consumer information.
Users were given enhanced control of their personal information, including their geolocation, health, and many other things initially lacking under the previous law.
The CPRA's fines and penalties model was introduced to enforce the stricter rules with tougher punishment for violators.
Background and Need for the CPRA
Before we dig deeper into the fines and penalties imposed under the CPRA, it is worth knowing the background and the reasons behind its creation.
Global Privacy Concerns
The decision was not taken lightly. Online services now reach most people; everything from shopping and booking hotel rooms to making doctor appointments is done online today.
Left unmonitored and unchecked, the personal data these services collect becomes a hazard. Moreover, incidents such as Cambridge Analytica have made stronger privacy protection necessary.
If you are wondering whether anyone has been fined under the CPRA, read on: we will discuss several major data breach scandals and incidents to help you understand why the CPRA is vital to consumers and businesses.
Influence of GDPR
No one would deny that the EU's General Data Protection Regulation (GDPR) was the model from which California drew inspiration in this attempt to protect personal data.
The strength and effectiveness of the GDPR inspired California's authorities to offer the same protection to their residents.
Why the CPRA Was Needed
The CPRA is not just a law but a protective shield against violations of user privacy, and it was badly needed to ensure user safety.
Data Collection Oversight
It requires greater transparency about how businesses collect and use personal data.
Protection for Children
The act prescribes harsher provisions for data relating to children: parental consent is mandatory for individuals younger than 13 years, and age verification must be sought for all individuals below 16 years.
Business Accountability and Compliance
Companies must adequately safeguard personal information and disclose how children's data is handled. Non-compliance invites heavy penalties.
The General Applicability of CPRA
- The CPRA applies to every enterprise whose revenue is $25 million or more for the relevant year.
- It applies to every enterprise that derives at least half of its yearly income from selling or sharing personal information.
- It applies to every enterprise that processes the personal information of 100,000 or more consumers.
CPRA Fines Overview
An organisation can face a penalty for breaching any CPRA (CCPA) regulation: up to $7,500 for each deliberate violation of the rules or $2,500 for each unintentional one.
Violations Can Pile Up
Each instance in which a business breaches the CCPA counts as a separate "violation," so the penalty becomes severe when the same rule is broken more than once a day.
How Violations Work
A violation is counted each time a consumer's rights are violated, so the number of violations scales with the number of consumers affected; if the mistake affected only one person, it counts as just one violation.
Lower Penalties for Small Businesses
Not every organisation receives the maximum fine. Smaller companies, or those that have made a genuine effort to comply, may pay lower penalties, because the law leaves room for companies that try to do the right thing.
Notable CPRA Fines You Should Know
Every penalty case under the CPRA is an essential lesson for any business that handles data on Californian consumers. These cases highlight issues that demand proactive compliance to preserve consumer trust and the company's financial viability.
Zoom Video Communication Inc. (April 2020)
Zoom Video Communications gained popularity during the COVID-19 pandemic, as lockdowns forced companies to work remotely to keep staff safe.
This is when Zoom entered the market with its distinctive features and functionality. Yet it was soon accused of violating the CPRA.
Introduction
The Zoom case was founded on the company's data-sharing practices, which violated the privacy provisions of the CCPA (since extended by the CPRA).
It followed the discovery that the company was sending unnecessary personal information about its users to third parties such as Facebook.
This included details such as the device model, OS type, and screen size, none of which needed to be sent to provide Zoom's core service.
Key Facts of the Case
- Zoom admitted that it had transmitted user data to Facebook without gaining explicit consent. Data transferred included device specifications, time zone, and operating system details.
- The lawsuits were based on the violation of the CCPA, as the data-sharing practices of the platform allegedly violated the law in terms of transparency and consumer rights.
- The plaintiffs did not plead a data breach per se but contended that data sharing was unauthorised disclosure.
Settlement and Outcome
- Zoom settled the complaint by agreeing to pay affected consumers $85 million. The settlement also required Zoom to change its privacy practices and refund consumers.
- In addition, Zoom agreed to implement over a dozen security and privacy-related changes to its platform.
Impact on Business
- The case inflicted reputational damage on Zoom, which had grown rapidly during the pandemic. Although the company was never at risk of closing, the settlement called for substantial changes to its security and privacy practices that may increase its operational costs.
- The case set a precedent for CCPA claims that do not involve a data breach, requiring tech firms, among others, to be transparent about how personal data is handled.
Sephora (August 2022)
The Sephora case is one of the most significant enforcement actions performed under California’s privacy laws.
From a business perspective, the case is an eye-opener on how companies should respond to the stringent requirements of the CCPA and CPRA.
Introduction
In August 2022, Sephora signed a $1.2 million settlement with the California Attorney General after being charged with violating the CCPA.
This was among the first high-profile enforcement actions under the law, with California authorities pointing out non-compliance with provisions related to the sale of consumer data and transparency in privacy practices.
Key Facts of the Case
- Sephora allegedly shared consumer data, including geolocation and behavioural information, with third-party analytics and advertising companies without proper disclosure of the practice or an opt-out. The CCPA considers such sharing a "sale" of data, and the consumer must be given a clear choice to opt out.
- Sephora did not post the "Do Not Sell My Personal Information" link on its website and ignored browsers' Global Privacy Control (GPC) signals, which convey opt-out requests.
- The Attorney General gave Sephora a 30-day cure period but determined that the company was not in compliance at the end of that time.
Settlement and Outcome
The beauty retailer agreed to a $1.2 million fine and to implement several compliance measures:
- Update its privacy notices to reflect data-sharing practices.
- Provide for opt-out options and include recognition of GPC signals.
- Reform service provider agreements in light of privacy laws.
- Implement internal monitoring programs to ensure continuous compliance.
Impact on Business
- This case shows how businesses are expected to treat data sharing and consumer rights under the CCPA/CPRA.
- It clarified that data transfers for analytics or advertising purposes can be considered a "sale," greatly widening the regulators' reach.
- Businesses were put on notice to provide opt-out mechanisms and to honour new standards such as GPC.
- Non-compliant businesses risk financial penalties, reputational damage, and increased scrutiny from regulators.
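The Sephora settlement turned on a concrete technical control: recognising the browser's Global Privacy Control signal as a valid opt-out of sale or sharing. The signal arrives on every HTTP request as the header `Sec-GPC: 1`, and a site that loads advertising or analytics tags regardless of it is in the position Sephora was in. The following is an added example, not code from the original post or from Sephora: a small Node.js module that checks the header and decides which third-party tags a page may load. The tag catalogue, the request headers and the `storedOptOut` flag (standing in for a preference saved when a consumer clicks a "Do Not Sell or Share" link) are constructed sample values.

```javascript
// Added example (not from the original post): honouring the Global Privacy
// Control (GPC) signal on the server side. GPC is sent as the HTTP request
// header `Sec-GPC: 1`; a business that sells or shares personal information
// must treat it as an opt-out. Sample requests and tags below are constructed.

/**
 * Returns true when the request carries a valid GPC opt-out signal.
 * The spec defines only the value "1"; any other value is not a signal.
 * HTTP header names are case-insensitive, so both spellings are accepted.
 */
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

/**
 * Decide which third-party tags may load for this request.
 * `tags` is a list of { name, purpose } where purpose is one of
 * 'essential' | 'analytics' | 'advertising'. A GPC signal, or a stored
 * opt-out from a "Do Not Sell or Share" link (hypothetical flag), suppresses
 * every tag that would disclose personal information to a third party.
 */
function resolveTagPolicy(headers, storedOptOut, tags) {
  const optedOut = Boolean(storedOptOut) || hasGpcSignal(headers);
  const allowed = [];
  const blocked = [];
  for (const tag of tags) {
    if (tag.purpose === 'essential' || !optedOut) {
      allowed.push(tag.name);
    } else {
      blocked.push(tag.name);
    }
  }
  return { optedOut, allowed, blocked };
}

// Constructed sample catalogue of tags a retail site might embed.
const SAMPLE_TAGS = [
  { name: 'checkout-js', purpose: 'essential' },
  { name: 'analytics-pixel', purpose: 'analytics' },
  { name: 'ad-network-pixel', purpose: 'advertising' },
];

// Constructed sample requests: one browser sending GPC, one not.
const GPC_REQUEST = { 'user-agent': 'ExampleBrowser/1.0', 'sec-gpc': '1' };
const PLAIN_REQUEST = { 'user-agent': 'ExampleBrowser/1.0' };

// Stand-alone demonstration: prints the policy each request would receive.
console.log(JSON.stringify(resolveTagPolicy(GPC_REQUEST, false, SAMPLE_TAGS)));
console.log(JSON.stringify(resolveTagPolicy(PLAIN_REQUEST, false, SAMPLE_TAGS)));
```

In a real deployment the `headers` object is the one Node's `http` module or a framework such as Express exposes on the request, and the decision should be logged so that an auditor can show the signal was honoured; on the client side the same preference is visible as `navigator.globalPrivacyControl`, which lets a page-level consent script reach the same decision before any tag fires.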
Tilting Point Media LLC
Tilting Point Media LLC, a prominent gaming company, was heavily fined by the California Attorney General for violating CPRA requirements regarding children’s privacy.
The infringement stemmed from a lack of proper protective measures for the personal data collected by its mobile game, primarily children's data; failures to comply with data privacy regulations were identified as the key issue.
Introduction
This game, based on a children's franchise, collected personal details from its users, most of whom were under 13 years old. Its age screen was not neutral, which could prompt children to lie about their age.
Key Facts of the Case
- Misconfigured third-party SDKs allowed users' data to be collected without obtaining proper permissions.
- The application violated COPPA and CARU guidelines.
- Data was collected in ways that were not fully transparent, violating the CCPA and COPPA.
Settlement and Outcome
- Tilting Point Media LLC agreed to settle with the California Department of Justice and the Los Angeles City Attorney's Office. The agreement provides for:
  - Civil penalties of $500,000.
  - Comprehensive compliance measures, including:
    - Neutral age screens.
    - Improved SDK configuration.
    - Annual reporting and governance frameworks for data collection.
    - Limits on the collection and sharing of children's personal data without parental consent.
Impact on Business
- The case exposed serious lapses in children's privacy, which undermine consumer trust.
- The company may have to modify its data governance practices and consequently incur additional operating expenses.
- The settlement underlines the need for strict compliance with all privacy laws and thus sets a precedent for other companies.
How to Avoid CPRA Fines?
Test your CPRA compliance whether you run a big or small business: one misstep can lead to a considerable fine and damage your business reputation. Companies must be proactive in their readiness and alignment to avoid penalties for violating the CPRA.
Know and Map Your Data
Use automated data mapping tools to track the flow of personal information through your organisation. This helps you identify and secure sensitive data and ensures proper handling and transparency.
Privacy Policies Update
Update your privacy policy to meet CPRA requirements. Consumers must be informed of how you collect, use, and share their personal information.
Consumer Rights Empowered
Create a procedure for consumers to access, correct, or delete their data. Automate the handling of Data Subject Access Requests so that the CPRA's 45-day response deadline is met.
Consent Management
Implement a complete consent management solution, such as the one offered by Seers, through which a person grants consent and deletion requests are processed.
Seers also offers customised consent banners along with the processing of deletion requests.
Data Security
Strong cybersecurity measures must now be demonstrated in the protection given to consumers' data, and regular risk assessments should be carried out.
With solutions such as the Privacy Risk Assessment offered by Seers, you can understand your vulnerabilities and thus mitigate the risk of a data breach.
Employee Training
Specific CPRA training will help employees understand their part in compliance, handle consumer data correctly, and respond when compliance requirements change.
FAQs
When does the CPRA take effect?
The CPRA took effect on January 1, 2023, marking a significant update to consumer privacy rights in California.
Are non-profits exempt from the CPRA?
Non-profits are generally exempt unless they meet certain conditions, such as earning substantial revenue from consumer data or processing large amounts of personal information.
Do businesses get a cure period under CPRA?
Under the CPRA, businesses no longer have an automatic 30-day cure period. The enforcement agency determines if a cure period is allowed for violations.