May 7, 2024

An Insight into Privacy Regulation Enforcement Trends: Analyzing Fines under GDPR and CPRA

With the increasing concern about data privacy and protection, governments worldwide have continued to enact regulations to safeguard the rights of consumers. A growing means to meet these ends have been through the use of punitive incentives, as seen with the 2020 amendment, the California Privacy Rights Act (CPRA), to the California Consumer Protection Act (CCPA).  

This amendment oversaw the creation of the California Privacy Protection Agency (CPPA), the first state agency dedicated to privacy protection. Their main power resides in their ability to impose administrative fines for violations. They have the oversight to increase penalties based on the nature and severity of the violation. With an added focus given to violations that affect consumers under the age of 16. Enforcement was postponed to 2023, but this buffer quickly evaporated into only a handful of months to reach compliance. While this is a new phenomenon in the United States, the European Union’s General Data Protection Regulation (GDPR) can be used to contextualize what these fines will look like for organizations since the GDPR imposes similar fines for non-compliance and has a similar structure of enforcement due to the administration of fines being dictated by national authorities.

Recent GDPR Trends

GDPR enforcement has increasingly become a topic of interest amongst news sources and industry professionals because of an uptick in recent landmark fines. Attention-grabbing fines include Google being fined $391.5 million in 2022 and Instagram receiving a fine of $403 million in the same year. These fines highlight the potential enforcement of other privacy regulations, especially ones that draw on the GDPR style. The California Consumer Protection Act (CCPA) is one such law, as it first borrowed from the GDPR’s Data Subject Rights and is now taking inspiration from its administrative fines structure via the enactment of the CPRA. 

High-Level Description of GDPR Fines:

The fines for non-compliance under the GDPR can be substantial and determined by national authorities. The GDPR follows a philosophy of having effective, proportionate, and dissuasive penalties for each  case. 

  • For more severe violations, these fines can be up to 20 million euros, or 4% of the total global turnover of the preceding fiscal year, whichever is higher. 
  • For less severe violations, fines can be up to 10 million euros, or 2% of the entire global turnover of the preceding fiscal year, whichever is higher. 

These fines are to hold organizations accountable for protecting the personal data of individuals and ensure compliance with the GDPR’s privacy requirements.

High-Level Description of CPRA Fines:

Under the CPRA, organizations can face significant fines for violating privacy requirements. The CPRA allows for both administrative fines and Civil Penalties. Both have the same fee structure. 

  • Up to $2,500 for each violation 
  • Up to $7,500 for each intentional violation or violation concerning consumers known to be under 16.

Notably, the CPRA does not require organizations to have actual knowledge that a consumer is under 16 to be subject to these higher fines.

Recent CCPA/CPRA Trends

Sephora has become one of the most notable CCPA fine recipient. California Attorney General Rob Bonta announced that Sephora was found in violation of the CCPA due to a failure to disclose to customers that the company was selling their personal information. Sephora is not only required to pay $1.2 million in penalties but is also required to do the following:

  • Clarify that they sell customers via their online disclosures and privacy policy. 
  • Provide mechanisms for consumers to opt out of the sale of personal information. 
  • Review and fulfill its service provider agreements to the CCPA’s requirements.
  • Provide reports to the Attorney General relating to its sale of personal information, the status of its service provider relationships, and its efforts to honor Global Privacy Control

Conclusion:

The EU and California are two governments that have established themselves as trendsetters in privacy regulations, leading the way with robust and comprehensive data protection laws prioritizing individual privacy rights. Punitive-based models of compliance are the next step they are taking to protect personal information. 

Organizations must prioritize compliance to protect their consumers’ personal data and protect themselves from financial damages imposed by fines. The net new compliance asks are the common areas that organizations overlook or misinterpret.  Data subject requests and privacy disclosures are the most common citations for violations since they are new asks and are the most public facing.  

Adjusting to the CPRA and avoiding violations is made more accessible when organizations take an in-depth look at their operations, understand what and why is collected, and have effective communication with their customers.  

We Can Help

Tevora has provided comprehensive data privacy compliance services for organizations across industries and of all sizes. If your organization is under the purview of the CCPA/CPRA, or a similar privacy regulation, Tevora can help you understand the requirements your organization is required to meet and provide a clear path toward compliance.  If you would like to talk to an expert just give us a call at (833) 292-1609 or email us at sales@tevora.com

Discover in-depth government resources