With various state-level data protection laws coming into force across the US, what possible fines could a business face for violating any of those laws?
In the United States, while there isn’t a comprehensive federal data protection law, more and more state laws governing the protection of personal data are coming into force, imposing their own fines for infractions. While some of these laws are set to be enforced in the near future, extending from later in 2024 through to the beginning of 2025 and into 2026, a number are already in place and actively being enforced. Businesses found in violation of these regulations could face substantial penalties. One of the pioneering state level privacy laws, California Consumer Privacy Law (CCPA) has been enforceable from January 2020, formed part in a multistate settlement as high as $93 million, as was the case with Google, following allegations that its location-privacy practices violated consumer protection laws. The settlement was the result of a multi-year investigation by the California Department of Justice that determined Google was collecting, storing, and using their location data for consumer profiling and advertising purposes without informed consent. In addition to paying $93 million, Google also agreed to accept injunctive terms to deter future misconduct.
Under some US data protection laws like the CCPA for example, the Attorney General imposes fines for each violation, and consumers are also allowed to claim for damages.
Under the CCPA, businesses may incur fines up to $7,500 per intentional violation and up to $2,500 per unintentional violation, with an opportunity to correct unintentional violations within 30 days to avoid fines. Additionally, with this legislation, there is a provision for citizens’ private right of action, allowing consumers to seek damages between $100 and $750 per incident, or actual damages if greater, for unauthorized access, theft, or disclosure of their non-encrypted and non-anonymized personal data, due to inadequate security procedures by a business. Those potential fines given by the California Attorney General might seem pretty insignificant compared to other pieces of legislation such as the GDPR, but it should be noted, though, that the California attorney fines for each case of a violation or each affected consumer per incident separately. What is even more important to note is that there’s no upper limit to the amount of the CCPA penalties, so the amount can quickly add up.
A single incident could result in several violations, depending on the number of consumers affected, and the number of enforceable state laws violated.
In the case of an unintentional violation which affects 10,000 consumers, this incident would be regarded by the Attorney General as 10,000 individual violations, resulting in a potential $25 million fine. If the violations were regarded as intentional this would amount to $75 million. With consumers also allowed to seek damages under the CCPA due to citizens’ private right of action, lawsuits for statutory damages of $100-$750 per violation are also possible. The citizens’ private right of action does not apply to other US state data privacy laws which are already effective like the Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CDPA), Utah Consumer Privacy Act (UCPA), and Virginia Consumer Data Privacy Act (VCDPA). In any case, these laws share many similarities with regard to what constitutes true compliance with similar sanctionable offenses. For this reason, if the data affected in the case of a mass violation includes data of consumers within several states, it is very likely that the company will be subject to fines, not just in one state, but in each state where the privacy law is already enforceable, and in which there were violations. Evidently, one incident could turn into several thousands of violations across several states with enforceable privacy laws. By the end of 2024, the Montana Consumer Data Privacy Act (MCDPA), Oregon Consumer Privacy Act (OCPA) and Texas Data Privacy and Security Act (TDPASA) will also be enforceable and should also be taken into account as soon as possible if your business collects data from consumers in those states as well.
Businesses are encouraged to implement a data protection strategy to ensure the protection of the personal data of consumers, and compliance with data protection laws.
To avoid fines for violating US data protection laws, businesses are advised to adopt several key practices. It is helpful that businesses be aware of which laws apply to them. It is worth reiterating that many of these state laws share similarities, meaning that in some cases, a single action may suffice to ensure compliance across several regulations, streamlining the process for businesses in the efficient protection of personal data. However, implementing an internal data protection policy and the relevant procedures is crucial. This policy should clearly outline how the business intends to protect personal data, ensuring all members of the organization understand their role in safeguarding personal information. Anyone within the organization who has access to personal data should be thoroughly trained on adherence to this policy to prevent breaches. Additionally, businesses must take proactive measures to guard against unauthorized access, use, or disclosure of personal data. In the event of a data breach, it’s essential to act swiftly to notify affected individuals, as well as take steps to mitigate the damage.
