Failing to respect your customers' privacy can result in reputational harm, loss of personal information, and wasted resources. Increasingly, it can also put you in violation of the law, and lead to large fines and legal claims.

No matter where your business operates, there is almost certainly at least one privacy law it must obey.

The headline-grabbing, multimillion-dollar fines available under these laws are real, and they can also hit smaller businesses that do not take proper care of personal information.

We're going to look at possible sanctions under five of the most important privacy laws worldwide.

CalOPPA (California)

The California Online Privacy Protection Act (CalOPPA) is one of the widest-reaching privacy laws in the world. It was the first law in the United States to require website operators to create a Privacy Policy.

Who Does CalOPPA Apply to?

CalOPPA applies to any "operator" of a commercial website, online service, or app that collects "personally identifiable information" (PII) from consumers in California.

This includes operators based outside of California.

What Types of Sanctions and Remedies are Available Under CalOPPA?

  • Civil penalties: The California Attorney-General can pursue a fine from an operator on behalf of the people of California of up to $2,500 per consumer, per violation
  • Private right of action: Consumers can bring private legal claims against operators

This can add up to many millions of dollars, for example where thousands of consumers download a non-compliant app or visit a non-compliant website. Each download/visit will be an individual violation.

A private legal claim could result in "actual damages," i.e. the amount of money actually lost by the consumer as a result of the operator's CalOPPA violation.

It could be difficult for a consumer to prove that they have lost money as a result of a business failing to post a Privacy Policy on its website or app. However, the consumer might argue that they would have paid less for the business's services had they been given proper notice of the business's practices.

An operator may violate CalOPPA either:

  • Knowingly and willfully
  • Negligently and materially

An operator can violate CalOPPA by failing to do one or more of the following things:

  • Creating a Privacy Policy
  • Including all the relevant information required under CalOPPA in its Privacy Policy
  • Conspicuously posting the Privacy Policy on its website, online service, or app
  • Updating the Privacy Policy as required
  • Informing users about updates to its Privacy Policy
  • Collecting PII in accordance with its Privacy Policy

The Attorney-General must give the business 30 days' notice before pursuing a civil penalty. If the operator effectively cures the violation within this time, by conspicuously posting a compliant Privacy Policy, then it will escape the penalty.

CCPA/CPRA (California)

The California Consumer Privacy Act (CCPA) has caused thousands of businesses operating in California to review their practices and change the ways they collect, use, and sell consumers' personal information.

The CCPA was amended by the CPRA, with the amendments taking effect on January 1, 2023.

While the law is sometimes said to target social media corporations and "data brokers," more and more businesses are coming to realize that the law applies much more broadly.

Who Does the CCPA (CPRA) Apply to?

The CCPA (CPRA) applies to any business operating in California that decides how and why to collect personal information, providing it meets one of the following three thresholds:

  1. It has annual gross revenues in excess of $25 million
  2. It annually buys, sells, receives or shares for commercial purposes the personal information of at least 100,000 consumers, devices or households
  3. It derives at least 50 percent of its revenues from the selling or sharing of consumers' personal information

This includes companies based outside of California.

Note that a company may fall under the second threshold by using third-party cookies for tracking or analytics purposes.

The CCPA (CPRA) also applies to "service providers" who process personal information on behalf of a business.

What Types of Sanctions and Remedies are Available Under the CCPA (CPRA)?

The CCPA (CPRA) provides two means by which to sanction non-compliant companies:

  • Civil penalties: The California Attorney-General can pursue a fine from a business, service provider, or other person on behalf of the people of California
  • Private right of action: Consumers can bring private legal claims against businesses for:

    • Actual damages: An amount of money actually lost by a consumer resulting from the loss of their personal information by the business
    • Statutory damages: An amount of money determined by the court that is based on the nature of the business's misconduct and not directly tied to any loss by the consumer

Civil penalties pursued by the Attorney General can be:

  • Up to $7,500 per intentional violation
  • Up to $2,500 per unintentional violation

Violating any part of the CCPA (CPRA) can result in a civil penalty. Possible violations include failing to:

Claims under the CCPA/CPRA's private right of action are only available where a business has failed to properly secure personal information, resulting in its access and exfiltration, loss, or theft (i.e. where there has been a data breach).

Businesses must receive 30 days' notice before the Attorney-General can pursue a civil penalty, or a consumer can pursue statutory damages. If the business "actually cures" their alleged CCPA violation within this period, the case will not proceed.

An individual consumer bringing a case for actual damages does not need to provide notice.

COPPA (United States)

The United States has notoriously weak privacy law, relying on a patchwork of state-by-state statutes and industry-specific regulations.

The Children's Online Privacy Protection Act (COPPA) is the exception. COPPA applies all over the United States and protects children's privacy across every industry.

Who Does COPPA Apply to?

COPPA applies to operators of commercial websites, online services, and apps that are directed to children (minors under the age of 13) or knowingly collect the personal information of children.

"Personal information" includes persistent identifiers such as IP addresses and device IDs, which brings targeted advertising to children under the scope of COPPA.

COPPA also applies to content creators using third-party online services such as YouTube. According to the Federal Trade Commission (FTC), when using a third-party platform, "COPPA applies in the same way it would if the channel owner had its own website or app."

COPPA applies to non-U.S. operators that knowingly collect the personal information of children in the United States.

What Types of Sanctions and Remedies are Available Under COPPA?

Violating COPPA can lead to a civil penalty under the FTC Act, which is regularly adjusted for inflation and currently stands at up to $43,280 per violation.

In the world of digital advertising, this can add up to some extremely large figures. For example, in 2019, the FTC and Google settled a case for $170 million after YouTube was alleged to have violated COPPA.

There is no private right of action under COPPA. However, this has not prevented parents pursuing class-action lawsuits against operators, claiming that non-compliance with COPPA provisions has violated their children's civil rights to privacy.

An example is the 2019 case against TikTok, settled for $1.1 million.

An operator can incur a civil penalty by failing to:

  • Notify parents of its information practices
  • Obtain verifiable parental consent for the collection, use, or disclosure of children's personal information
  • Let parents prevent further maintenance, use, or future collection of their child's personal information
  • Provide parents access to their child's personal information
  • Collect from a child only the personal information that is reasonably necessary to participate in an activity
  • Maintain reasonable procedures to protect the confidentiality, security, and integrity of children's personal information

GDPR (European Union)

The EU General Data Protection Regulation (GDPR) has totally changed the face of the internet and brought hundreds of thousands of businesses worldwide under the jurisdiction of EU privacy law.

Who Does the GDPR Apply to?

The GDPR applies to "data controllers" and "data processors," which can be individuals, non-profits, or businesses of any size.

A "data controller" decides how and why to collect, use, or process personal information. Most businesses are data controllers in respect of some personal information.

A "data processor" processes personal information on behalf of a business.

See our article "GDPR Data Controller vs. Data Processor" for more information.

The GDPR applies to any non-EU company that:

  • Offers goods and services to people in the EU, or
  • Monitors the behavior of people in the EU, including by tracking their online activity with cookies and other personalized advertising tools

The GDPR continues to apply in the UK despite the country's withdrawal from the EU. Like every EU member state, the UK also has its own privacy legislation. In the UK, this is called the Data Protection Act 2018. This law refers to the GDPR throughout.

What Types of Sanctions and Remedies are Available Under the GDPR?

The GDPR contains two main monetary sanctions:

  • Administrative fines issued by the EU's Data Protection Authorities (DPAs). These can amount to:

    • For less serious violations, up to €10 million (approximately $11 million) or 2 percent of total worldwide turnover (whichever is greater)
    • For more serious violations, up to €20 million ($22 million) or 4 percent of total worldwide turnover (whichever is greater)
  • A private right of action, allowing individuals to bring private legal claims for any damage caused by a GDPR violation

Data controllers are the main subject of GDPR sanctions and legal claims, as they hold primary responsibility for obeying the GDPR's principles and for facilitating individuals' rights over their personal information.

However, a data processor can also be liable for a penalty or private legal claim if it violates the GDPR's rules for data processors, or if it goes against the lawful instructions of its data controller.

The biggest GDPR fine so far remains the €50 million ($55 million) fine against Facebook by the French DPA.

The UK's DPA has also threatened fines against Marriott Hotels for £99.2 million ($122.3 million), and British Airways for £183.39 million ($226.2 million).

EasyJet is also facing an £18 billion ($22 billion) class-action lawsuit after a massive data breach in early 2020.

Violation of any part of the GDPR can lead to an administrative fine or private legal action.

Some key GDPR violations include failing to:

PIPEDA (Canada)

The Personal Information and Electronic Documents Act (PIPEDA) is a relatively strict privacy law that applies on a federal level across Canada. In 2018, an amendment introduced fines for non-compliance with certain provisions.

Who Does PIPEDA Apply to?

PIPEDA applies to private sector organizations, i.e. any organization or person engaged in "commercial activity."

PIPEDA is federal law that applies to all processing of personal information across borders in Canada. Certain provinces have local privacy laws that override PIPEDA, but in every case these laws are substantially similar to PIPEDA.

Non-Canadian companies with "a real and substantial connection to Canada" also must comply with PIPEDA.

What Types of Sanctions and Remedies are Available Under PIPEDA?

PIPEDA is enforced via fines of up to $100,000 CAD (approximately $73,000 USD) per violation. These fines are initiated by the Office of the Privacy Commissioner (OPC) and pursued by the Justice Department through the federal courts.

Individuals can also pursue private claims for compensation once they have received the OPC's report.

Upcoming changes to PIPEDA are likely to see the OPC empowered to issue fines directly.

Fines are only applicable to violations of PIPEDA's data breach reporting and recording provisions.

Under PIPEDA, organizations must report any breach of consumers' personal information that presents a "real risk of significant harm." They must also inform the individuals affected when it would be reasonable to do so.

Organizations are also required to keep records of all data breaches, whether or not the breach has resulted in a real risk of significant harm.

Summary

The privacy laws examined above all apply to any business operating within their jurisdiction, regardless of where the business is based.

This means that, depending on the scope of your business activities, you may have to comply with each or any of these laws.

Some of the sanctions and remedies you need to know about include:

  • CalOPPA (California):

    • Civil penalties of up to $2,500 per violation
    • Private claims for actual damages
  • CCPA (CPRA) (California):

    • Civil penalties:

      • Up to $2,500 per unintentional violation
      • Up to $7,500 per intentional violation
    • Private claims for statutory damages of between $150 and $750 per violation or actual damages (whichever is greater)
  • COPPA (United States):

    • Civil penalties of up to $43,280 per violation
    • Private claims for actual damages
  • GDPR (EU):

    • Administrative fines:

      • Up to €10 million or 2 percent of annual worldwide turnover for less serious violations
      • Up to €20 million or 4 percent of annual worldwide turnover for more serious violations
    • Private claims for actual damages
  • PIPEDA (Canada):

    • Fines of up to $100,000 CAD per violation
    • Private claims for actual damages
