Consequences: Hefty Fines Have Landed
White Paper | May 2020
The regulatory tsunami has made it clear that compliant data destruction processes are not a choice, and failure to comply creates exposure to large monetary fines.

Fines and legal liability are no longer hypothetical.
GDPR and CCPA have wasted no time in exercising legal and regulatory authority to punish organizations that fall out of compliance.
GDPR violations can result in fines of up to $20 million U.S. Dollars or 4% of an organization’s global annual revenue (whichever is greater).

CCPA fines, which are issued by the California Attorney General, can be massive ($7,500 per breached record). For example, under CCPA if an organization experiences a breach or violation and 10,000 consumers are affected, the fine could be $75,000,000.

GDPR violations have resulted in hefty fines being levied against some of the world’s largest organizations including:
  • Marriott: $130 million (July 2019)
  • British Airways: $230 million (July 2019)
  • Google: $62 million (January 2019)
  • Austrian Post: $20 million (January 2019)
  • Deutsche Wohnen SE: $15 million (October 2019)
Beyond monetary fines, CCPA violators face additional liability.
CCPA provides individuals the standing and right to bring civil action against an organization if that organization does not maintain ‘reasonable security’ procedures. Barely a month after CCPA went into effect, the first lawsuit citing CCPA in the judgment it sought was filed. On February 3, 2020, a class action lawsuit was filed in the U.S. District Court for the Northern District of California naming Hanna Andersson and Salesforce as defendants (Barnes v. Hanna Andersson, LLC). If successful, the plaintiffs will be entitled to a devastating amount of money.