First of all, it's “up to” $1 million or $10 million. It could be $10, $100, $1,000, or whatever is appropriate.
Secondly, we, like every enforcement agency, have a compliance compendium. You start off by educating people. You warn them, you try to get them to comply, you try to educate them. Then, if there is resistance or a wilful breach, you can fine them.
When you do fine them, you take into account the gravity of the action taken. Was it deliberate or was it unintentional? Was it repetitive? What was the cost damage? When you impose a fine, you take into account both aspects--the deterrence aspect, in that it should be a lesson to this person and others not to do it again, and also the effect it will have. You don't want to put somebody out of business. You just want to make sure they get a meaningful lesson and won't do it again.
Now, if it's somebody who is just deliberately, consistently, and wilfully breaching, etc., obviously you may go close to the maximum or to the maximum. It depends; you make an assessment of the circumstances.