California Attorney General Provides Key Enforcement Insights to Employers on CCPA Obligations

Fisher Phillips

With the entire panoply of compliance requirements under the California Consumer Privacy Act of 2018 (CCPA) and the California Privacy Rights Act (CPRA) set to take effect on January 1, 2023, now is the time for employers to undertake efforts to ensure full compliance with the regulations. Many California employers may have previously ignored aspects of the groundbreaking privacy law given that employment data had been exempted from its reach. But now that state lawmakers have ensnared employers in the CCPA’s grasp, employers need to take action – and the state Attorney General has chimed in with some critical insights that you should take to heart.

Attorney General Provides Specific Examples

Your first stop for compliance should be the newly launched Fisher Phillips CCPA Resource Center, where you can find all manner of helpful resources to aid your compliance efforts. But when it comes to CCPA enforcement, the California Department of Justice Office of the Attorney General (OAG) website has helpful resources available on its California Consumer Privacy Act (CCPA) page. Under the “CCPA Enforcement Case Examples” section, which was just updated on August 24, the OAG provides illustrations of alleged noncompliance and subsequent remedial actions taken by businesses. The examples provide helpful insight into obligations to keep in mind when reviewing policies and procedures. 

The OAG’s latest release includes 13 enforcement case examples. The industries identified range from consumer retail to technology to healthcare. The notices of alleged noncompliance cover a broad spectrum of CCPA requirements, including issues with the content of required notices and disclosures and with opt-out processes. However, as disclaimed on the OAG site, not all facts for each matter are disclosed.

Notice and Disclosure

Regarding notice and disclosure, some of the issues identified include failure to post Notices of Financial Incentive programs outlining compliant terms, noncompliant notice at collection, privacy policies that omit requisite CCPA information or limit a consumer’s rights, and failure to disclose whether a business sold personal information. 

Opt-Out Requirements

With respect to a consumer’s right to opt out of the sale of personal information, examples include inconspicuous or nonexistent website links, language that was unclear on how to opt out of the sale of personal information, and technology-related issues with the opt-out process.

Additional Requirements

In addition, the examples highlight the importance of drafting disclosures in clear language understandable to consumers, ensuring that links function, that technology solutions are implemented and operate properly, and that appropriate training is conducted. Should any obligations apply due to the collection of minors’ data or under the California Code of Regulations, Title 11 § 7102 – Requirements for Businesses Collecting Large Amounts of Personal Information – be sure the additional CCPA requirements are incorporated.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fisher Phillips | Attorney Advertising
