Between the enforcement date (July 1, 2020) being six months after the effective date (January 1, 2020), the global pandemic, and limited resources in the California AG’s office, there were some valid questions and unknowns surrounding when the California AG’s office would be prepared to begin investigating and enforcing the California Consumer Privacy Act (CCPA). We have an answer now and it is almost immediately following the enforcement date.
Under the CCPA, businesses have a 30-day right to cure potential violations and the California AG is currently sending out 30-day notices to businesses surrounding potential violations. A representative from the California AG’s office previously stated on an IAPP webinar that the office would keep an eye out for privacy complaints regarding a business’s privacy practices on social media. Based on this, it is safe to assume that the AG’s office is not sitting back waiting for complaints from consumers and is even proactively combing websites for potential violations – violations that are not that difficult to spot.
Here are a few tips and steps to take to improve your website and privacy program to ensure the next letter the California AG sends is not to your business:
- A major area under the CCPA that causes confusion and is easy to check by the California AG (or consumers) is the “Do Not Sell My Personal Information” link requirement as well as the definition of “sale” under the CCPA. Things to consider:
- If your business is registered with California as a data broker, then it is likely required that the business has the appropriate links, disclosures, and other rights spelled out on your website.
- Even if your business is not a data broker, AdTech activities must be reviewed. Companies like Facebook and Google provided guidance to their customers and even implemented controls to limit the personal information processing activities to be a Service Provider under the CCPA. While the guidance and technical settings are helpful, businesses are still confused by the definitions of “sale” and “service provider” under the CCPA. Businesses must review other cookies and trackers that are considered third parties to whom a business sells personal information under the CCPA that may still remain on the website. The California AG can research this very quickly and savvy consumers can easily leverage existing functionality and browser plug-ins to determine a business’s AdTech and data sharing activities that may fall under the definition of “sale.”
Solutions to this likely include a combination of implementing cookie consent, which may exempt your sharing activities from the definition of sale, and following the IAB Compliance Framework on the AdTech side of this requirement. Further, businesses should ensure their data inventory, vendor contracts, and website change management processes are in place.
- CCPA specific disclosure requirements.
- Web forms and other modalities (such as a toll-free phone number) for a California consumer to make a rights request.
- Accurate descriptions of personal information collected, purposes of collection, and any sharing/selling activities.
- Monitor the activity surrounding your brand on social media and other online areas:
- Consumers often take to online forums to complain about a business.
- Scanning technology is available to monitor social media and consumer review sites for mentions surrounding a brand and this technology is often already used by a business’s marketing or website team.
- This allows businesses to take a proactive approach towards monitoring and remediating any privacy issues.
If your business receives a notice of a potential violation of the CCPA from the California AG’s office, make sure that you reply within the 30 days provided by the CCPA. Further, these letters request that recipients outline not only what they did to resolve any potential violations but also what they are going to do in the future to prevent the violation from occurring again, so be sure to include future assessments, legal opinions, and technology implementations that are on the business’s CCPA compliance roadmap.