California Attorney General CCPA Enforcement—Make Sure You Pay Attention to What Customers Are Saying on Twitter

McGuireWoods LLP

If you’re like us, you’ve been anticipating an announcement from the California Attorney General about the types of companies it targeted in its initial enforcement of the California Consumer Privacy Act (the “CCPA”), the types of violations the AG is interested in, and the types of arguments it is making in enforcing the Act.  While official word from the AG is unlikely before the end of the 30-day cure period following its initial notice letters, a member of the AG’s office did confirm during a recent panel discussion that the AG sent out those letters on July 1, 2020.

The statement was part of a fascinating and informative panel put on by the International Association of Privacy Professionals (“IAPP”).  It featured Stacey Schesser, Supervising Deputy Attorney General for the State of California and part of a multi-member team of attorneys in the AG’s office charged with enforcing the CCPA.  A recording is available on the IAPP’s website, and we encourage you to check it out if you’re a member.  In terms of the details gleaned from Ms. Schesser’s comments, here is what we know about the AG’s enforcement of the CCPA to-date:

  • On July 1, 2020, the AG sent an initial wave of notice letters to companies it believed were in violation of the CCPA;
  • Because the CCPA Regulations are still under review with the Office of Administrative Law, the current round of enforcement is focused on violations of the “four corners” of statute itself;
  • The initial round of letters focused on online-only businesses;
  • The AG selected its targets after reviewing the data privacy practices of a broad range of businesses;
  • Customer complaints on social media sites such as Twitter relating to difficulty exercising CCPA rights factored into the AG’s decisions on which companies to investigate; and
  • There was also an emphasis on violations of the CCPA’s rules governing the sale of personal information.

Obviously, none of the above is the “official” word of the AG, but it does give an idea of where CCPA enforcement currently stands.  In terms of future enforcement of the CCPA, it sounds like the AG could take things in several different directions.  The following seem to be among the key enforcement priorities:

  • Violations of the CCPA’s rules relating to children’s privacy;
  • Violations involving sensitive personal information such as financial or health information;
  • Violations of the CCPA in addition to another statute such as the California Online Privacy Protection Act, the California Confidentiality of Medical Information Act, or the California Unfair Competition Law;
  • Repeated consumer complaints; and
  • Issues raised in class actions brought by private plaintiffs that may go unaddressed without AG enforcement.

There are many lessons to be gleaned from the discussion that took place on this panel, not the least of which is to make sure your company is addressing any customer complaints about using the privacy rights CCPA provides.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising

Written by:

McGuireWoods LLP

McGuireWoods LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.