Although the California Consumer Privacy Act (“CCPA”) has been in effect since January 1, 2020 and subject to enforcement since July 1, 2020, it seemed until recently that compliance had been somewhat spotty. Well, it’s time to wake from your compliance slumbers and start paying attention because California’s new Attorney General (“AG”) Rob Bonta has stepped up enforcement of the CCPA.
Fortunately, we have recently received guidance on what areas of noncompliance have drawn scrutiny from the AG. In July 2021, the Office of the AG (“OAG”) released CCPA enforcement examples providing high-level descriptions (without company names) of notices of alleged noncompliance with the CCPA and the steps taken by those companies in response to the notices. The OAG summarized the status of the enforcement actions by noting that upon receiving a notice of alleged violation, 75% of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25% of businesses that received a notice of alleged violation were either still within the 30-day cure period or were under active investigation by the OAG as of July 2021.
As a part of our ongoing efforts to monitor privacy enforcement trends in the U.S. and around the globe, we have compiled a checklist based on CCPA enforcement actions taken by the California OAG.
The California OAG appears to have been targeting, in particular, the public disclosures companies make regarding their handling of personal information, as well as whether companies maintain effective, proper and streamlined methods for consumers to opt out of sales of personal information. We can tell you from our experience dealing with the AG on notices of violation, for example, that his office prefers that the Do Not Sell right be available without requiring the authentication most organizations would consider appropriate for access or deletion requests. The top violations according to the sample we have available were for failure to do the following:
- Provide required notices (online and in-person, if applicable)
- Explicitly state whether a business has sold personal information in the past 12 months
- Provide a clear, conspicuous, and functioning “Do Not Sell My Personal Information” link (if needed) on all applicable platforms/properties
- Provide consumers with effective methods to opt out of the sale of personal information (e.g., not simply directing consumers to a third party trade association tool or to mobile device settings or requiring multiple opt-out requests)
Also, it is important to be mindful that, as of July 1, 2021, certain businesses subject to the CCPA are required to report metrics about the consumer requests they’ve received under the CCPA. According to Section 999.317(g) of the regulations issued by the OAG, a business that buys, receives for commercial purposes, sells or shares for commercial purposes the personal information of 10 million or more California consumers in a calendar year must post the following information for the prior calendar year:
- The total number of requests to know that the business received in the prior calendar year, complied with in whole or in part, and denied;
- The total number of requests to delete personal information under the CCPA that the business received, complied with in whole or in part, and denied;
- The total number of requests to opt-out that the business received in the prior calendar year, complied with in whole or in part, and denied; and
- The median or mean number of days within which the business substantively responded to such requests to know, requests to delete, and requests to opt-out.
We recommend using our checklist linked here to confirm that your organization has implemented the compliance measures that the California OAG appears to consider to be of greatest importance. It is best to confirm internally that you’re in compliance before the OAG sends a notice of enforcement and a request for documentation proving your compliance. California is likely to keep privacy professionals on their toes for years to come with enforcement of the CCPA both by the OAG and the newly formed California Privacy Protection Agency, and with the eventual release of the regulations for the California Privacy Rights Act (“CPRA”). With respect to enforcement procedures in particular, the CPRA eliminates the CCPA’s 30-day cure period currently available before the OAG may bring an enforcement action. It seems like we’re always going back to Cali(fornia) when it comes to our focus for U.S. privacy laws.