Mysteries Solved! California Attorney General Reveals CCPA First-Year Enforcement and Launches Consumer Complaint Tool

Dorsey & Whitney LLP

Dorsey & Whitney LLP

Not since the disappearance of Amelia Earhart, have people wondered more. Which companies were the early targets of the California Attorney General’s enforcement of the California Consumer Privacy Act (“CCPA”) and on what basis? This week, we got a partial answer.

On July 19, the California Attorney General released an enforcement report and launched a new interactive tool through which consumers can draft a “non-compliance” notice to companies that allegedly lack a “Do Not Sell My Personal Information” link on their websites or mobile apps. Based on the CCPA enforcement actions reported, continuing your company's efforts to comply with the CCPA, no matter your industry, will be important in the coming months.

The good news is that most companies receiving violation notices are successfully curing their alleged CCPA violations. The Attorney General’s Office reported that in the first year of enforcement, 75% of the companies that received CCPA non-compliance notices cured the alleged violation, while the remaining 25% are still within the 30-day cure period or are under continuing investigation. The California Attorney General did not give details regarding each non-compliance notice and did not provide a total number of enforcement actions taken. However, he did provide 27 examples of instances in which his Office sent non-compliance notices and the company cured the alleged violations.

The 27 enforcement examples released by the California Attorney General show that early CCPA enforcement targeted a variety of industries on a number of different aspects of CCPA non-compliance. Recipients of non-compliance notices included an online dating company that allegedly sold personal information and lacked a “Do Not Sell My Personal Information” (“DNSMPI”) link, a grocery chain which allegedly did not provide a notice of financial incentive to consumers participating in a loyalty program, and an automotive company that allegedly collected information from consumers who test drove vehicles without providing a notice at collection. Other industries targeted included children’s toys, email marketing, social media, online event planning, education technology, advertising technology, online classified ads, media, pet, data broker, manufacturing, retail, video game, and clothing.

Of the more than a dozen CCPA issues represented in the 27 enforcement examples, the majority centered on the adequacy of a company’s privacy policy, such as whether consumers were provided methods to exercise CCPA rights such as the right to know and delete, whether a list of categories of personal information was disclosed, and whether a statement affirming or disclosing if a company sold personal information in the last 12 months was included. The enforcement examples also touch on consumers’ ability to exercise CCPA rights without barriers. The California Attorney General instructed companies to remove a requirement to provide notarized verification as part of the rights request process, to cease charging a fee for processing CCPA requests to know, to remove verification requirements in connection with requests not to sell personal information, and to revise policies to ensure the average consumer understands the text.

The report also highlights the use of cookies, pixels, and other trackers on websites and mobile apps and clarifies the requirement in connection with many cookies and trackers for website or mobile app operators to: enter data processing agreements with cookie/tracker providers, provide DNSMPI rights in connection with cookies/trackers, or remove cookies and other trackers from their websites and mobile apps.

To further ease consumer burdens in making CCPA requests and reports, the California Attorney General created the Consumer Privacy Interactive Tool, a tool that helps consumers draft a non-compliance notice to send to companies. This tool asks consumers guided questions based on the CCPA and then generates a notice for consumers to send to an allegedly non-compliant company. The California Attorney General will have access to the violations reported through the tool and may take action based on them. So far, the tool is limited to complaining about failure to post a DNSMPI link but may include other CCPA violations in the future. With the launch of this tool, companies which are not required to have a DNSMPI link will likely receive an increase in unwarranted consumer complaints regarding the CCPA.

The California Attorney General’s enforcement update solves some of the mysteries of CCPA enforcement, but questions remain. The outcome for the 25% of companies that are still within the 30-day cure period or are involved in an on going investigation is unclear, as the California Attorney General’s Office may sue some of these companies. Another consideration is that the California Attorney General will eventually share CCPA enforcement responsibility with the newly established California Privacy Protection Agency (“CPPA”). The CPPA will administratively enforce the California Privacy Rights Act and the CCPA, while the California Attorney General will retain civil enforcement authority over these statutes. Thus, while the California Attorney General’s first-year update is helpful, the update may not be instructive once the CPPA assumes administrative enforcement power in July 2023.

With CCPA enforcement underway and a non-compliance notice tool available to consumers, companies should remain vigilant in seeking to comply with the CCPA. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising

Written by:

Dorsey & Whitney LLP

Dorsey & Whitney LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.