CCPA Enforcement by the California Attorney General
Now that a little more than a year has passed since the California Consumer Protection Act (“CCPA”) took effect on January 1, 2020, and almost nine months after the California Attorney General’s enforcement authority took effect, we are seeing activity on the enforcement front as well as individuals attempting to exercise their private right of action under the CCPA. This activity provides some insight into CCPA compliance. This month we will look at Attorney General enforcement; next month, we will dig into suits based on the private right of action.
Attorney General Enforcement
As a refresher, the California Attorney General has enforcement authority over any provision of the CCPA. However, any enforcement activity comes with a 30-day cure period: non-compliance with a provision of the statute does not constitute a violation until it remains uncured for 30 days after notification of the alleged non-compliance. In December 2019, the Attorney General stated that it would approach enforcement based on a company’s approach to compliance, where companies that demonstrated a willingness to comply would be viewed favorably.
Now, several months into Attorney General enforcement, it appears that enforcement is beginning by targeting a key aspect of the CCPA: a company’s privacy notice. The privacy notice is a key communication from a business subject to the CCPA to its California consumers. The notice informs consumers about what information a business collects about them, how that information is used, and a consumer’s rights, including the right to opt out of a sale of their personal information, under the CCPA.
Based on comments from Deputy Attorney General Stacey Schesser, the first round of enforcement letters was focused on businesses that had deficient privacy notices. So what does this mean for businesses subject to the CCPA? Businesses that updated their privacy notices early in the CCPA timeline should consider preemptively reviewing those notices to ensure that they still comply with the most recent CCPA regulations, which were finalized after the enforcement action took effect. Further, if your business does receive an enforcement letter, it is vitally important to address it and take corrective action within the 30-day cure period to position your business to avoid further enforcement.