California Attorney General Reveals Initial CCPA Privacy Enforcement
On July 19, 2021, the Office of the California Attorney General provided the public with information about enforcement practices related to the California Consumer Privacy Act of 2018 (“CCPA”). CCPA became effective on January 1, 2020, with enforcement beginning July 1, 2020. The CCPA allows companies 30 days to cure CCPA violations after receiving notice from the AG before it takes further enforcement measures.
Although the update only released limited information without naming specific businesses under investigation, the AG provided examples of curative actions taken by companies. A few examples the AG’s office included were as follows:
- A grocery chain required personal information in exchange for participation in the company’s loyalty program. The company was not providing a Notice of Financial Incentive to consumers and amended its policy to include such notice when notified of its noncompliance.
- A video game distribution company did not state whether or not it had sold personal information in the past 12 months. After being notified, the business updated its policies.
California Attorney General Rob Bonta stated that 75 percent of businesses who are notified of an alleged violation have come into compliance within the 30-day cure period. For the 25 percent of businesses who have not yet cured their CCPA violations, those businesses are either still within their 30-day window or are currently under investigation. If a company fails to comply, the Attorney General may initiate a civil action for penalties, not to exceed $2,500.00 for each violation or $7,500.00 for each intentional violation. At this time, the AG has not made any public announcements regarding any issued penalties.
The California AG also introduced the Consumer Privacy Interactive Tool, a tool allowing consumers to send notice of noncompliance directly to businesses. Right now, the tool is limited to only notifying businesses of hard-to-find “Do Not Sell My Personal Information” links on websites. It remains unclear if a notification via this tool will begin the 30-day cure window.
The complete press release from the Office of the California Attorney General can be found here.
The complete list of CCPA enforcement case examples can be found here.
It is important for any company doing business in California to stay up to date with CCPA compliance best practices and mark January 1, 2023 as the date that CCPA will be replaced with the California Privacy Rights and Enforcement Act (“CPRA”). If you have questions regarding how to comply with CCPA, please contact one of the specialists in Koley Jessen’s Data Privacy and Security Practice Area.
Special thanks to Kate Hughes, Koley Jessen Summer Associate, for her contributions to this article.