Although the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, the California Attorney General (AG) was not authorized to begin enforcement until July 1, 2020. With the pandemic and the delay in finalizing the regulations, it was unclear how or when AG enforcement would begin. Any such confusion can be dispelled, because California’s Supervising Deputy AG, Stacey Schesser, has confirmed that initial compliance notice letters have been sent.
In a keynote presentation with the International Association of Privacy Professionals, Schesser offered an important window into the AG’s planned – and existing – enforcement efforts. Most notably, as mentioned above, on July 1, 2020, the AG sent out initial letters to allegedly noncompliant businesses. Although the letters themselves remain confidential, Schesser provided some insight into their substance:
- They targeted multiple industries and business sectors.
- They focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where the AG thought one was necessary).
- The targets of the letters were identified based, at least in part, on consumer complaints, including complaints made using social media.
The CCPA, which, as Schesser acknowledged, is a “complex” law with “lots of nuance,” provides businesses with an opportunity to cure potential violations to avoid regulator enforcement actions. It specifically requires the AG, prior to an enforcement action, to notify a business of its noncompliance. A business will only violate the CCPA if it fails to cure the violation within 30 days after that notification. Depending on each business’s response to the letter, the AG may either open a confidential investigation or bring a suit.
Schesser also offered insight into future enforcement actions. The AG has previously publicly stated that he intends to focus on protections for minors and other vulnerable populations. She also referenced past enforcement actions, which focused on wide-scale impacts on Californians, the types of data involved, and actual harm. She noted that the AG had a number of other laws in his arsenal, including the California Online Privacy Protection Act, Confidentiality of Medical Information Act, and California’s Unfair Competition Law, and that an investigation initiated pursuant to a CCPA complaint would not necessarily be limited to CCPA compliance.
Comment. Although his resources are limited, it is clear that the California AG has already started using his enforcement powers under the CCPA, and businesses should be prepared. While California appears to be currently focused on low-hanging fruit – clearly deficient public disclosures and consumer rights options – businesses can also expect more stringent enforcement proceedings going forward, especially in the case of protected individuals and sensitive data. Businesses should ensure that they are complying with the law, and the unlucky businesses that have received – or may receive – noncompliance letters should immediately raise them with trusted counsel to both cure any deficiency and determine the appropriate strategy for communicating with the AG’s office.