Although the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, the California Attorney General (AG) was not authorized to begin enforcement until July 1, 2020. With the pandemic and the delay in finalizing the regulations, it was unclear how or when AG enforcement would begin. Any such confusion can be dispelled, because California’s Supervising Deputy AG, Stacey Schesser, has confirmed that initial compliance notice letters have been sent.
In a keynote presentation with the International Association of Privacy Professionals, Schesser offered an important window into the AG’s planned – and existing – enforcement efforts. Most notably, as mentioned above, on July 1, 2020, the AG sent out initial letters to allegedly noncompliant businesses. Although the letters themselves remain confidential, Schesser provided some insight into their substance:
- They targeted multiple industries and business sectors.
- They focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where AG thought one was necessary).
- The targets of the letters were identified based, at least in part, on consumer complaints, including complaints made using social media.