Most companies have remedied compliance issues with the state’s data privacy law after receiving notice of an alleged violation.
8/27/2021 9:30
Enforcement of the California Consumer Privacy Act (CCPA) has been in place for just over one year and, in announcing the milestone, Attorney General Rob Bonta said there has been “great progress” by businesses required to comply.
According to a news release from the attorney general’s office, after receiving a notice of an alleged violation, 75% of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25% of businesses that received a notice of an alleged violation are either within the 30-day cure period or are under active investigation, according to the news release.
“The attorney general has been focusing on consumer complaints in fiscal year 2020-21, and that focus appears to have been on large companies and blatant violations,” said ACA International member June Coleman, of counsel at Messer Strickler Ltd. “With the voter approval of the Consumer Privacy Rights Act (CPRA) initiative in November 2020, that effort will be transferred to a separate agency to enforce the [law]—the California Privacy Protection Agency. Once the [agency] is up and running, you can expect that you will see more enforcement efforts.”
Coleman added the California Privacy Protection Agency (CPPA) has $10 million in funding, which is two-and-a-half times the amount of money the attorney general can spend on enforcement and 20 times the funding for enforcement allotted to the California Office of Privacy Protection when it closed down in 2012.
“Also, the new CPPA has a dedicated auditor position, so we can expect that there will be more audits,” Coleman said. “This will give our industry even more incentive to make sure we are in compliance with the [privacy law].”
As a refresher, key requirements of the CCPA include:
- Businesses must disclose data collection and sharing practices to consumers;
- Consumers have a right to request that their data be deleted, although there are exceptions that should apply to the collections industry;
- Consumers have a right to request what information is collected; and
- Businesses are required to provide a privacy notice prior to collecting information from a consumer.
The California Department of Justice is seeing a wide range of consumer requests reported by businesses as required under the law.
Among similarly sized and scoped companies, some have reported requests in the millions while others have been in the hundreds. Bonta also launched a new online tool that allows consumers to directly notify businesses of potential violations, according to the attorney general.
“Enforcement of the CCPA marks an enormous step for privacy protection in California, particularly at this time after the COVID-19 pandemic moved so much of our lives online. We’re happy to announce that we are seeing great progress with our CCPA enforcement, but there’s more work to be done,” Bonta said in the news release.
CCPA enforcement, which went into effect July 1, 2020, includes a notice that gives a business with an alleged violation 30 days to cure or fix it before an enforcement action can be initiated.
The attorney general issued notices to cure to entities including data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers.
Bonta also launched a new online Consumer Privacy Tool that allows consumers to directly notify businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website. As part of the CCPA, businesses are required to have a link to their privacy policy on their website at the bottom of the homepage. Businesses that sell personal information about consumers must also include a “Do Not Sell My Personal Information” link on their websites or mobile apps.
The tool asks guided questions to walk consumers through the basic elements of the CCPA before generating a notification that the user can then email to the business. This email may trigger the 30-day period for the business to cure their violation of the law, which is a prerequisite to the attorney general bringing an enforcement action. The tool does not constitute legal advice.
For more information about the CCPA, visit www.oag.ca.gov/ccpa.