California Attorney General Releases Enforcement Update on CCPA


Most companies have remedied compliance issues with the state’s data privacy law after receiving notice of an alleged violation.

8/27/2021 9:30

Enforcement of the California Consumer Privacy Act (CCPA) has been in place for just over one year and, in announcing the milestone, Attorney General Rob Bonta said there has been “great progress” by businesses required to comply.

According to a news release from the attorney general’s office, after receiving a notice of an alleged violation, 75% of businesses acted to come into compliance within the 30-day statutory cure period. The remaining 25% of businesses that received a notice of an alleged violation are either within the 30-day cure period or are under active investigation, according to the news release.

“The attorney general has been focusing on consumer complaints in fiscal year 2020-21, and that focus appears to have been on large companies and blatant violations,” said ACA International member June Coleman, of counsel at Messer Strickler Ltd. “With the voter approval of the Consumer Privacy Rights Act (CPRA) initiative in November 2020, that effort will be transferred to a separate agency to enforce the [law]—the California Privacy Protection Agency. Once the [agency] is up and running, you can expect that you will see more enforcement efforts.”

Coleman added the California Privacy Protection Agency (CPPA) has $10 million in funding, which is two-and-a-half times the amount of money the attorney general can spend on enforcement and 20 times the funding for enforcement allotted to the California Office of Privacy Protection when it closed down in 2012. 

“Also, the new CPPA has a dedicated auditor position, so we can expect that there will be more audits,” Coleman said. “This will give our industry even more incentive to make sure we are in compliance with the [privacy law.]”

As a refresher, key requirements of the CCPA include:

  • Businesses must disclose data collection and sharing practices to consumers;
  • Consumers have a right to request that their data be deleted, although there are exceptions that should apply to the collections industry;
  • Consumers have a right to request what information is collected; and
  • Businesses are required to provide a privacy notice prior to collecting information from a consumer.

The California Department of Justice is seeing a wide range of consumer requests reported by businesses as required under the law.

Among similarly sized and scoped companies, some have reported requests in the millions while others have been in the hundreds. Bonta also launched a new online tool that allows consumers to directly notify businesses of potential violations, according to the attorney general.

“Enforcement of the CCPA marks an enormous step for privacy protection in California, particularly at this time after the COVID-19 pandemic moved so much of our lives online. We’re happy to announce that we are seeing great progress with our CCPA enforcement, but there’s more work to be done,” Bonta said in the news release. 

CCPA enforcement, which went into effect July 1, 2020, includes a notice to businesses with an alleged violation to cure or fix it within 30 days before an enforcement action can be initiated.

The attorney general issued notices to cure to entities including data brokers, marketing companies, businesses handling children’s information, media outlets and online retailers. 

Bonta also launched a new online Consumer Privacy Tool that allows consumers to directly notify businesses that do not have a clear and easy-to-find “Do Not Sell My Personal Information” link on their website. As part of the CCPA, businesses are required to have a link to their privacy policy on their website at the bottom of the homepage. Businesses that sell personal information about consumers must also include a “Do Not Sell My Personal Information” link on their websites or mobile apps. 

The tool, available here, asks guided questions to walk consumers through the basic elements of the CCPA before generating a notification that the user can then email to the business. This email may trigger the 30-day period for the business to cure their violation of the law, which is a prerequisite to the attorney general bringing an enforcement action. The tool does not constitute legal advice. 

For more information about the CCPA, visit

Related Content from ACA International

California Issues More Modifications to CCPA Data Privacy Law

Mapping the California Consumer Privacy Act

CCPA Clarity in California

This site uses cookies. By continuing to use our site, you are agreeing to our use of cookies. Review our Privacy Policy for more information. You may change your preferences on how cookies are stored by reviewing the settings on your browser.

The content on this site is presented for educational, general reference, and informational purposes only; is not intended to serve as legal or other advice; is not intended to be a full and exhaustive explanation of the law in any area; and should not replace the advice of your own legal counsel. By continuing to use our site, you are agreeing to the legal disclaimers in our Terms of Use. Review our Terms of Use for more information.

Friendly Reminder

Get continued access to ACA International’s wide array of resources, which can help you become more profitable, compliant and successful.

Renew your membership today to take advantage of tools you won’t find anywhere else:

  • Discounts on seminars, products, services and events
  • Resources to strengthen your compliance department
  • Industry-specific risk management products and services
  • Participation in ACA’s online community, The Hub
    Members-only website content
  • Professional development and training opportunities, and so much more!