First Year of CCPA Enforcement and New Consumer Notice Tool: Insights Into CCPA Compliance

July marks the one-year anniversary of the California Consumer Privacy Act (CCPA) and of CCPA enforcement. Just in time for this anniversary, the California Attorney General (“CA AG”) summarized its curative actions (i.e., notices of alleged noncompliance) and released a new consumer tool to assist consumers in notifying businesses of alleged CCPA violations. The CA AG’s recent actions demonstrate the breadth of the CCPA’s application across a variety of industries, as well as the AG’s commitment to enforcing the CCPA while equipping consumers with mechanisms to assist in enforcement efforts.

Cure Notices as Effective Enforcement Mechanism  

Under the CA AG’s regulations, businesses found to be in violation of the CCPA receive a “notice to cure” that provides a 30-day window to remedy the alleged non-compliance. Rob Bonta, the CA AG, reports that 75% of the companies that received a cure notice responded with amended practices within the 30-day cure period provided under the law. Bonta noted that the remaining 25% of alleged violators were either still within their 30-day cure period or under ongoing investigation.

Following the press release, the CA AG’s Office published examples of the types of notices it has issued to businesses. Some of the most frequent alleged violations include the following:

  • There was no “Do Not Sell My Personal Information” link on the business’s website;
  • The Notice to Consumers was missing or inaccurate, or lacked the required notice of sale of personal information and the notice regarding minors’ personal information;
  • The business maintained a non-compliant opt-out process;
  • The Privacy Policy failed to provide the required methods for submitting requests to exercise rights, charged fees for CCPA requests, or lacked a toll-free number;
  • The business had defective methods for consumers to submit data subject access requests, provided untimely responses to requests, or charged fees for processing the requests;
  • The business failed to obtain the proper verification information when processing data subject requests, or required the creation of a customer account as a means of verifying identity.

The enforcement examples show that the CA AG is looking for a wide range of CCPA violations across the various channels by which businesses collect personal information from consumers, from websites and online platforms to mobile applications and even in-person data collection.

New Consumer Privacy Interactive Tool
The CA AG also launched a new interactive tool to help consumers notify businesses of alleged non-compliance with the CCPA for lack of a clear and conspicuous “Do Not Sell My Personal Information” (DNSPI) link on their websites. While consumers cannot yet sue organizations directly, this new consumer tool provides a direct mechanism for consumers to issue a notice of noncompliance to a business, triggering the 30-day period to cure, which in turn triggers the Attorney General’s right to sue if the CCPA violation is not remedied.

Although the new consumer tool for issuing notices applies only to the lack of a DNSPI link, it will likely be expanded to cover other CCPA rights.

Overall Takeaways:  

  • Lack of a “Do Not Sell My Personal Information” Link Is an Easy Target – Not having a DNSPI link is an easy red flag for non-compliance that could trigger a notice to cure from the AG directly or, now, from a consumer via the new tool.
  • Watch Out for AG Notices – The Attorney General’s Office is using, and will continue to use, the notice to cure as an effective means of CCPA enforcement. Organizations should clarify their CCPA obligations, take steps to become CCPA compliant so as to avoid triggering a notice to cure, and be prepared to respond and address the issue promptly should they receive a notice.
  • Watch Out for Consumer Notices – The new Consumer Privacy Interactive Tool streamlines the DNSPI link noncompliance notice process and will likely expand to other CCPA violations. Organizations should clarify whether they are obligated to include a DNSPI link on their websites and implement one where required.
  • All Businesses Are Subject to Enforcement – Businesses across a variety of industries are ripe for enforcement actions under the CCPA.
  • External and Internal Policies Matter – Organizations should review their external-facing notices and internal processes in light of these enforcement actions and update them accordingly to meet compliance obligations. Be sure your Privacy Notice is up to date and accurate, including the notice of required CCPA rights, instructions on how to exercise those rights, and the methods for exercising them.
  • Don’t Forget About Service Providers – Review agreements with service providers to be sure they adequately address data security and privacy by including provisions that restrict the use of personal information and other CCPA-specific provisions or addendums.

In sum, companies subject to the CCPA should take initial steps to evaluate their compliance obligations and implement proactive measures to minimize the risk of an enforcement action. The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA enforcement risk. From reviewing your external policies and data collection practices to reviewing your data mapping and data subject access request procedures, this first year of enforcement underscores the importance of operationalizing robust data security and privacy practices that can stand the test of time and adapt to the evolving consumer privacy landscape.

*Attorney Advertising. Prior results do not guarantee similar outcomes.*

Bipartisan Group of Senators Introduce Cyber Incident Notification Act of 2021

On Wednesday, July 21, 2021, Sens. Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) introduced the Cyber Incident Notification Act of 2021 (CINA).

Under CINA, federal agencies, federal contractors, and critical infrastructure companies (Covered Entities) would need to notify the Cybersecurity and Infrastructure Security Agency (CISA) within twenty-four hours of discovering a cyber intrusion or potential cyber intrusion. Moreover, Covered Entities would need to provide updates to CISA every seventy-two hours until the cyber intrusion has been mitigated.

Covered Entities that report to CISA under CINA would be afforded certain protections regarding their reports, including that the report would not be admissible as evidence in any resulting criminal or civil action and would be exempt from subpoenas, except those coming directly from Congress.

CINA provides that Covered Entities that fail to report a cyber intrusion to CISA are subject to penalties determined by the Administrator of the General Services Administration (GAO), including but not limited to removal from Federal Contracting Schedules. CINA also provides that Covered Entities that fail to report cyber intrusions to CISA may be “subject to financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year.”

Beckage closely monitors changes in laws governing cybersecurity incidents and breaches of system security, including those that affect government contractors and suppliers. Beckage’s team of attorneys and technologists is especially attuned both to responding to a data breach and to understanding what a robust cybersecurity program entails. Beckage will continue to monitor CINA as it makes its way through the Senate and will update accordingly.

CISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

On July 19th, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory on Chinese state-sponsored threat actors. The advisory warns of potential malicious activity targeting “U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations.”

In response to this increased threat, CISA suggests organizations, particularly managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions, take the following steps: 

Patch your systems as soon as you can after operating system and application patches are released. Threat actors often reverse-engineer updates quickly to determine which vulnerability is being fixed and whether it can be weaponized.

Employ monitoring and detection technologies that give you a 360-degree view of what is happening on your network. Be sure you can see lateral movement, which may reveal indicators of compromise; inside-out traffic to malicious hosts, which may indicate command-and-control communication; and outside-in communication, which could reflect attempts at compromise from external sources.

Implement strong preventative measures to mitigate or help prevent compromise from occurring. These include active anti-virus and multi-factor authentication.

Read the full cybersecurity advisory issued by CISA here. While this alert focuses on businesses that would be potential targets for nation-state threat actors, the advice above applies to any business. Following these best practices does not guarantee the prevention of a security incident, but it can make it substantially more difficult for threat actors to gain a foothold in an organization’s network and systems, and it can reduce detection time.

If you suspect any malicious activity in your systems, or would like to speak to an incident response attorney to help improve your organization’s security, Beckage attorneys can be reached 24/7 via our Data Breach Hotline: 844.502.9363 or IR@beckage.com.  

Myriah V. Jaworski Quoted in Law.com Article: “NYC’s New Biometric Privacy Law ‘An Indication of What Is to Come’”

Many businesses have a New York presence or are potentially collecting biometric information from New York residents. Maybe the passing of a New York biometric law is in fact the reason that businesses determine to roll out biometric policies on a nationwide basis.

Myriah V. Jaworski, Esq., CIPP/US, CIPP/E,
Beckage Litigation Team Lead
The Colorado Privacy Act: Explained

On July 8th, Colorado Governor Jared Polis signed Senate Bill 190, the Colorado Privacy Act (CPA), into law. The Act is the third comprehensive state privacy law in the United States, following California’s Consumer Privacy Act and Virginia’s Consumer Data Protection Act.

The CPA applies to businesses that collect and store data on more than 100,000 individuals, or that earn revenue from the data of more than 25,000 consumers. The bill also includes various data subject rights, a broad opt-out consent model with a universal opt-out mechanism, a right to cure, and attorney general rulemaking and enforcement. It is set to go into effect on July 1, 2023.

The CPA carries specific rights for the consumer including:

  • Opt-out of processing of personal data.
  • Authorization of another person to act on behalf of the consumer to opt-out of the processing of personal data for purposes of targeted advertising or the sale of consumer data.
  • Confirm whether personal data is being processed and access that data in a portable and readily usable format.
  • Correct inaccurate personal data.
  • Delete personal data.
  • Obtain consent before collection of certain sensitive personal data (data that reveals race or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sexual orientation or sex life, citizenship or citizenship status, or genetic or biometric data).

The opt-out model gives consumers a user-selected universal opt-out mechanism for exercising their opt-out right; however, it applies to targeted advertising and the sale of information. Consumers cannot opt out of unnecessary and irrelevant collection of information. Controllers must honor the universal opt-out. Consumer requests must be verifiable, and a controller may deny a request that cannot be authenticated.

All consumers are given the opportunity to appeal any denial of a request. Under the Act, controllers are required to respond to a consumer’s request to exercise their rights within 45 days of receiving the request. The period may be extended by an additional 45 days with a notice of delay and the reasons for the delay.

Controllers must obtain a consumer’s consent before processing the consumer’s sensitive information. Consent must be a clear, affirmative act signifying the consumer’s freely given, specific, informed, and unambiguous agreement. Consent cannot be obtained by way of acceptance of general or broad terms of use. While the CPA requires consent to process “sensitive” personal data, the bill exempts protected health information and de-identified information under HIPAA; financial institutions and nonpublic personal information under the Gramm-Leach-Bliley Act; information regulated by the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act, and the Family Educational Rights and Privacy Act; and information regulated by the Driver’s Privacy Protection Act of 1994. The CPA also exempts information maintained for employment records purposes.

Under the CPA, controllers are also required to conduct and document a data protection assessment for each processing activity involving personal data that presents a heightened risk of harm to a consumer.

Controllers must provide a privacy notice to the consumer including:

  • Categories of personal data collected, processed, and/or shared with third parties,
  • Purposes for processing such data,
  • Categories of third parties with whom the controller shares personal data,
  • How and where consumers may exercise their rights, and
  • Whether the controller sells personal data or processes personal data for targeted advertising.

Data security practices must be appropriate to the volume, scope, and nature of the personal data processed and to the nature of the business. While the CPA establishes these consumer rights and provides for several controller obligations, it does not offer a private right of action.

The Attorney General may address outstanding compliance concerns and ambiguities ahead of the law’s effective date. The Attorney General and state district attorneys will enforce the CPA. Under the bill, a 60-day cure period to rectify non-compliance is provided before the Attorney General or a district attorney may take enforcement action. The cure period is only available until January 1, 2025, and noncompliance can result in civil penalties of not more than $2,000 per violation, not to exceed $500,000 in total for any related series of violations. Again, consumers are not given a private right of action under the bill.

We anticipate that more states will enact legislation regulating sensitive data processing and enhancing consumer privacy rights. Beckage will continue to monitor developments regarding the bill. Our team of highly skilled attorneys is especially equipped to help your business implement a proactive plan to mitigate risk and remain compliant with emerging laws.
