First Year of CCPA Enforcement and New Consumer Notice Tool: Insights Into CCPA Compliance

July marks the one-year anniversary of the California Consumer Protection Act (CCPA) and CCPA enforcement.  Just in time for this anniversary, the California Attorney General (“CA AG”) recently summarized its curative actions (i.e., notices of alleged noncompliance) and released a new consumer tool to assist consumers in notifying business of alleged CCPA violations.  The CA AG’s recent actions demonstrate the breadth of the CCPA’s application across a variety of industries as well as the AG’s commitment to enforcing the CCPA while equipping consumers with mechanisms to assist with enforcement efforts.  

Cure Notices as Effective Enforcement Mechanism  

Under the CA AG’s regulations, businesses found to be in violation of the CCPA receive a “notice to cure” that provides a 30-day window of time to remedy the alleged non-compliance. Rob Bonta, the CA AG, reports that 75% of the companies in receipt of a cure notice responded with amended practices within the 30-day cure period provided under the law. Bonta noted the remaining 25% of alleged violators were either in the middle of their 30-day cure period or under ongoing investigation. 

Following the press release, the CA AG’s Office published examples of the types of notices they have issued against businesses.  Some of the most frequent alleged violations include the following:  

  • There was no “Do Not Sell My Personal Information” Link on the businesses website; 
  • The Notice to Consumers was lacking or inaccurate, lacked the required notice of sale of personal information and notice regarding the minor’s personal information; 
  • The business maintained a non-Compliant Opt-Out process;  
  • The Privacy Policy failed to provide the required request methods for exercising rights; charging fees for the CCPA, and lacked a toll-free number;  
  • The business had defective methods for consumers to submit data subject access requests, provided untimely responses to requests, or charged fees for processing the requests;
  • The business failed to obtain the proper verification information when processing data subject requests or required the creation of a customer account as a means to verify identification;  

The enforcement examples show that the CA AG is looking for a wide range of CCPA violations across the various methods that businesses collect personal information from consumers, from online websites and platforms to mobile applications, and even in-person data collection.  

New Consumer Privacy Interactive Tool

The CA AG also launched a new interactive tool to help consumers notify businesses of alleged non-compliance with the CPPA for a lack of a clear and conspicuous “Do Not Sell My Personal Information” (DNSPI) link on its website.  While consumers cannot sue organizations directly yet, this new consumer tool provides a direct mechanism for consumers to issue a notice of noncompliance to a business, triggering the 30-day period to cure, which in turn triggers the Attorney General’s right to sue if a CCPA violation is not remedied. 

Although the new consumer tool for issuing notices only applies to the lack of a DNSPI link, this tool will likely be expanded for other CCPA rights.  

Overall Takeaways:  

  • Lack of a “Do Not Sell My Personal Information” Link Is An Easy Target – Not having an DNSPI link is an easy red flag for non-compliance that could likely trigger a notice to cure from the AG directly, or now from a consumer via the new tool   
  • Watch Out for AG Notice – The Attorney General’s Office is and will continue to use the notice to cure as effective way of CCPA enforcement. Organizations should clarify their CCPA obligations, take steps to be CCPA compliant to avoid triggering a notice to cure, and be prepared to respond and address promptly should you receive a notice.  
  • Watch Out for Consumer Notice – The new Consumer Privacy Interactive Tool streamlines the DNSPI link noncompliance notice process and will likely expand to other CCPA violations. Organizations should clarify their obligations to include a DNSPI link on their websites and implement where required.   
  • All Business Subject to Enforcement – All businesses across a variety of industries are ripe for enforcement actions under the CCPA.  
  • External and Internal Policies Matter – Organizations should review their external facing notices and internal processes in light of enforcement actions and update accordingly to meet compliance obligations. Be sure your Privacy Notice is up to date and accurate, including the notice of required CCPA rights, instructions on how to exercise those rights, and methods to exercise rights.  
  • Don’t Forget About Service Providers – Review agreements with service providers to be sure they adequately address data security and privacy by including provisions that impose restrictions on the use of personal information and other CCPA-specific provisions/addendums.  

In sum, companies subject to the CCPA should take initial steps to evaluate compliance obligations and implement proactive measures to minimize a potential enforcement action.  The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA enforcement risk.  From reviewing your external policies and data collection practices to reviewing your data mapping and data subject access right procedures, this last year of enforcement underscores the importance of operationalizing robust data security and privacy practice that can stand the test of time and adapt to the evolving consumer privacy landscape.   

*Attorney Advertising. Prior results do not guarantee similar outcomes. *

Subscribe to our Newsletter.