First Year of CCPA Enforcement and New Consumer Notice Tool: Insights Into CCPA Compliance

July marks the one-year anniversary of enforcement of the California Consumer Privacy Act (CCPA). Just in time for this anniversary, the California Attorney General (“CA AG”) summarized its curative actions (i.e., notices of alleged noncompliance) and released a new consumer tool to help consumers notify businesses of alleged CCPA violations. The CA AG’s recent actions demonstrate the breadth of the CCPA’s application across a variety of industries, as well as the AG’s commitment to enforcing the CCPA while equipping consumers with mechanisms that feed its enforcement efforts.

Cure Notices as Effective Enforcement Mechanism  

Under the CCPA, a business alleged to be in violation receives a “notice to cure” that opens a 30-day window to remedy the alleged non-compliance before an enforcement action can be brought. Rob Bonta, the CA AG, reports that 75% of the companies that received a cure notice amended their practices within the 30-day cure period provided under the law. Bonta noted that the remaining 25% of alleged violators were either still within their 30-day cure period or under ongoing investigation.

Following the press release, the CA AG’s Office published examples of the types of notices it has issued to businesses. Some of the most frequent alleged violations include the following:

  • There was no “Do Not Sell My Personal Information” link on the business’s website;
  • The notice to consumers was missing or inaccurate, lacked the required notice of the sale of personal information, or lacked the required notice regarding minors’ personal information;
  • The business maintained a non-compliant opt-out process;
  • The privacy policy failed to describe the required methods for submitting requests to exercise rights, stated that fees would be charged for CCPA requests, or lacked a toll-free number;
  • The business had defective methods for consumers to submit requests to know or delete, responded to requests late, or charged fees for processing them;
  • The business failed to collect the proper verification information when processing consumer requests, or required the creation of a customer account as a means of verifying identity.

The enforcement examples show that the CA AG is looking for a wide range of CCPA violations across the various methods that businesses collect personal information from consumers, from online websites and platforms to mobile applications, and even in-person data collection.  

New Consumer Privacy Interactive Tool

The CA AG also launched a new interactive tool to help consumers notify businesses of alleged non-compliance with the CCPA for lack of a clear and conspicuous “Do Not Sell My Personal Information” (DNSPI) link on their websites. Consumers have no private right of action for this type of violation, but the new tool provides a direct mechanism for a consumer to issue a notice of noncompliance to a business, which starts the 30-day cure period; if the violation is not remedied within that period, the Attorney General may bring an enforcement action.

Although the new consumer tool for issuing notices only applies to the lack of a DNSPI link, this tool will likely be expanded for other CCPA rights.  
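The check behind the consumer tool is mechanical enough to run against your own web properties before a consumer or the AG does. The script below is an added example, not code from the original post or from the CA AG’s tool: it parses a page’s HTML and reports every link whose visible text is the DNSPI phrase. The two sample pages are constructed for illustration, and accepting the CPRA’s “Do Not Sell or Share” wording as well is an assumption.

```python
"""Added example (not code from the original post or the CA AG's tool):
scan an HTML page for a "Do Not Sell My Personal Information" link.
The sample pages below are constructed, not taken from any real site."""
from html.parser import HTMLParser
import re

# Link text to look for. The optional "or share" accepts the CPRA wording too
# (assumption: either variant should count as a DNSPI link).
DNSPI_TEXT = re.compile(
    r"do\s+not\s+sell(\s+or\s+share)?\s+my\s+personal\s+information", re.I
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, text fragments] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href", ""), []]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, fragments = self._open
            text = " ".join("".join(fragments).split())  # collapse whitespace
            self.links.append((href, text))
            self._open = None


def find_dnspi_links(html: str) -> list:
    """Return every (href, text) link whose visible text is the DNSPI phrase."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(href, text) for href, text in collector.links if DNSPI_TEXT.search(text)]


def has_dnspi_link(html: str) -> bool:
    """True if the page carries at least one DNSPI link. Only presence is
    checked; whether the link is "clear and conspicuous" (not hidden by CSS,
    reachable from the homepage) still needs a rendered-DOM or manual review."""
    return bool(find_dnspi_links(html))


# Constructed sample: the link is present, with its text split across tags.
COMPLIANT_PAGE = """
<html><body>
  <footer>
    <a href="/privacy">Privacy Policy</a>
    <a href="/privacy/do-not-sell">Do Not Sell
      <span>My Personal Information</span></a>
  </footer>
</body></html>
"""

# Constructed sample: the phrase appears only as plain text, not as a link.
NONCOMPLIANT_PAGE = """
<html><body>
  <footer>
    <a href="/privacy">Privacy Policy</a>
    <p>Do Not Sell My Personal Information</p>
  </footer>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("compliant", COMPLIANT_PAGE), ("noncompliant", NONCOMPLIANT_PAGE)):
        print(name, has_dnspi_link(page), find_dnspi_links(page))
```

Run it over the fetched homepage of each property you operate; a page that prints the phrase without a link, or that buries the link behind a cookie banner, is exactly the kind of page the consumer tool is built to report.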

Overall Takeaways:  

  • Lack of a “Do Not Sell My Personal Information” Link Is an Easy Target – A missing DNSPI link is an easy red flag for non-compliance that can trigger a notice to cure from the AG directly, or now from a consumer via the new tool.
  • Watch Out for AG Notices – The Attorney General’s Office is using, and will continue to use, the notice to cure as an effective means of CCPA enforcement. Organizations should clarify their CCPA obligations, take steps to become CCPA compliant to avoid triggering a notice to cure, and be prepared to respond promptly should they receive one.
  • Watch Out for Consumer Notices – The new Consumer Privacy Interactive Tool streamlines the notice process for a missing DNSPI link and will likely expand to other CCPA violations. Organizations should determine whether they are required to post a DNSPI link on their websites and implement one where required.
  • All Businesses Are Subject to Enforcement – Businesses across a variety of industries are ripe for enforcement actions under the CCPA.
  • External and Internal Policies Matter – Organizations should review their external-facing notices and internal processes in light of the enforcement actions and update them to meet compliance obligations. Be sure your privacy notice is up to date and accurate, including the notice of CCPA rights, instructions on how to exercise those rights, and the methods for exercising them.
  • Don’t Forget About Service Providers – Review agreements with service providers to be sure they adequately address data security and privacy by including provisions that restrict the use of personal information and other CCPA-specific provisions or addenda.

In sum, companies subject to the CCPA should take steps now to evaluate their compliance obligations and implement proactive measures to minimize the risk of an enforcement action. The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA enforcement risk. From reviewing your external policies and data collection practices to reviewing your data mapping and consumer request procedures, this first year of enforcement underscores the importance of operationalizing robust data security and privacy practices that can stand the test of time and adapt to the evolving consumer privacy landscape.

*Attorney Advertising. Prior results do not guarantee similar outcomes.*


California Passes Proposition 24 on Consumer Privacy

Businesses that have worked hard to implement California Consumer Privacy Act (CCPA) compliance initiatives will have a whole new set of privacy standards to comply with in the very near future.  California’s Proposition 24, also known as the California Privacy Rights Act (CPRA), has passed, expanding the state’s consumer privacy regulations. 

The CCPA, which passed only two years ago, the final regulations of which were just released earlier this year, will remain in effect until the CPRA becomes effective on January 1, 2023.  The CPRA expands the CCPA, adding new privacy rights aimed at strengthening consumer privacy. 

Among the changes introduced by the CPRA is the creation of a new agency, governed by a five-member board, with regulatory authority for enforcement of both the CCPA and CPRA. The California Privacy Protection Agency will take over enforcement authority from the California Attorney General and dramatically change the way privacy rights are handled. The Agency will be empowered to issue regulations and impose fines on businesses that fail to comply. The Agency is slated to be established by July 1, 2021, with enforcement under the CPRA beginning on July 1, 2023.

What is new in the CPRA? 

The CPRA modifies the CCPA in some meaningful ways by introducing new privacy rights and obligations pertaining to certain categories of personal information.  The updates will likely have a significant impact on companies that do business in California.  

New provisions of the CPRA include:

  • Sensitive Personal Information. The CPRA introduces a newly defined category of personal information that includes things like social security number, driver’s license number, passport number, sexual orientation, biometric data, health and financial information, and precise geolocation.
  • Additional Consumer Rights.  In addition to the rights conferred upon consumers under the CCPA, the CPRA gives consumers additional rights, including the right to:
    • correct inaccurate personal information;
    • know how long the business retains their personal information;
    • opt out of the use of their precise geolocation;
    • limit businesses to collecting no more data than is reasonably necessary;
    • limit the use and disclosure of their sensitive personal information;
    • know what personal information is sold or shared and to whom;
    • be free from retaliation for exercising privacy rights.
  • Sharing of Data.  Of note, the CPRA allows consumers to opt out of the sharing of their personal information (rather than sale) for “cross-context behavioral advertising.”  This change is intended to close a perceived loophole in the CCPA that some businesses have relied on to avoid compliance.  This means businesses who do not sell data but share for digital advertising purposes may have to comply.
  • Expanded Breach Liability.  The CPRA adds a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.
  • Disclosure Obligations.  Businesses will be required to disclose, for each category of personal information, how long they intend to retain it (or, where that is not possible, the criteria used to determine the retention period) and the purposes for which it is collected and used.  Misrepresentations would constitute a statutory violation.
  • Increased Penalties for Children’s Personal Information.  The CPRA triples the maximum penalty for violations involving the personal information of consumers under the age of 16, from $2,500 to $7,500 per violation, the same amount that applies to an intentional violation.
  • Third Party Requirements.  Businesses that share personal information with third-party service providers are required under the CPRA to enter into contracts extending the CPRA privacy requirements to the third parties.
  • Covered Business.  The CPRA also slightly updates who is a covered business required to comply, raising the threshold for buying, selling, or sharing personal information from 50,000 to 100,000 California consumers or households.

Certain exemptions from the CCPA are retained in the CPRA, including exemptions for medical information or protected health information covered by HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act).  In addition, the CPRA extends the CCPA’s exemption for employee information and business to business data until January 1, 2023.

What impact will the CPRA have?

The CPRA becomes effective on January 1, 2023.  The CPRA will apply to personal information collected on or after January 1, 2022.  While many details still need to be clarified and defined through regulation, the impact of the CPRA will likely be significant as the concept of sharing is much broader in scope than selling.  The passage of another stringent privacy law in California may boost the likelihood of a comprehensive federal privacy law in the near term.

Beckage’s California Privacy Team continues to actively monitor the updates to the privacy landscape and the impacts the new data privacy law will have. The CPRA underscores the importance of operationalizing robust data security and privacy practices that can stand the test of time and adapt to the evolving consumer privacy landscape.  To learn more about the impact the CCPA and the CPRA may have on your business reach out to our team of attorneys.

*Attorney Advertising. Prior results do not guarantee future outcomes.*


Data Breach Compliance Under the CCPA – What You Need to Know

The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, and with it came expanded data breach exposure and an increased risk of litigation. Attorney General enforcement of the privacy provisions cannot begin until six months after the final regulations are published or July 1, 2020, whichever comes first; data breaches, however, are already subject to enforcement through the consumer private right of action.

In fact, substantial data breach litigation has already begun under the CCPA, primarily in the form of consumer class actions brought in federal courts in California.

Businesses should be aware and prepared to comply with the data breach compliance requirements of the CCPA in the event of a data breach incident, as discussed below, or risk facing litigation.

Breach Defined

The CCPA provides consumers with a limited private right of action when “nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations expose the business to statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief.

Personal Information Defined

For a data breach to be actionable, the information breached must be personal information as narrowly defined by California’s data breach notification law, Cal. Civ. Code § 1798.81.5, not the broad definition used elsewhere in the CCPA.  For the private right of action for data breaches, personal information means:

An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements…:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

(iv) Medical information.

(v) Health insurance information.

(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.

This narrower definition of personal information should work to limit the availability of CCPA’s private right of action.

What Constitutes “Reasonable Security?”

The CCPA does not define “reasonable security” and the California Attorney General has not yet offered guidance on the subject. However, some California regulators have endorsed certain security measures as providing “reasonable security” in contexts outside of the CCPA.  

For example, the February 2016 California Data Breach Report, issued under then-Attorney General Kamala Harris, provided clear guidance on what her office considered reasonable security. The report pointed covered entities to the Center for Internet Security’s Critical Security Controls (“CIS Controls”) as a baseline, stating that failure to implement all of the Controls that apply to an organization’s environment constitutes a lack of reasonable security. The CIS Controls consist of twenty key actions, including inventory of hardware and software, controlled use of administrative privileges, data protection, and incident response and management. Although the CIS Controls are not prescriptive safeguards for CCPA compliance, they are a good place to start.

Notice and Cure Period

Before bringing an action for statutory damages, the CCPA requires the consumer to give the business 30 days’ written notice identifying the specific provisions allegedly violated. If the business cures the violation within those 30 days and provides the consumer with an express written statement that the violation has been cured and no further violations will occur, no action for individual or class-wide statutory damages may be brought. Businesses that fail to cure open themselves up to a civil action for statutory damages, injunctive relief, and any other relief the court deems proper. Note that the notice and cure requirement does not apply to an action solely for actual pecuniary damages.

CCPA Prohibition

The CCPA does appear to prohibit lawsuits that leverage the CCPA to state other claims. The CCPA explicitly prohibits consumers from using alleged CCPA violations “to serve as the basis for a private right of action under any other law,” which should bar a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq., or other statutes. However, as described in other blogs, this has not stopped plaintiffs from bringing exactly these types of claims. Judicial decisions are needed to settle the scope and enforceability of the CCPA’s prohibition on non-CCPA claims.

Takeaway

Businesses should continue to follow CCPA developments and carefully monitor related litigation in the coming months for further clarity on enforcement and compliance. CCPA data breach litigation is expected to increase considerably as plaintiffs take advantage of the CCPA’s private right of action for data breaches resulting from a company’s failure to implement and maintain “reasonable” security measures. Additionally, AG enforcement of the CCPA’s privacy provisions is expected to commence soon, adding a further layer of enforcement activity that businesses must be aware of. The Beckage team will continue to provide timely updates on the CCPA landscape and potential claims, and is available to discuss practical low-cost, high-impact tips for mitigating CCPA litigation risk.

*Attorney Advertising. Prior results do not guarantee future outcomes.*


Update: CCPA Takes Effect, AG Releases Advisory

As the groundbreaking California Consumer Privacy Act (CCPA) took effect on January 1, many were still working to understand the new requirements for businesses and the rights bestowed on consumers. The California attorney general (AG) followed up on January 6 with a CCPA advisory press release reviewing the regulations and restating that California residents are now afforded new, more stringent data privacy rights. The CCPA has been big news for anyone who does business in California. But the million-dollar question for New York-based companies that handle California consumer data is whether the CCPA applies to them. While we still await clarity on many of the key components of the Act, the recent advisory does provide some useful reminders for businesses to think about.


Looking Back: Top Privacy and Cybersecurity Headlines from 2019

In the fast-paced, ever-evolving world of privacy and cybersecurity law, gathering the biggest news from 2019 was no small feat – from new laws and landmark cases, to major technological developments and international guidelines, it was a busy year for anyone trying to stay up to date. But Beckage has narrowed down the top privacy and cybersecurity stories that shaped last year:
