Skip to main content

California AG Releases Important CCPA Enforcement Information and Announces an Online Consumer Reporting Tool

To note the one year anniversary of the California Consumer Privacy Act (CCPA) enforcement date, California Attorney General Rob Banta held a press conference on July 19, 2021 to share key information about enforcement efforts and announce a new consumer privacy tool. He also praised businesses for their prompt compliance efforts and urged consumers to be proactive about their privacy rights.

Attorney General Banta began by sharing compliance data, which his office deemed satisfactory, if not encouraging: “To date, 75% of businesses that received a notice to cure addressed the alleged CCPA violations within the 30-day window. The remaining 25% are either within their 30-day window or are under an active investigation.”

Enforcement Profiles

The California Department of Justice began enforcing the CCPA on July 1, 2020, when it first started to notify businesses of potential non-compliance. The CCPA gave businesses 30 days to cure or fix the alleged violations. Notices to cure have been issued to a wide variety of organizations including retailers, manufacturers, social media platforms, data brokers, marketing companies, businesses handling children’s data, media outlets, and others. To help businesses and consumers better understand the enforcement efforts and successes to date, he also provided four detailed examples of the alleged CCPA violations his office had addressed in the last year.

  • In one recent example, users of a social media platform complained that the company was slow in responding to CCPA requests, and consumers were not notified that their requests had been received or, in fact, completed. After receiving the AG’s notice to cure, the business promptly fixed its platform and further corrected its response measures.
  • In another enforcement example, an online dating app was forcing users to accept sharing of their personal information whenever they signed up for online dating service. The platform also did not have the required “do not share” link. After receiving notice of violation and working collaboratively with the AG’s office, the company cured the violations and added the required link.
  • A car manufacturer failed to notify its consumers of the use of their personal information that it collected whenever they signed up for test drives. After the AG’s notice of violation, the company implemented a notice at collection and further updated its privacy policy to include the requisite information.
  • Finally, a grocery chain required consumers to provide their personal information in exchange for participation in its loyalty program. Yet it failed to provide a notice of a financial incentive to participating consumers. Upon receiving a notice of the violation, the company promptly took corrective action.

Attorney General Banta emphasized that these examples “are really encouraging,” as they show that “businesses are motivated and able to comply with the law.” Given that the vast majority of businesses are reportedly willing to comply with the CCPA, the AG’s office is predominantly focusing on ensuring compliance rather than penalizing businesses. “We don’t want any ‘gotchas’ here,” he reiterated.

Reminder of CCPA Consumer “Rights”

The AG also encouraged California consumers to be more proactive about exercising their CCPA rights and reporting the violations: “The CCPA is only as good as the people who participate in it. In order to have control of your personal data, you must act.” Attorney General Banta explained that the CCPA rights are not self-executing, and individuals must opt out and ensure that they use the opt-out feature as they see fit. “It’s never too late,” he concluded, to use the rights and tools provided by the CCPA.

Broadly speaking, the AG reminded consumers of the following rights under the CCPA: the right to know, the right to delete, the right to opt out, rights for minors under 16, the right to non-discrimination. We have reported on these rights in greater detail here and have written extensively about the CCPA here. Yesterday’s press release confirmed that the AG’s office is laser-focused on protecting consumers’ CCPA rights and is actively thinking of new ways to help individuals protect their personal information.

Consumer Reporting Tool for “Do Not Sell” Opt-Outs

To make reporting even easier, the AG office therefore launched a new online Consumer Privacy Interactive Tool that allows consumers to directly notify businesses that they do not appear to comply with the CCPA. This tool was launched yesterday and is already available on the AG’s website, though it still has limited reporting capabilities and is being further developed. The tool asks consumers to answer several basic questions and then generates information that can then be emailed to the businesses. Importantly, reports submitted using this tool may by used by the AG’s office to trigger a 30-day notice letter to the business. Additionally, the AG’s website has an online complaint form where consumers can submit a CCPA complaint about businesses they believe are in violation of the CCPA.

Takeaways

There are two key takeaways from yesterday’s announcement. First, it is important to note that the AG’s office is heavily focused on the CCPA enforcement, albeit with the goal of ensuring compliance rather than penalizing businesses. Second, with the release of the new privacy reporting tool, businesses need to be hyper aware of notices of violations that can trigger the 30-day cure period and must be prepared for an increase of reports of potential violations. If you have any questions about the CCPA enforcement, the online tool, or about how the latest privacy litigation trends may impact your business, be sure to contact our privacy and cybersecurity team at Mintz.

 

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.