CCPA Enforcement is Here
The California Consumer Privacy Act (CCPA) has been officially in force since July 1, 2020, and we now have almost one month of statements and news from the California AG indicating they have not wasted time in beginning enforcement.
While further implementing regulations are still expected, the AG has a very detailed FAQ available covering some of the major aspects of CCPA. The fact that additional guidance is still expected does not mean that there is any sort of grace period or safe harbor, and the AG confirmed enforcement letters have indeed been sent to at least 30 organizations.
Under CCPA, organizations will need to meet the following criteria as soon as possible:
The right to know about the personal information a business collects and how it is used and shared.
The right to delete personal information collected.
The right to opt out of the sale of personal information; businesses need to clearly and conspicuously display a link that is clear, unique, and obviously spelled out.
The right to non-discrimination for exercising CCPA rights.
Since the beginning of July, the AG has prioritized consumer complaints, acknowledging that they often source issues from Twitter. The first batch of warning letters focused on businesses’ online representations about how they handle data, particularly related to claims to not sell data.
The AG has also indicated that, as the additional CCPA regulations are finalized, they may use notices of violations as a way to emphasize enforcement priorities and specific statutory interpretations. Some of these interpretations may result in material changes to the way you conduct your data collection and governance practices.
For example, the AG has indicated that third-party cookies that track consumers across the website constitute a “sale” and may bring many more organizations into the scope of CCPA.
Some of the interpretations may also be very nuanced. Simply referring to the privacy policy at the point of collection may not satisfy the requirements of notice of collection, but a link to the section of the privacy policy with the notice of collection disclosures is sufficient.
Letters are just a notice that the AG believes you may be violating the CCPA, but should not necessarily be viewed as a definitive statement of violation, nor will such letters be made de facto public. The goal of the AG isn’t to just collect penalties. Instead, the AG wants your organization to make corrections and come into compliance and is willing to cooperate and coordinate to make that a reality.
And at this early stage of effect, they recognize some uncertainty still exists and are acting reasonably by providing organizations an opportunity to respond and correct. However, the express recommendation is to engage and not just self-correct.
We at Bay Regulatory Strategy have extensive experience working with regulators on situations just like this, in response to regulator inquiries and notice letters as well as acting proactively to not receive one, and would welcome the opportunity to help you navigate any issues with compliance. Businesses will only receive a 30-day notice for a violation, so please feel free to reach out with any questions about CCPA or how we can help your organization.