During a recent keynote presentation with the IAPP following the July 1 enforcement deadline of the CCPA, Stacey Schesser, Supervising Deputy Attorney General for the State of California (“Deputy AG”), provided a bit of a roadmap for CCPA enforcement actions from the California Attorney General (“AG”) that are both currently underway and expected in the near future.
A first round of notice letters was sent on July 1, 2020 to businesses, the list of which has not been made public and is unlikely to be provided before the end of the 30-day cure period from the date of the initial notice letters. However, what we were able to gather from the Deputy AG’s chat is that businesses operating online were principally targeted across multiple industries, and the notices were generally based on failures to either (a) provide key disclosures required by CCPA or (b) include the “Do Not Sell My Information” link where the AG deemed it in fact necessary. Targeted businesses were identified after review of online policies by the AG, but interestingly, others were identified from customer complaints on social media sites such as Twitter. As expected, it is clear that the sale of personal information – as defined under CCPA with all of its ambiguities – is going to be one of the main issues and key enforcement points. However, until the CCPA Regulations have been reviewed and approved by the Office of Administrative Law, some of the ambiguities are unlikely to be resolved immediately.
As to future enforcement, we already knew from a statement made by the AG a few months ago that the personal information of children would be high on the priority list, along with sensitive information such as health and financial information. However, the Deputy AG also noted that the interplay of CCPA with California Unfair Competition Law and other laws would also be on the list, as well as repeated consumer complaints including those contained in class actions filed by individuals.
The key takeaway is that enforcement is already underway, albeit “quietly”, and businesses that have put off compliance – or failed to properly comply – may soon find themselves the target of the AG. In addition to ensuring compliance with the basic required disclosures under the CCPA, businesses should ensure that they have performed a complete assessment of any disclosures of personal information to determine whether any such disclosures constitute a sale.
As a reminder, a business is deemed to be in violation of the CCPA if it fails to cure any alleged violation within 30 days of being notified of alleged noncompliance. Any business, service provider, or other person that violates the CCPA is subject to potential injunctions and liability of civil penalties of up to $2,500 for each violation or $7,500 for each intentional violation. Coupled with the potential class actions that may come with security breaches under the CCPA, failure to comply can be costly.