In April, Rob Bonta became the new California Attorney General. In swift form, and not taking any summer break, he has made it clear that privacy and CCPA compliance is a priority, and that enforcement won’t be limited to a handful of requirements under the CCPA, as many previously believed.
First, the Attorney General posted several examples of enforcement actions, including those addressing the following issues:
- lack of proper service provider agreements and terms
- lack of transparency in website privacy notice of company’s role as a service provider
- failure to provide CCPA rights of right to know, delete, and to not be discriminated against, or disclose the request methods established for consumers to exercise their CCPA rights
- failure to include a “Do Not Sell My Information” link
- untimely CCPA responses to consumer requests
- failure to provide a notice of financial incentives
Notably, the enforcement action samples show that businesses in various industries were targeted ranging from toy distributor to online platform to grocery store to edtech and video game providers.
New CCPA FAQs also have been added to the Attorney General’s FAQ site. The FAQs now include a question titled, “What is the GCP?” GCP or a user-enabled global privacy control was developed for consumers to download an easy-to-use extension that can be used on multiple browsers to communicate their choice not to have their data “sold”. Coupled with the Attorney General’s list of examples of enforcement actions, the Attorney General is indicating that implementing and following GCP is mandatory. In this ever-changing privacy realm, it should be noted that GCP is a global opt-out signal whereas the California Privacy Rights Act (CPRA) will require a signal that can be customized per entity. The CPRA, essentially an amendment to the CCPA, will be effective in 2023. It is possible that in the meantime, clarifications will be issued as to how to resolve this potential conflict.
The Attorney General also released a new automated consumer complaint mechanism, which “may” trigger a 30-day cure period, which was previously considered a cure period from the time the Attorney General notified a business of a violation. Not only will this help consumers by tailoring their complaints, it most certainly will result in an uptick of complaints, some of which may be invalid, if not only simply due to consumers not understanding whether or not certain CCPA requirements apply to a given business. For now, the tool is limited to reports of businesses not properly posting the “Do Not Sell My Information” link. However, many companies are not required to include a “Do Not Sell My Information” link so the complaint mechanism will result in consumers complaining about any business that does not include such link. The Attorney General will now have this community policing tool to help find businesses and target ones for enforcement actions. Businesses will need to take consumer complaints seriously and address them promptly within the 30-day cure period or risk investigations by the Attorney General. In upcoming months, the tool may expand to allow consumers to report other issues.
If your business formerly adopted a wait-and-see approach on CCPA, now is the time to get compliant before the Attorney General steps up enforcement on your business.