The California Office of the Attorney General (OAG), under the leadership of new Attorney General (AG) Rob Bonta, has taken significant actions in recent weeks indicating that it is ramping up and potentially adding a new area of focus in its enforcement of the California Consumer Privacy Act (CCPA).
First, on July 19, 2021, the OAG issued a press release providing highlights from the first full year of CCPA enforcement. It noted that 75% of businesses that received notices of noncompliance addressed the cited issues during the 30-day cure period and that the remaining 25% are still within their cure period or are facing active investigation.
AG Bonta also encouraged Californians to exercise their privacy rights and announced a new Consumer Privacy Interactive Tool that guides a consumer through a series of questions to help the consumer understand the CCPA. The tool allows California consumers “to directly notify businesses” if a business is not complying with the “Do Not Sell” link requirements in the statute, and it generates a notification email that a consumer can send to a business, which “may trigger the 30-day period for the business to cure their violation of the law.”
The press release also promotes a consumer’s ability to report violations of the CCPA to the OAG directly through a consumer complaint form.
In addition to its press release on July 19, 2021, later in the day the OAG provided descriptions of 27 different examples of CCPA actions it had taken, revealing that AG Bonta was not talking about just a handful of cases. The cases included various acts of noncompliance, including failures to clearly disclose consumer rights, financial incentives or the CCPA’s “Do Not Sell” link, and failures to timely respond to consumer requests. The examples provided by the OAG covered a wide range of businesses, from grocery chains to streaming media services.
Second, the OAG updated its CCPA FAQ page in late June 2021 with comments that portend a new era of enforcement priorities. About a third of the OAG’s reported CCPA actions already involved “Do-Not-Sell” violations, but the new FAQs suggest that the OAG will now also be looking at honoring global opt-out signals from consumers via browser or other application/device-level settings. The OAG’s regulations for the CCPA include a requirement that businesses collecting personal information from consumers online treat “user-enabled global privacy controls . . . as a valid request [to opt-out of the sale of personal information].” Cal. Code Regs. tit. 11 § 999.315(c). The update to the CCPA FAQs added the questions, “What is the GPC?” and “How do I submit my opt out request using the GPC?” and went on to describe the Global Privacy Control (GPC), a cross-industry effort to develop a global privacy preference specification.
The state of the CCPA’s global privacy control requirement has been uncertain since the law’s passing. Until now, the requirement seemed low on the list of compliance priorities for industry and the OAG. On the one hand, the OAG’s regulations required that businesses honor global privacy signals immediately when the regulations became effective in August 2020. On the other hand, other language in the regulations is permissive.
For example, the regulations suggest that a global privacy control is merely one of many potential “acceptable methods” to receive consumer opt-out requests, and a business just needs to provide two “acceptable methods” for consumers to submit such requests (e.g., via a webform or through a 1-800 number). See Cal. Code Regs. tit. 11, § 999.315(a). That said, during the notice-and-comment period of the rule-making process, the OAG had encouraged businesses to “start innovating to support [the Global Privacy Control] protocol” because the OAG recognized that it satisfies the requirements of the CCPA.1
Overall, businesses should expect increased enforcement by the OAG and additional scrutiny of the CCPA-related information on their websites. Businesses also should be on the lookout for incoming CCPA requests sent via the OAG “Tool,” which would come from outside a business’s existing CCPA compliance systems and could be disregarded if employees are unaware. Finally, businesses should consider speeding up their ability to respond to global privacy signals, such as the Global Privacy Control, in a browser or other device, in light of the new emphasis on these tools by the OAG.
Even as businesses are beginning to look ahead to the California Privacy Rights Act (CPRA) compliance starting in 2023 (which has a look-back to information collected starting in 2022), they should not forget their ongoing — and evolving — obligations under the CCPA.
- See California Consumer Privacy Act Regulations Rulemaking File, Second Addendum to Final Statement of Reasons (FSOR), App. G: Summary and Response to Comments Submitted During Third 15-day Comment Period, Response #14.