Those wondering how California Consumer Privacy Act enforcement went after the law's first year in effect got that answer and plenty more July 19. California Attorney General Rob Bonta held a press conference to tout the effectiveness of the CCPA, particularly its cure notices, while unveiling a new Consumer Privacy Tool for individuals to report instances of missing or unclear "Do Not Sell My Personal Information" buttons on companies' websites.
Bonta said he was pleased to report 75% of the companies that received notice of a CCPA violation responded with amended practices within the 30-day cure period provided under the law. Bonta noted the remaining 25% of alleged violators were either in the midst of their 30-day cure period or under ongoing investigation.
"We've sent quite a few, but the good news is when we send out notices to cure we get a response," Bonta said. "We're not seeing resistance, stiff-arming or foot-dragging."
In addition to the cure statistics, Bonta offered specific examples, without naming actual companies, of instances where notices were received and malpractice rectified. During his presser, Bonta provided four detailed examples of notices issued, including two privacy policies that were missing language regarding certain data activities, an insufficient response to CCPA requests and the lack of a Do Not Sell button. That initial transparency and scope into the attorney general's work went deeper later Monday as Bonta's office published a separate list of 27 notice examples with descriptions.
"I think the attorney general is intending to dispel the notion that it will limit its enforcement to a few core aspects of the CCPA or to certain industries," Greenberg Traurig Of Counsel Darren Abernethy, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS, said of the examples. "I read the (attorney general’s) message as saying, effectively, 'Everything and everyone is fair game, and we’re stepping it up.'"
The right to cure has been a hurdle in some states' efforts to pass state privacy legislation, while Colorado passed a law with language for a sunsetting cure provision. Bonta did not show his hand on whether the right to cure was something his office supported or was merely enforcing under the law, but he did note how encouraged he was to see companies taking their chance to come into compliance after being served a cure notice.
"We're seeing businesses are motivated and able to comply with the law. My belief is that the vast majorities want to comply and will comply," Bonta said. "They want to know how and once they do, they (comply). We're not talking about any 'gotchas' here. We really do we do want compliance and that outcome. That's how consumers and their privacy are protected."
The positive returns on the notices show companies either genuinely want to change their ways for the betterment of consumers, do not want to feel the wrath of the CCPA, or a combination of both. Regardless, these early reports back on enforcement didn't come as a shock, according to Hintze Law Associate Charlotte Lunday, CIPP/US, CIPM.
"It’s not surprising that most companies are taking CCPA seriously," Lunday said. "And it’s also not surprising that many companies relied on the 30-day cure period, particularly in areas where the statute and the regulations are ambiguous. The notices to cure that the attorney general sent to businesses helped bring some clarity regarding the office’s interpretations in some of those areas of ambiguity."
The disappointing part of the enforcement update for Abernethy was that it didn't delve into the nitty-gritty of enforcement, but rather focused on one aspect.
"I found it interesting but incomplete, as it does not provide granularity as to the subject matter of the notices nor does it confirm whether any investigations have actually been completed," Abernethy said. "To me, it also demonstrates that laws that include a reasonable cure period for businesses may in some cases actually be more consumer-enhancing than straight enforcement."
Baker McKenzie Partner Lothar Determann, author of the book "California Privacy Law," noted companies in compliance with the CCPA and otherwise exempt from this first wave of enforcement should remain hyper-aware of their data activities instead of potentially letting their guard down.
"Enforcement activity updates and forward-looking guidance are crucial," Determann said. "Companies must prioritize, because CCPA’s unreasonable complexity and overlap with myriad existing California privacy laws."
Monday's news came less than a week after Bonta's office added to its frequently asked questions page a requirement for CCPA-covered entities to treat the Global Privacy Control as a valid consumer request to halt the sale of a consumer's data. On top of the GPC announcement, Bonta offered another consumer-friendly wrinkle Monday in the form of the Consumer Privacy Tool, which allows consumers to bring their Do Not Sell gripes directly to companies.
According to Bonta, the tool "asks guided questions to walk consumers through the basic elements of the CCPA before generating a notification that the user can then email to the business." Bonta added the issuance of the notification from consumer to business may trigger the 30-day cure period. There was no explanation on specific instances where the notification does or does not mark the beginning of the cure period.
"I think the Consumer Privacy Tool will create challenges for businesses. It is likely to cause operational challenges due to the potential volume of requests that can be expected," Lunday said. "It is likely to result in inaccurate and uninformed complaints based on consumer interpretations of the complex and ambiguous aspects of the statute. For instance, every business that has gone through the complex factual and legal analysis and has decided it does not engage in data sales as defined by the CCPA, and it therefore does not need the Do Not Sell link on its homepage, can now have that conclusion easily second guessed by any California consumer."
The effectiveness of the tool and what it means to businesses will ultimately boil down to how a consumer uses it. Abernethy said seeking feedback like this from consumers on a topic they may not be fully apprised of "could easily lead to inaccurate attorney general submissions and outputs." On the other hand, Bonta is actively advocating for people to effectuate rights, whether it be through the tool or clicking clear and existing Do Not Sell buttons.
"It's their decision. I'm not saying to use it or not to use it, but it's there to be used," Bonta said. "If you don't want your information to be sold, you have to act. For those out there that think your information won't be sold automatically because of the CCPA, that's not true. You have to take that step and click that button on those websites."
This book aims to help the person who is leading a business’s CCPA efforts so they can have a handle on what is necessary to comply and make risk-based choices about how best to proceed.
California Privacy Law, now in its newly updated fourth edition, provides businesses, attorneys, privacy officers and other professionals with practical guidance and in-depth information to navigate the state’s strict policies.
If you want to comment on this post, you need to login.