Last week, the International Association of Privacy Professionals hosted a keynote session with Stacey Schesser, supervising deputy attorney general (AG) of the California Department of Justice, to discuss the July 1 start of the AG’s enforcement authority under the California Consumer Privacy Act (CCPA).
The deputy AG discussed the current scope of the AG’s enforcement authority and confirmed that on July 1, the Office of the Attorney General (OAG) sent businesses an initial round of letters, which included notices of alleged violations. The AG will open an investigation or file a lawsuit against companies that do not come into compliance within 30 days of receiving such notice letters.
Update on Rulemaking
The final regulation package was submitted by the OAG to the California Office of Administrative Law (OAL) on June 1. The deputy AG confirmed that without OAL approval and until the final text is filed with the secretary of state, the regulations are not enforceable by law. Although the OAL typically must complete its review of proposed regulations within 30 working days, Gov. Gavin Newsom extended the review period for an additional 60 days in response to the COVID-19 pandemic.
Although the regulations are not enforceable, the deputy AG also confirmed that the OAG will enforce the “four corners” of the statute – i.e., the original text of the CCPA, subject to a few amendments, which have been in place since Jan. 1, 2020.
The deputy AG confirmed that the OAG sent notices of potential violations to businesses with online presences. She confirmed that these notices allow 30 days to cure the potential violation, as required by the CCPA. The deputy AG stated that the initial round of letters went to companies across all sectors and were based, at least partially, on consumer complaints – including complaints received by the OAG and other public and recurring complaints on social media sites about the difficulty consumers had in exercising their privacy rights with certain businesses.
The deputy AG did not confirm or deny the rumors as to whether the letters were focused on the requirements relating to the “Do Not Sell My Personal Information” (DNS) button/link. However, she did mention that the DNS button is a unique aspect of the CCPA that explicitly requires a business that sells data to include the button on its homepage. She warned businesses that sell personal information and do not have the link to include it “as quickly as possible.”
In response to a question about whether the letters or complaints sent to businesses will be made public, the deputy AG stated that the OAG does not make them publicly available because the complaints often support and contribute to confidential investigations. She also noted that other consumer protection laws (such as the California Online Privacy Protection Act, the Confidentiality of Medical Information Act and the Consumer Legal Remedies Act) are available for the AG to enforce.
The deputy AG recommended that businesses look at previous enforcement actions to understand the OAG’s priorities. Some of the enforcement cases that she mentioned included examples where millions of California consumers were affected. In addition to the number of persons affected, she also mentioned that the type of data involved and the actual or potential harm that could be caused by mishandling of the data would be considered. For example, the deputy AG mentioned that the protection of vulnerable populations, particularly ensuring clear authorizations are provided for minors, is important to the OAG.
In response to a question regarding the possibility that California localities (cities and counties) may attempt to enforce the CCPA, the deputy AG reiterated the OAG’s position that the AG has sole enforcement authority over the CCPA.
The deputy AG acknowledged the OAG’s role as educator as well as enforcer and pointed to new FAQs on the OAG’s updated CCPA homepage that provide general consumer information about the CCPA as well as the Final Statement of Reasons and Appendices, which provide summaries and responses to every comment the OAG received during the public rulemaking process and an explanation for modifications the OAG made to the draft regulations in responses to those comments. The deputy AG stated that more consumer education efforts are underway.
Finally, the deputy AG acknowledged that the CCPA is a complex law and said businesses must closely read the law. She noted that certain provisions may frustrate consumers, such as the right to deletion, which is subject to many exceptions that often permit businesses to deny requests for wholesale deletion.
There is no question that CCPA is a first-of-its-kind law and we can expect continued developments in the privacy landscape. For additional articles on the California Privacy Rights Act, which received enough signatures to appear on the November 2020 ballot and is set to amend the CCPA, or the recent Schrems II decision, visit BakerHostetler’s Data Counsel blog.