CCPA Enforcement: Enter the AG

Dominique Shelton Leipzig (Perkins Coie) moderated the IAPP Keynote, “CCPA Enforcement: Enter the AG,” on July 9, 2020. The discussion featured Supervising Deputy Attorney General Stacey Schesser and Travis LeBlanc (Cooley) who shared their personal insights and views on the California Consumer Privacy Act (CCPA) and its enforcement.

View the video here

Key takeaways include:

  • The CCPA regulations will not be enforceable or effective until they are approved by the Office of Administrative Law and published by the Secretary of State.
  • Beginning on July 1, 2020, the California Attorney General’s office (AG) started its enforcement of the CCPA, but the enforcement is currently limited to the “four corners” of the statute.
  • The AG has sent out notices of violation and corresponding 30-day opportunity to cure (NOVs) to businesses that are not complying with the CCPA.
  • The AG has not focused on a particular industry or sector, but has looked at consumer complaints submitted to the AG, along with publicly available information such as complaints on social media (Twitter).
  • The NOVs were sent to online businesses and involved issues relating to CCPA disclosures and mechanisms.
    • An important CCPA right is the right to opt out of sale. If a business is selling personal information, they must have the Do Not Sell link on the home page.
    • The CCPA expressly seeks to protect minors by requiring, among other things, a much clearer authorization (i.e., opt in).
    • Protecting health data has been and continues to be a priority. Companies should keep this in mind in connection with COVID-19 data collection.
  • Companies are advised to take a comprehensive approach to privacy and data security (e.g., comply with California Online Privacy Protection Act, implement reasonable data security measures, etc.).
  • AG’s past enforcement actions may provide insights into the types of issues that are of the greatest concern to the AG (e.g., Equifax).
  • If a business receives a NOV, it should communicate and engage with the AG right away.
  • The exclusive enforcement of the CCPA resides with the AG, except for the limited private right of action for a data breach.
  • The CCPA is not an easily understood law. It is lengthy, nuanced, and complex. Businesses need to thoroughly understand both the statute and the regulations.
  • Our key takeaway from this discussion: Companies wishing to avoid receiving NOVs should consider updating their websites to include Do Not Sell links if they have third-party cookies that can track users across multiple sites.

Alastair Mactaggart on the CPRA

Watch the video here.

Key takeaways include:

  • The CPRA is popular.
  • Mactaggart’s goal is to treat privacy as a human right. He hopes to attain an adequacy determination from the European Union for California as a territory.
  • Mactaggart believes that “cross-contextual behavioral advertising” requires a Do Not Sell link.
  • The CPRA will add new rights including:
    • Right to correct data.
    • Right to limit use of sensitive data.
    • Right to opt out of sharing of PI.