California Deputy Attorney General Lisa Kim shared insights on the California Consumer Privacy Act (CCPA) enforcement and rulemaking at a live webinar hosted by the IAPP and California Lawyers Association Privacy Law Section on April 22, 2021. She pointed out key areas of focus for businesses as they develop and improve their CCPA compliance efforts. Here are some key takeaways from her remarks:

  • Privacy policy. Although the privacy policy does not have to be short in length, it should be easy to read for the consumer, without complicated cross-references or undefined legal or technical terms.
  • Opt-out of “sale” notice. The opt-out functionality should be easy-to-use for the consumer. She warned against the use of dark patterns and mentioned that links to opt-out should go directly to the section of the page that describes the right to opt-out and how to exercise that right, not merely to the top of a privacy policy. See a summary of the latest CCPA regulations, including guidance on opt-outs, here.
  • External data flows. Businesses should pay attention to data flows that go to outside entities, where there is a risk that a third-party may not restrict use or prevent further dissemination of the data they receive. If a business says it does not engage in a CCPA “sale” of personal information without any additional protections, she said her office will examine the benefits the business receives to determine if a “sale” has occurred.
  • Cookie banners. Cookie banners designed for GDPR compliance may not be enough to satisfy a business’s obligation to provide an opt-out of sale with regard to cookies under CCPA. The California Attorney General’s office is keeping an eye on the use of cookie banners.
  • Public comments. Looking ahead, the California Privacy Rights Act of 2020 (CPRA) rulemaking will begin in July 2021. In making public comments, she discourages repetition, suggests doing away with a narrative introduction, and appreciates specific examples of how the proposals will significantly impact businesses. For key dates on the CPRA, see a timeline here.

The above views reflect the opinions shared by California Deputy Attorney General Lisa Kim as she articulated them during the live webinar. While this is not a definitive statement regarding the meaning of the CCPA or the CPRA, this provides helpful guidance on the viewpoint of the California Attorney General’s office and its enforcement priorities.