California Deputy Attorney General Lisa Kim shared insights on the California Consumer Privacy Act (CCPA) enforcement and rulemaking at a live webinar hosted by the IAPP and California Lawyers Association Privacy Law Section on April 22, 2021. She pointed out key areas of focus for businesses as they develop and improve their CCPA compliance efforts. Here are some key takeaways from her remarks:
- External data flows. Businesses should pay attention to data flows that go to outside entities, where there is a risk that a third party may not restrict use or prevent further dissemination of the data it receives. If a business says it does not engage in a CCPA “sale” of personal information without any additional protections, she said her office will examine the benefits the business receives to determine if a “sale” has occurred.
- Cookie banners. Cookie banners designed for GDPR compliance may not be enough to satisfy a business’s obligation to provide an opt-out of sale with regard to cookies under CCPA. The California Attorney General’s office is keeping an eye on the use of cookie banners.
- Public comments. Looking ahead, the California Privacy Rights Act of 2020 (CPRA) rulemaking will begin in July 2021. For those submitting public comments, she discourages repetition, suggests doing away with a narrative introduction, and appreciates specific examples of how the proposals will significantly impact businesses. For key dates on the CPRA, see a timeline here.
The above views reflect the opinions shared by California Deputy Attorney General Lisa Kim as she articulated them during the live webinar. While this is not a definitive statement regarding the meaning of the CCPA or the CPRA, this provides helpful guidance on the viewpoint of the California Attorney General’s office and its enforcement priorities.