It has been a year since compliance with the California Consumer Privacy Act (CCPA) has been mandatory and financial penalties and sanctions have been possible for CCPA violations.
The CCPA was introduced on January 3, 2018 and was signed into law by California Governor Jerry Brown on June 28, 2018. The CCPA took effect on January 1, 2020, and compliance became enforceable on July 1, 2021. The CCPA was, and currently still is, the strictest state privacy law in the United States.
California Attorney General Rob Bonta has marked the 1st anniversary of the enforcement date by issuing a CCPA enforcement update and sharing details of some of the actions taken by businesses in response to notifications from the California Department of Justice about CCPA violations.
75% of Businesses Cured Noncompliance within 30 Days
When the California Department of Justice discovers a business is not in compliance with the CCPA, a notice is sent and the business is given 30 days to correct the violation. Attorney General Bonta said three quarters of businesses notified about an alleged CCPA violation took corrective action and addressed the violation within the allowed 30-day time frame. The remaining quarter are either still within the allowed 30-day cure period or are being actively investigated.
Actions taken by businesses after receiving notifications about noncompliance from the California Department of Justice include:
A social media app that was slow to respond to CCPA requests from consumers submitted detailed plans of how it updated its CCPA consumer response procedures to ensure timely receipt confirmations and responses on future CCPA requests after receiving a notice to cure.
An online dating app that did not have a “Do Not Sell My Personal Information” link on its homepage and had a policy whereby a consumer clicking an “accept sharing” button consented to the sale of their personal data added a clear and conspicuous link on its home page and updated its privacy policy with compliant sales disclosures after being notified about the violation.
A grocery chain had loyalty programs that required consumers to submit their personal data but failed to provide a Notice of Financial Incentive to consumers participating in the programs. After being notified about the CCPA violation, its privacy policy was changed to include a Notice of Financial Incentive.
Californians Encouraged to Exercise their CCPA Rights
The CCPA gave California residents new rights over their personal data and placed restrictions on uses and disclosures of that information by business and non-profits that do business in the state of California that either:
- Have annual gross revenues in excess of $25 million; or
- Buy, receive, or sell the personal information of 50,000 or more consumers or households; or
- Earn more than half of their revenue from the sale of consumers’ personal information.
In his enforcement update, Attorney General Bonta encouraged Californians to exercise their new rights, which are the right to:
- Know what personal data is being collected about them.
- Know whether their personal data is sold or disclosed and to whom.
- Say no to the sale of personal data.
- Access their personal data.
- Request a business to delete any personal information about a consumer collected from that consumer.
- Not be discriminated against for exercising their privacy rights.
To date, many Californians have exercised their rights, with some businesses reporting receiving millions of requests from consumers in the past year.
AG Bonta wants it to be easier for consumers to report potential violations of the CCPA to businesses and has announced that a new tool has been launched to allow them to do this. The tool has been added to the oag.ca.gov website and can be used by consumers to alert businesses when they do not have a “Do Not Sell My Personal Information” link on their home page. Attorney General Bonta said the notification sent by the tool to businesses may trigger the start of the 30-day cure period.
