California AG Sends Initial Notices of Potential CCPA Non-Compliance.
Although the California Consumer Privacy Act (CCPA) became effective January 1, 2020, the California Attorney General (AG) was restricted from beginning enforcement until July 1, 2020. While many companies have taken a risk-based approach and have slowly developed aspects of their CCPA compliance programs, the AG went into action on July 1, sending numerous letters of potential non-compliance to companies with the following characteristics:
- No Industry Focus. The letters spanned multiple industries and business sectors, with no specific industry targeted.
- Missing Privacy Notice Disclosures and “Do Not Sell My Personal Information” Links. The letters focused on businesses that operated online and were missing either key privacy disclosures from their privacy notices or a “Do Not Sell” link (where the AG thought one was necessary). While not the focus of this round of letters, the AG’s office has previously stated that the AG intends to focus on protections for minors and other vulnerable populations; matters with wide-scale impacts on Californians; and sensitive data and actual harm (whether under the CCPA, the California Online Privacy Protection Act, the Confidentiality of Medical Information Act or California’s Unfair Competition Law).
- Companies with Consumer Complaints at Risk. The targets of the letters were identified based, at least in part, on consumer complaints, including complaints made on Twitter and other social media.
Opportunity to Present the Company’s Position or Cure the Violation. If a company receives a letter of non-compliance from the AG, it can either:
- Respond to the compliance letter and explain its position, including that it does not “sell” under the CCPA or that it is not subject to the CCPA (e.g., does not meet the $25 million revenue or other scoping thresholds or it is regulated by HIPAA, Common Rule, Gramm-Leach-Bliley Act or another available exemption), or
- Cure the alleged violation within 30 days to avoid a regulatory enforcement action and potential fines.
AG Options. Under the CCPA, depending on a business’s response to the compliance letter, the AG may take one of three actions: (i) drop the case, (ii) open a confidential investigation to further review the company’s response or (iii) bring an enforcement suit/levy a fine if a business has not cured an alleged violation following a 30-day cure period.
3 Steps All Companies Subject to CCPA Should Take Now
Step 1: Review and update privacy notices (i.e., commercial and for employees/job applicants), as needed to comply with the CCPA, including the final regulations being approved now.
Step 2: Confirm your “Do Not Sell” position if you did not post a link, and either (i) document your supporting analysis and conclusion that you do not “sell” under the CCPA or (ii) add a “Do Not Sell My Personal Information” opt-out link if you change your position based on the AG efforts and industry trends.
Step 3: Complete and roll out the following five priorities and all other CCPA compliance documentation, if not in place:
- A data subject rights procedure to handle requests for copies and deletion of data, among other requests
- An incident response plan that includes California definitions, timing and reporting requirements
- A data processing addendum/service provider agreement template, reviewing what data rights, if any, you grant to third parties
- CCPA training (and broader privacy and security awareness training), and
- A mapping of your security policies and controls to the California definition of “Reasonable Security” to avoid class action litigation for breaches of personal information that is not encrypted, aggregated or de-identified