CCPA Enforcement: Enter the AG

From the Capitol Insider blog:

In this blog post, we follow along with Dominique Shelton Leipzig (Perkins Coie) as she moderates the IAPP Keynote, “CCPA Enforcement: Enter the AG,” on July 9, 2020. This discussion featured Supervising Deputy Attorney General Stacey Schesser and Travis LeBlanc (Cooley) who shared their personal insights and views on the California Consumer Privacy Act (CCPA) and its enforcement. In addition, you can find key takeaways from Dominique Shelton Leipzig’s July 30 interview with the proponent of the California Privacy Rights and Enforcement Act (CPRA).

By Dominique Shelton Leipzig & Bo W. Kim on July 10, 2020

POSTED IN CCPA

Dominique Shelton Leipzig (Perkins Coie) moderated IAPP Keynote, “CCPA Enforcement: Enter the AG,” on July 9, 2020. The discussion featured Supervising Deputy Attorney General Stacey Schesser and Travis LeBlanc (Cooley) who shared their personal insights and views on the California Consumer Privacy Act (CCPA) and its enforcement.

View the video here

Key takeaways include:

• The CCPA regulations will not be enforceable or effective until they are approved by the Office of Administrative Law and published by the Secretary of State.
• Beginning on July 1, 2020, the California Attorney General’s office (AG) started its enforcement of the CCPA, but the enforcement is currently limited to the “four corners” of the statute.
• The AG has sent out notices of violation and corresponding 30-day opportunity to cure (NOVs) to businesses that are not complying with the CCPA.
• The AG has not focused on a particular industry or sector, but has looked at consumer complaints submitted to the AG, along with publicly available information such as complaints on social media (Twitter).
• The NOVs were sent to online businesses and involved issues relating to CCPA disclosures and mechanisms.

• An important CCPA right is the right to opt out of sale. If a business is selling personal information, they must have the Do Not Sell link on the home page.
• The CCPA expressly seeks to protect minors by requiring, among other things, a much clearer authorization (i.e., opt in).
• Protecting health data has been and continues to be a priority. Companies should keep this in mind in connection with COVID-19 data collection.

• Companies are advised to take a comprehensive approach to privacy and data security (e.g., comply with California Online Privacy Protection Act, implement reasonable data security measures, etc.).
• AG’s past enforcement actions may provide insights into the types of issues that are of the greatest concern to the AG (e.g. Equifax).
• If a business receives a NOV, it should communicate and engage with the AG right away.
• The exclusive enforcement of the CCPA resides with the AG, except for the limited private right of action for a data breach.
• The CCPA is not an easily understood law. It is lengthy, nuanced, and complex. Businesses need to thoroughly understand both the statute and the regulations.
• Our key takeaway from this discussion: Companies wishing to avoid receiving NOVs should consider updating their websites to include Do Not Sell links if they have third-party cookies that can track users across multiple sites.

Dominique Shelton Leipzig interviewed Alastair Mactaggart on June 30, 2020. regarding the CCPA 2.0.

Watch the video here.

Key takeaways include:

• California Privacy Rights Act (CPRA) is popular.
• Mactaggart’s goal is to treat privacy as a human right. He hopes to attain an adequacy determination from the European Union for California as a territory.
• Mactaggart believes that “cross-contextual behavioral advertising” requires a Do Not Sell link.
• The CPRA will add new rights including:

• Right to correct data.
• Right to limit use of sensitive data.
• Right to opt out of sharing of PI.

Staff Contact: Shoeb Mohammed