Off to the Races for Enforcement of California’s Privacy Law
Yesterday, the California Attorney General’s office confirmed that it has begun sending a “swath” of enforcement notices to companies across sectors that are allegedly violating the California Consumer Privacy Act (CCPA), starting enforcement promptly on the July 1st enforcement date. The law came into effect in January, after years of debate and amendment in the California Legislature. Additional proposed regulations, intended to clarify and operationalize the text of the statute, are not yet final.
In an IAPP-led webinar, “CCPA Enforcement: Enter the AG,” Stacey Schesser, California’s Supervising Deputy Attorney General, confirmed details about the first week of CCPA enforcement. Below, we 1) provide key takeaways from that conversation; 2) discuss the role of the draft regulations; and 3) observe that the successes or failures of AG enforcement will directly influence debates over other legislative efforts outside of California. Meanwhile, AG enforcement will almost certainly bolster public awareness and support for the California Privacy Rights Act (CPRA) or “CCPA 2.0” ballot initiative in November 2020.
Key takeaways and observations:
- Alleged violations involve a “swath” of online businesses, likely based on “Do Not Sell” obligations.
Based on Deputy AG Schesser’s comments, we know that active enforcement of the CCPA began immediately on July 1st, with the office sending violation notice letters to a “swath” of online businesses. Under the law, companies have a thirty-day period to “cure” violations and come into compliance. As a result, these letters are unlikely to become public, unless any of them progress into full-blown investigations.
We do know a few key things from this discussion, however, about the type and substance of the alleged violations under scrutiny.
For example, we know that online businesses from “across sectors” were targeted, rather than, for example, retail or other “brick and mortar” establishments that collect data in-person. And although it was not directly stated, it was implied that the violations involve perceived failures to comply with the law’s “Do Not Sell” provisions. The AG has publicly held up this specific consumer right to request that a business not sell data as the most central feature of the CCPA. As a result, major online companies or publishers that do not provide a link entitled “Do Not Sell My Information” may be under particular scrutiny.
We don’t know at this point whether the AG staff identified obvious cases where observation made it clear a company was selling data. In many cases, whether data transmitted to third parties constitutes a sale depends on contracts and commitments made by those parties, details that can be challenging to discern based on external observation. Some companies may use the thirty-day cure period to attempt to persuade the AG’s office that their data sharing is occurring within the context of a service provider relationship or another permissible exemption that allows them to not provide a “Do Not Sell” button.
Deputy AG Schesser also confirmed that businesses were targeted based on consumer complaints and even some reports on Twitter. It would not be surprising to see that early enforcement targets were influenced by media and Twitter reports of businesses that do or do not provide a “Do Not Sell My Information” link. For example, a February 2020 Washington Post article includes a comprehensive list of top companies and notes whether they provide CCPA-related links.
- Enforcement of requirements in the AG’s regulations will have to wait (for now).
For companies still interpreting and operationalizing the AG’s regulations, Deputy AG Schesser’s comments yesterday confirmed that enforcement (for now) is limited to the text of the statute. Although the CCPA has been in effect since January 1, 2020, the additional regulations promulgated by the AG’s office are not yet finalized, with the final text of the proposed regulations under review by the Office of Administrative Law.
Despite this, it would be wise for companies to carefully review the proposed regulations. Although in some cases the draft regulations appear to create new obligations or restrictions that do not exist in the text of the CCPA — such as disclosures for large data holders — in many cases the regulations are intended to clarify existing law. In such cases, the regulations provide a useful window into how the AG’s office understands the text of the CCPA. Similarly, companies seeking to understand how the AG’s office understands the CCPA and its “Do Not Sell” provision can look to the 900+ pages of responses given to commenters in the public comment periods for the draft regulations. These responses provide important insight into the AG’s analysis of what the underlying statute requires.
- The AG’s successes or failures (or perceptions thereof) will directly influence federal and state legislative debates outside of California.
The role of State Attorneys General (AGs) in enforcing comprehensive privacy laws has been at the heart of many recent debates over both state and federal legislation. For example, in deliberations regarding the Washington Privacy Act (WPA), enforcement emerged as one of the most divisive issues that led to the bill failing to pass the Washington House. Advocates and even the Washington Office of the Attorney General itself argued that the Washington AG lacked the financial and other resources to meaningfully enforce the law if it were passed, and that the law needed to also include a private cause of action for individuals to bring claims directly in court.
In the context of federal legislation, it is becoming increasingly common for proposed comprehensive privacy legislation from both Democrats and Republicans to include enforcement powers for State AGs. Industry groups sometimes argue against the inclusion of State AGs, perceiving their enforcement to be politically motivated or observing that they may lack the deep expertise of their federal agency counterparts to enforce privacy laws affecting complex emerging technologies and digital platforms. However, State AGs will almost certainly play some role in a future federal privacy law, particularly if stronger government enforcement becomes part of a compromise against a robust private cause of action.
Next up: CPRA Ballot Initiative (“CCPA 2.0”)
Meanwhile, the proposed “California Privacy Rights Act” (CPRA) has qualified for the November 2020 ballot, and if passed would modify the CCPA to provide additional consumer protections. For example, it would add the consumer right to “correct inaccurate information,” and the right to limit first-party use of sensitive categories of information (rather than only being able to limit its sale). It would also provide much-needed clarifications on the consumer right to opt out of all sale or sharing of data for purposes of online behavioral advertising, and enshrine a clearer “purpose limitation” obligation into the text of the statute.
If passed, the CPRA will likely become the new de facto minimum U.S. national standard for consumer privacy, raising the bar significantly for efforts to pass federal legislation. Despite its detailed requirements, it is not finding favor with some civil society groups such as the Consumer Federation of California, which has now formally opposed the initiative. On the other hand, Common Sense Media has now endorsed the effort. The ballot initiative process in California enables groups to submit ballot arguments in support or opposition of an initiative, which may be important to help voters understand the initiative, so stay tuned for news of additional groups that support or oppose the effort.
Author: Stacey Gray is an FPF Senior Counsel and leads FPF’s U.S. federal and state legislative analysis and policymaker education efforts.
Image Credit: Tweet from Attorney General Becerra, @AGBecerra, Twitter, July 1, 2020, https://twitter.com/AGBecerra/status/1278377943803154432?s=20.